Here you can see a 2-day-old post warning about the danger of not using email/captcha verification:
https://lemmy.ml/post/1345031
And here are stats of the lemmy platform, where it shows that we gained 200 000 lemmy users in 2 days:
https://lemmy.fediverse.observer/dailystats
Another tracking site with the same explosion in users: https://the-federation.info/platform/73
What do you think? Is it some sort of a bug or do people run bot farms?
Edit2: It's now been 3 days and we went from 150 000 user accounts 3 days ago to 700 000 user accounts today, making it 550 000+ bot accounts and counting. Almost 80% of accounts on lemmy are now bots, and it may end up being a very serious issue for the lemmy platform once they become active.
Edit3: It's now the 4th day of the attack and the amount of accounts on lemmy has almost reached 1 200 000. Almost 90% of the total userbase are now bots.
Edit 3.1: my numbers are outdated, there are currently 1 700 000 accounts which makes it even worse: https://fedidb.org/software/lemmy
It seems almost certain that there are farms creating these accounts - but why? The sheer volume of them is going to make them easy to identify and delete, and if the admins of the instances don't delete them the instances will be defederated in short order.
I fail to see any value to having 1 million+ bot accounts. What are we missing?
I dunno, between no rate limiting and no bot mitigation, you could create them pretty fast with a single machine running parallel requests.
But the question "why" stands. 200 upvotes will get you on the front page at the moment. Why not stop there, why make your bot accounts so conspicuous that they are basically guaranteed to get deleted?
Because it's easy. Someone is just testing some basic tools, to which they can add countermeasures later.
Testing, I'd guess. Experimenting with hardware configurations, software configurations, bot configurations. Testing rate limits, looking for exploits, etc.
We can tell when they pile 1 million bots onto 5 servers all at once. Will we tell when they pile 100,000 across 10 servers over the span of a month?
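The two comments above describe the defender's problem from both ends: a burst of sign-ups from a machine "running parallel requests" is trivially visible, while the same volume spread over 10 servers and a month is not. The following is an added example (not code from Lemmy or from anyone in this thread) of the two checks an instance admin would typically run over a registration log: a per-source sliding-window burst detector and a per-day comparison against a rolling median baseline. The log format, the addresses and the thresholds are all constructed assumptions for illustration.

```python
"""Registration anomaly checks for a sign-up log (added example, not Lemmy's code).

Two detectors:
  * find_bursts      - many sign-ups from one source inside a short window
                       (the "single machine running parallel requests" case)
  * daily_anomalies  - a day's total far above the median of previous days
                       (the slower, spread-out case)
"""
from collections import defaultdict, deque
from datetime import datetime
from statistics import median

# Constructed sample log. Format is assumed: "<ISO timestamp> <source_ip> <username>".
# 203.0.113.5 registers six accounts in four seconds; the others are ordinary users.
SAMPLE_LOG = """\
2023-06-20T10:00:00 198.51.100.7 alice
2023-06-20T10:00:01 203.0.113.5 user0001
2023-06-20T10:00:02 203.0.113.5 user0002
2023-06-20T10:00:02 203.0.113.5 user0003
2023-06-20T10:00:03 203.0.113.5 user0004
2023-06-20T10:00:04 203.0.113.5 user0005
2023-06-20T10:00:05 203.0.113.5 user0006
2023-06-20T10:02:00 198.51.100.7 bob
2023-06-20T10:03:00 192.0.2.44 carol
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, username) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, user))
    events.sort(key=lambda e: e[0])
    return events


def find_bursts(events, window_seconds=60, threshold=5):
    """Return {ip: peak sign-ups in any window} for sources reaching the threshold.

    A deque per source holds timestamps inside the current window; entries older
    than window_seconds are evicted from the left as newer events arrive.
    """
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip, _ in events:
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def daily_anomalies(daily_counts, factor=3.0, min_history=3):
    """Return [(day_index, count)] for days exceeding factor x median of all prior days.

    The median (not the mean) is used so that one flagged day does not drag the
    baseline up and hide the following days of the same campaign.
    """
    flagged = []
    for day, count in enumerate(daily_counts):
        history = daily_counts[:day]
        if len(history) < min_history:
            continue  # not enough history to form a baseline yet
        if count > factor * median(history):
            flagged.append((day, count))
    return flagged


if __name__ == "__main__":
    print("burst sources:", find_bursts(parse_log(SAMPLE_LOG)))
    # Constructed daily totals: four normal days, then a visible spike.
    print("spike days:", daily_anomalies([120, 130, 110, 125, 2400, 3100]))
    # Constructed slow drip: ~3x baseline but under the factor, so nothing fires.
    print("drip days:", daily_anomalies([120, 130, 110, 125, 330, 340]))
```

The third call in the usage block is the point of the second comment: a campaign that keeps each day under the chosen factor slips through the baseline check, which is why admins tend to pair these volume checks with the email/captcha verification the original post asks about rather than rely on rate statistics alone.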
They've just spoon-fed us the data to help us identify them, and given us incentive to do so too. It just seems counterproductive.
They've just spoon-fed us the data to help us identify a very particular type of attack. They don't need to use that type. They just need to know the ins and outs of the software.
Is it a benign "attack" to point out the weakness to get enough attention that it gets fixed?
The attack started after someone made a post warning about how easy it is to do, so they are not losing anything here.