
The story of my weekend project - A complete dumpster fire, and everything I learnt from it.


A story about how my Christmas was ruined by a series of spam, abuse and DDoS attacks on a small app that I built. And what you can learn from it.



It’s the weekend before Christmas. Long holidays, nothing much to do in my boring college dorm. So, naturally, I decided to utilise this time to learn new skills and build something useful for myself. I had been wanting to make a quick and dirty website to “DUMP” my thoughts, mainly right from the iOS home screen, and then a good way to share it with others (RSS feed, a personal dump page, etc.)

I decided that I’ll build DUMP.place for me and my friends in just 6 hours. And as always, this will be open source. (repo here, star pls?)

And I did.

The app

The app is simple.

The stack

Here’s the stack that I used

Nothing could go wrong, right? 🤡

Built it, launched it, and went to sleep.

The next morning

I woke up and was excited to see what people had to say about it. I opened the app, and saw this.

Oh no.

A ton of spam, abuse of the platform, porn links, Chinese characters, etc.

So, I decided to add a simple moderation system for public dumps: a /admin page where I can see all the dumps and delete them if they’re spam. And I set up an OpenRouter Mistral 7B to “moderate” the dumps before they’re posted.

I did that, and went to sleep again.

a few hours later

Oh no.

That didn’t fix it, did it? People can still spam the platform, even though the content is ‘moderated’ before it’s posted. oof. why is the internet like this?

I added a simple database ratelimit to the app, so that people can’t post more than 2 dumps in 2 minutes. sigh no more issues, what could go wrong now?

I quickly wrote a blog about one of my learnings from this app (How to send transactional emails with Cloudflare Workers), and went to sleep again.

Surely that’s it. Now I can go to sleep and wake up to a clean, spam-free, and happy dumping place.

But that’s when the real fun started.

the next morning

I woke up, and saw this.

At least 15-20 notifications across Twitter, Discord, and email. I was shocked. What could have happened? Did my blog really go that viral?

So, I opened the Vercel dashboard to find out what’s really wrong here. Why is dump.place down? And why tf is dhravya.dev also down? Oh no.

To note: I had taken care of everything that I thought could go wrong, like spam, abuse, etc. I even used Cloudflare to protect the app from DDoS attacks.

But, not on the signin routes. I used the email magic link signin provider from next-auth, and it was being abused by bots to send thousands of emails to random email addresses.

Creating email addresses means creating verification tokens, which means creating database entries, which means a lot of database writes, which means a lot of database reads and a total …

DUMPSTER FIRE

And that’s not even the worst part. This affected ALL my projects, my client’s projects, and my personal website, my home on the internet.

The small app that I built to dump my thoughts, ended up burning down my entire internet home.

Merry Christmas to me, I guess.

(look at the number of requests 💀)

I love my community, and one of my friends tagged rauchg in the tweet, and he was kind enough to help me out with this. He put all my websites back online and helped me fix the issue.

And it was fixed. But how?

Some stats from the dumpster fire:

(yes, that’s the CEO of Vercel doing customer support for someone on the free plan on Christmas Eve. I love Vercel.)

The fix

So, what was the fix?

It’s simple, really. Here are some of my learnings:

  • In my opinion, don’t use email magic link signin for public apps. It’s a great signin provider, but it’s not meant for public apps. It’s meant for internal apps, where you can control who can access the app. It’s really easy for anyone to just send thousands of emails to random email addresses.
  • If you do, use a captcha. I didn’t use a captcha, and that’s why it was so easy for bots to abuse the app.
  • Use rate limits everywhere. I did use a rate limit, but it was only for the /post endpoint, and not for the /api/auth/signin endpoint. You can use Upstash for this.
  • The internet is bad. People will abuse your app, no matter what. They spam, they DDoS, they will post porn links and Chinese characters. It’s your job to make sure that they can’t.
  • WAF rules. Cloudflare has a great WAF, and it’s really easy to set up. I added a few rules to add a universal rate limit to all my apps, and it’s been working great so far.
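Here’s what the “rate limit the signin route too” lesson looks like in code. This is an added example, not code from the original post or from the DUMP.place repo: a sliding-window limiter that sits in front of a hypothetical magic-link sign-in handler and refuses the request before any verification token is written or any email is sent. The same class, instantiated with a two-minute window and a `post` scope capped at 2, is the “2 dumps in 2 minutes” rule from earlier in the post. Counters live in an in-memory Map so it runs offline; on Vercel you would back them with a shared store such as Upstash Redis. The window size, the per-IP and per-email caps, the handler name and the request shape are all assumptions.

```javascript
// Added example, not code from the original post or from DUMP.place:
// a sliding-window rate limiter in front of a magic-link sign-in handler.
// In-memory Map so it runs offline; in production the counters would live
// in a shared store (e.g. Upstash Redis). All limits below are assumed values.

const WINDOW_MS = 10 * 60 * 1000;     // 10-minute window (assumption)
const LIMITS = { ip: 10, email: 3 };  // sign-in attempts per window per key (assumption)

class SlidingWindowLimiter {
  constructor(windowMs, limits) {
    this.windowMs = windowMs;
    this.limits = limits;
    this.hits = new Map();            // "scope:id" -> timestamps of allowed hits
  }

  // Returns true and records the hit if `id` is under its cap for `scope`,
  // false otherwise. `now` is injectable so the behaviour is deterministic.
  allow(scope, id, now = Date.now()) {
    const key = `${scope}:${id}`;
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    const allowed = recent.length < this.limits[scope];
    if (allowed) recent.push(now);
    this.hits.set(key, recent);       // store the pruned list either way
    return allowed;
  }
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Lower-case and trim so "Alice@Example.com " and "alice@example.com" share a bucket.
function normaliseEmail(raw) {
  return String(raw || '').trim().toLowerCase();
}

// Hypothetical sign-in route. The order matters: both limit checks run BEFORE
// the verification token would be created, because every token is a database
// write plus an outbound email, and that is what the bots were multiplying.
function handleSignin(limiter, req, now = Date.now()) {
  const email = normaliseEmail(req.body && req.body.email);
  if (!EMAIL_RE.test(email)) {
    return { status: 400, body: 'invalid email' };
  }
  // Per-IP cap catches one client hammering many addresses.
  if (!limiter.allow('ip', req.ip, now)) {
    return { status: 429, body: 'too many sign-in attempts from this address' };
  }
  // Per-email cap catches many clients all pointed at one inbox.
  if (!limiter.allow('email', email, now)) {
    return { status: 429, body: 'too many sign-in emails for this account' };
  }
  // Only now would you create the token and send the magic link.
  return { status: 200, body: `magic link queued for ${email}` };
}

// Replays a constructed abuse pattern against a fresh limiter and returns the counts.
function simulateBurst() {
  const limiter = new SlidingWindowLimiter(WINDOW_MS, LIMITS);
  const ipBurst = { allowed: 0, denied: 0 };
  const emailBurst = { allowed: 0, denied: 0 };

  // 1) One IP (RFC 5737 documentation address) requesting links for 12 different inboxes.
  for (let i = 0; i < 12; i++) {
    const res = handleSignin(limiter, { ip: '203.0.113.7', body: { email: `person${i}@example.com` } }, i * 1000);
    if (res.status === 200) ipBurst.allowed++; else ipBurst.denied++;
  }

  // 2) Four different IPs all requesting links for the same inbox (mixed case on purpose).
  for (let i = 0; i < 4; i++) {
    const res = handleSignin(limiter, { ip: `198.51.100.${i + 1}`, body: { email: 'Target@Example.com' } }, 100000 + i * 1000);
    if (res.status === 200) emailBurst.allowed++; else emailBurst.denied++;
  }

  // 3) The IP from (1) again, one full window after its last allowed hit: old hits have aged out.
  const later = handleSignin(limiter, { ip: '203.0.113.7', body: { email: 'person0@example.com' } }, WINDOW_MS + 12000);

  // 4) Malformed input is rejected before any counter is touched.
  const bad = handleSignin(limiter, { ip: '203.0.113.8', body: { email: 'not-an-address' } }, 0);

  return { ipBurst, emailBurst, afterWindow: later.status, badInput: bad.status };
}
```

Two keys rather than one is the part worth copying: a per-IP cap alone does nothing against a botnet spread across many addresses, and a per-email cap alone does nothing against one client cycling through random inboxes; together they bound both the database writes and the number of unwanted emails any single victim can receive.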

Make original mistakes. I made a lot of mistakes, and I learnt a lot from them. I hope you do too.

The aftermath.

Honestly, this experience was scary and exhausting but exciting and fun at the same time. The entire internet (at least my Twitter community) came together to help me out with this, and I’m really grateful for that. This brought back my faith in humanity.

I learnt so much from this, met so many great people, and made so many new friends.

Also ended up with at least 400 new followers on Twitter and multiple viral tweets with hundreds of thousands of impressions. DUMP.place got a lot of attention and traffic, and even this blog is popping off.

So, thanks, my hater, for making this happen. I really appreciate it.

Not everything was good, though. I was travelling while this was happening. Missed sleep, time with friends, and lost my AirPods Pro in the middle of all this fiasco.

Yes. A nice Christmas gift from the internet.

Again, I’m really grateful to everyone who reached out to help with this. There were people ready to hop on a call with me and write code for me, there were people giving me ideas at every step of the way with their own expertise. There were people who were just there to support me and cheer me up, even though they didn’t know much about tech.

The world is a better place because of you. Thank you.

The future

I’m gonna keep on dumping my thoughts on DUMP.place and keep working on it.

Definitely gonna keep on building stuff and learning from my mistakes. And think about everything that I did wrong with this app, and how I can improve it.

Look, I’m just a normal person, and I like seeing numbers on the internet go up. So, if you like this story, please share it with your friends, and follow me on Twitter. Links below. Bye!