The prevalent discourse/attempt-at-a-meme-but-people-are-taking-it-seriously saying "Bluesky is down because of AI vibecoding!" is starting to get annoying and unoriginal.
Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
> Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
The context of the "jokes", regardless of if one finds them funny, is that this is exactly how AI boosters (including the bluesky team) have been behaving.
Every little benefit, no matter how small or unfounded, was being attributed to AI usage. So people do the opposite, attributing every little problem to the use of AI.
The implied punchline being "Oh, so now you care about accuracy?"
I haven't seen them do this at all. They've said that they use AI tools when writing code, because most devs do, and they've previewed Attie, their codegen for custom feeds thing, which is a separate tool. None of that is attributing improvements in Bluesky to AI.
As I understand things, the only AI tool the Bluesky team has been pushing has been a feed generator/curator. They have been pushing for vibe coding their systems or for using AI to generate content on Bluesky.
A week or two ago, when there was a Bluesky outage and a Claude outage at the same time, people were earnestly pointing to that as evidence that Claude was somehow a load-bearing component of Bluesky, or that AI vibecoding had caused the outage... I had to just disengage but I was also very annoyed by it all.
Because that would take a minimum amount of effort, nuance, and reasoning, and the result would probably generate less interactions compared to a cheap shot based on vibes.
This isn’t surprising at all. It reminds me of staunch Apple haters who recycle superficial talking points as opposed to Apple nerds who have long lists of very pointed critiques.
What annoys me the most bsky AI hate is the assumption that people who spend a lot of time working with LLMs don’t understand their weaknesses, as if we aren’t constructing systems and evaluations to determine precisely how much AI sucks for our given task.
I don't have any anecdotal data, just detecting a whiff of a possible pattern in your statement. DDoS is bots. Any chance the prevalent discourse is bots? "I ain't saying she a gold digger..."
Perhaps underestimating how much the bsky audience absolutely hate AI.
It's funny how closely bsky has replicated the dynamic of old Twitter where the people who run it and the people who use it have completely different priorities and loathe each other.
Theoretically, if the backend code is optimized enough, a DDoS attempt wouldn't lead to a denial of service since all those requests would just get served as normal. And as long as the network isn't the bottleneck, which it probably is in most cases.
There are multiple kinds of ddos attacks targeting different levels of infrastructure. Idk how anyone can say absolutely that a ddos works in one specific way.
The interface seemed to function as normal, but specifically the API was targeted, which left a lot of confused users who were seeing the interface peppered with errors. Watching as it unfolded, it seems it affected certain regions to begin with and then slowly spread worldwide.
Seems they might have failed to host the status page (https://status.bsky.app) separately as well, because that went down several times throughout the outage. They also weren't very active in updating the status page, and the notice that was there had a typo of 'reginos' and a description of 'null'.
What are the chances some company offers to "save" them with a security service which coincidentally will also require users to use the latest officially-sanctioned browsers, OSes, and "trusted" hardware to pass the "security check"...
If you're referring to Cloudflare, the "security check" is not a default setting. For some reason administrators love to use Under attack mode as a band-aid measure to reduce load on the host.
At least Apple devices are actually secure and can't really be omitted from things other than gaming and business. Granted, gaming and business are pretty important.
My understanding is that ATProto itself is definitely decentralized but the app view most people interact with using the Bluesky app is centralized ...sort of. The Bluesky app view will read from PDSes hosted by other people, hence people on Bluesky can see stuff posted elsewhere, like users of Blacksky. If the Bluesky app view decides to stop reading from any other PDS (like those of Blacksky, or ones which are self-hosted) they're free to do so. The same is true for alternative app views like Blacksky. Since most people think of Bluesky as the thing you see on the official Bluesky app (which shows the Bluesky app view) an outage of the Bluesky app view will mean they lose the ability to view any posts from any source. If someone's using a separate app view like Blacksky, the most that will happen to them should be that they'll lose interaction with posts coming from Bluesky's PDSes until the outage ends.
I may have the division between Bluesky and Blacksky off, but ATProto does allow this sort of thing. Hosting a PDS is trivial and requires very few resources. Hosting a full app view can be expensive depending on how many PDSes you're ingesting from, but you can decide how much of that you want to do.
Bluesky has never been distributed/decentralised. It's a single central system, which fetches 0.001% of user data from external systems if the user opts in, and has a marketing team that calls this decentralisation.
The Bluesky app view is centralized in that it can decide which content to show, but A) the hosting of that content is decentralized, and B) alternate app views like Blacksky exist which are fully independent of Bluesky (both Bluesky the company and Bluesky the app view). The Bluesky app view could stop showing users content from Blacksky (or any other) PDSes, but that's it. If you're using the Blacksky app view, afaik Bluesky the company can't do anything other than cut you off from Bluesky's PDSes.
