The prevalent discourse/attempt-at-a-meme-but-people-are-taking-it-seriously saying "Bluesky is down because of AI vibecoding!" is starting to get annoying and unoriginal.
Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
> Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
The context of the "jokes", regardless of if one finds them funny, is that this is exactly how AI boosters (including the bluesky team) have been behaving.
Every little benefit, no matter how small or unfounded, was being attributed to AI usage. So people do the opposite, attributing every little problem to the use of AI.
The implied punchline being "Oh, so now you care about accuracy?"
I haven't seen them do this at all. They've said that they use AI tools when writing code, because most devs do, and they've previewed Attie, their codegen for custom feeds thing, which is a separate tool. None of that is attributing improvements in Bluesky to AI.
As I understand things, the only AI tool the Bluesky team has been pushing has been a feed generator/curator. They have been pushing for vibe coding their systems or for using AI to generate content on Bluesky.
A week or two ago, when there was a Bluesky outage and a Claude outage at the same time, people were earnestly pointing to that as evidence that Claude was somehow a load-bearing component of Bluesky, or that AI vibecoding had caused the outage... I had to just disengage but I was also very annoyed by it all.
I don't have any anecdotal data, just detecting a whiff of a possible pattern in your statement. DDoS is bots. Any chance the prevalent discourse is bots? "I ain't saying she a gold digger..."
Perhaps underestimating how much the bsky audience absolutely hate AI.
It's funny how closely bsky has replicated the dynamic of old Twitter where the people who run it and the people who use it have completely different priorities and loathe each other.
It turns out that this was, in fact, the case. They DDOS'd themselves, with a deployment of their own code - something they have separately claimed is "99% AI written" these days.
Theoretically, if the backend code is optimized enough, a DDoS attempt wouldn't lead to a denial of service since all those requests would just get served as normal. And as long as the network isn't the bottleneck, which it probably is in most cases.
The interface seemed to function as normal, but specifically the API was targeted, which left a lot of confused users who were seeing the interface peppered with errors. Watching as it unfolded, it seems it affected certain regions to begin with and then slowly spread worldwide.
Seems they might have failed to host the status page (https://status.bsky.app) separately as well, because that went down several times throughout the outage. They also weren't very active in updating the status page, and the notice that was there had a typo of 'reginos' and a description of 'null'.
What are the chances some company offers to "save" them with a security service which coincidentally will also require users to use the latest officially-sanctioned browsers, OSes, and "trusted" hardware to pass the "security check"...
It seems like DDoS's are getting harder and harder to deal with. The tips that worked 10 years ago are now easily worked around. I keep seeing people on here say "just use TLS fingerprinting" like it's a panacea, but I can't remember the last time an attack didn't spoof their fingerprint.
It feels like, outside of custom behavior tracking, there's no good way to truly protect your site without making it more restrictive in general. Require JS, client side challenges, cloudflare.
Curious how they handled it at the CDN level. I use Bunny CDN for video streaming on my project and signed URLs help a lot for abuse prevention, but a full DDoS is a different beast entirely.
Hopefully there will be some post-mortem. It seems like we're don't really see that many deliberate DDoS attack anymore. Not that it doesn't happen, but they really don't provide that much value against a target like Bluesky (unless you really hate them).
I'd be interested in how the attack manifests. Is it an actual DDoS? Is it highly aggressive scraping? We should be able to see this in how the attack manifests itself. What is the sources? That's a little harder, but it would be interesting to know if it's compromised devices, residential proxies, rented cloud capacity or something else.
95 comments
Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
> Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
The context of the "jokes", regardless of if one finds them funny, is that this is exactly how AI boosters (including the bluesky team) have been behaving.
Every little benefit, no matter how small or unfounded, was being attributed to AI usage. So people do the opposite, attributing every little problem to the use of AI.
The implied punchline being "Oh, so now you care about accuracy?"
It's funny how closely bsky has replicated the dynamic of old Twitter where the people who run it and the people who use it have completely different priorities and loathe each other.
Seems they might have failed to host the status page (https://status.bsky.app) separately as well, because that went down several times throughout the outage. They also weren't very active in updating the status page, and the notice that was there had a typo of 'reginos' and a description of 'null'.
It feels like, outside of custom behavior tracking, there's no good way to truly protect your site without making it more restrictive in general. Require JS, client side challenges, cloudflare.
Is it possible to have any certainty when answering that question?
I'd be interested in how the attack manifests. Is it an actual DDoS? Is it highly aggressive scraping? We should be able to see this in how the attack manifests itself. What is the sources? That's a little harder, but it would be interesting to know if it's compromised devices, residential proxies, rented cloud capacity or something else.