Sure, much like how email is decentralized in theory but barely is in practice. This doesn’t mean that the decentralized nature is just a marketing gimmick.
It’s unsurprising that almost everyone uses the Bluesky app given that A) the infrastructure for hosting your own relay or app view (I can’t remember which) didn’t have a reference implementation until a while after launch, and B) the user base is much less tech-y than what I’ve seen on Mastodon. Most of the user base moved over in the flight from Twitter/X a couple years ago. I think if it had come out at a different time you’d see something which looked a lot more like Mastodon’s large population distribution.
> They have designed a protocol that could theoretically be decentralised. Then reality hit, and it was centralised.
Could you explain what you mean by the underlying protocol having become centralized over time? While I can understand arguing about whether or not Bluesky-the-social-network is practically decentralized to the degree of something like Mastodon or that it became more centralized over time, I think arguing that ATproto[1] itself isn’t decentralized would be ludicrous.
It seems like DDoS's are getting harder and harder to deal with. The tips that worked 10 years ago are now easily worked around. I keep seeing people on here say "just use TLS fingerprinting" like it's a panacea, but I can't remember the last time an attack didn't spoof their fingerprint.
It feels like, outside of custom behavior tracking, there's no good way to truly protect your site without making it more restrictive in general. Require JS, client side challenges, cloudflare.
Client side challenges would be fine when a DDoS is actually happening, but they're basically targeting certain platforms more than others right now. Not actually helping in keeping a site secure in that case and hurting user experience.
Curious how they handled it at the CDN level. I use Bunny CDN for video streaming on my project and signed URLs help a lot for abuse prevention, but a full DDoS is a different beast entirely.
Depending on size, such attacks can be very costly to organize, at least in opportunity cost (that is, using a botnet to attack BlueSky doesn't cost anything per se, but it does mean you can't use it for some other purpose, such as attacking someone else or mining Bitcoin).
If you're asking in general, DDoS attacks can absolutely serve a purpose - either to punish an organization that the attackers are unhappy with, or to hide some other more targeted attacks in a flood of errors, weird behaviors, and tired sysadmins.
Hopefully there will be some post-mortem. It seems like we're don't really see that many deliberate DDoS attack anymore. Not that it doesn't happen, but they really don't provide that much value against a target like Bluesky (unless you really hate them).
I'd be interested in how the attack manifests. Is it an actual DDoS? Is it highly aggressive scraping? We should be able to see this in how the attack manifests itself. What is the sources? That's a little harder, but it would be interesting to know if it's compromised devices, residential proxies, rented cloud capacity or something else.
> It seems like we're don't really see that many deliberate DDoS attack anymore.
There are more now then there ever have been in number of infected hosts and total data volume.
The internet is a big place.
”On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants.”
Truth is if mastodon.social gets ddosd the same as Bluesky I can still use the rest of the network fine. Proof is in the pudding. tons of instances that make up the fabric of redundancy. I think most people would be served better if Bluesky acted differently early with their rollout in a sharded manner?
This is half true. If mastodon.social goes down every single one of the accounts made on that instance go down as well.
In truly decentralized protocols you own your identity and can take it elsewhere, for instance, in Nostr and SSB, a relay/pub going down is no big deal since you can connect to other servers and maintain communications.
i get real tired of people trumpeting that bsky is distributed.
Can i run a private node? can i run a functional node completely within my network segment? because i can with gnusocial and misskey; i've never run mastodon; i am on fosstodon and a couple of other mastodon-likes.
bluesky is to discord what mastodon (fedi) is to IRC.
don't let the fact that most people use the main instances fool you, there's thousands (maybe tens of thousands) of instances. I haven't seen a tally recently, i forget the account that shows them for each "instance type", like pleroma, misskey, mastodon, pixelfed, whatever the reddit clone is, whatever the 4chan clone is, and so on.
anyhow when elon bought twitter mastodon surged. I hope they didn't spend millions upgrading the main instances because most of that dropped off because, you know, everyone's on twitter. only a few million on mastodon.
My whole point is, trying to shoehorn words like "distributed" into a system that i cannot run independently is, well it's just not distributed, that's all.
edit: maybe this is sour grapes because i never got an invite; but maybe i think it's just twitter with a different coat of paint and different buzzwords attached.
The people I follow on mastodon come from a wide variety of instances. While mastodon.social is the largest instance, most of the accounts I follow are elsewhere.
Granted, all the smaller instances are likely easier to DOS as they are small instances. But mastodon is actually decentralized. If any one instance goes down, everything else keeps working. Unlike Bluesky and ATProto which is more of a theoretical “could be” decentralized.
Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
The context of the "jokes", regardless of if one finds them funny, is that this is exactly how AI boosters (including the bluesky team) have been behaving.
Every little benefit, no matter how small or unfounded, was being attributed to AI usage. So people do the opposite, attributing every little problem to the use of AI.
The implied punchline being "Oh, so now you care about accuracy?"
What annoys me the most bsky AI hate is the assumption that people who spend a lot of time working with LLMs don’t understand their weaknesses, as if we aren’t constructing systems and evaluations to determine precisely how much AI sucks for our given task.
It's funny how closely bsky has replicated the dynamic of old Twitter where the people who run it and the people who use it have completely different priorities and loathe each other.
Also worth considering that there is a lot of anti-AI sentiment outside of our bubble! Maybe not a majority, but the minority is very vocal.
Seems they might have failed to host the status page (https://status.bsky.app) separately as well, because that went down several times throughout the outage. They also weren't very active in updating the status page, and the notice that was there had a typo of 'reginos' and a description of 'null'.
lol
I may have the division between Bluesky and Blacksky off, but ATProto does allow this sort of thing. Hosting a PDS is trivial and requires very few resources. Hosting a full app view can be expensive depending on how many PDSes you're ingesting from, but you can decide how much of that you want to do.
They have designed a protocol that could theoretically be decentralised. Then reality hit, and it was centralised.
It’s unsurprising that almost everyone uses the Bluesky app given that A) the infrastructure for hosting your own relay or app view (I can’t remember which) didn’t have a reference implementation until a while after launch, and B) the user base is much less tech-y than what I’ve seen on Mastodon. Most of the user base moved over in the flight from Twitter/X a couple years ago. I think if it had come out at a different time you’d see something which looked a lot more like Mastodon’s large population distribution.
> They have designed a protocol that could theoretically be decentralised. Then reality hit, and it was centralised.
Could you explain what you mean by the underlying protocol having become centralized over time? While I can understand arguing about whether or not Bluesky-the-social-network is practically decentralized to the degree of something like Mastodon or that it became more centralized over time, I think arguing that ATproto[1] itself isn’t decentralized would be ludicrous.
[1] https://arxiv.org/abs/2402.03239
It feels like, outside of custom behavior tracking, there's no good way to truly protect your site without making it more restrictive in general. Require JS, client side challenges, cloudflare.
Is it possible to have any certainty when answering that question?
If you're asking in general, DDoS attacks can absolutely serve a purpose - either to punish an organization that the attackers are unhappy with, or to hide some other more targeted attacks in a flood of errors, weird behaviors, and tired sysadmins.
I'd be interested in how the attack manifests. Is it an actual DDoS? Is it highly aggressive scraping? We should be able to see this in how the attack manifests itself. What is the sources? That's a little harder, but it would be interesting to know if it's compromised devices, residential proxies, rented cloud capacity or something else.
There are more now then there ever have been in number of infected hosts and total data volume.
The internet is a big place.
”On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants.”
Source: https://www.europol.europa.eu/media-press/newsroom/news/euro...
My mastodon account is not even on mastodon.social, because why would I, when I could have a home server closer to home
Can i run a private node? can i run a functional node completely within my network segment? because i can with gnusocial and misskey; i've never run mastodon; i am on fosstodon and a couple of other mastodon-likes.
bluesky is to discord what mastodon (fedi) is to IRC.
don't let the fact that most people use the main instances fool you, there's thousands (maybe tens of thousands) of instances. I haven't seen a tally recently, i forget the account that shows them for each "instance type", like pleroma, misskey, mastodon, pixelfed, whatever the reddit clone is, whatever the 4chan clone is, and so on.
anyhow when elon bought twitter mastodon surged. I hope they didn't spend millions upgrading the main instances because most of that dropped off because, you know, everyone's on twitter. only a few million on mastodon.
My whole point is, trying to shoehorn words like "distributed" into a system that i cannot run independently is, well it's just not distributed, that's all.
edit: maybe this is sour grapes because i never got an invite; but maybe i think it's just twitter with a different coat of paint and different buzzwords attached.
I explicitly told them that I want something distributed and that's a high priority, not a nice-to-have.
Yesss, there's definitely some very cheeky marketing going on.
Granted, all the smaller instances are likely easier to DOS as they are small instances. But mastodon is actually decentralized. If any one instance goes down, everything else keeps working. Unlike Bluesky and ATProto which is more of a theoretical “could be” decentralized.