Bluesky has been dealing with a DDoS attack for nearly a full day (opens in new tab)

> Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."

The context of the "jokes", regardless of if one finds them funny, is that this is exactly how AI boosters (including the bluesky team) have been behaving.

Every little benefit, no matter how small or unfounded, was being attributed to AI usage. So people do the opposite, attributing every little problem to the use of AI.

The implied punchline being "Oh, so now you care about accuracy?"

A week or two ago, when there was a Bluesky outage and a Claude outage at the same time, people were earnestly pointing to that as evidence that Claude was somehow a load-bearing component of Bluesky, or that AI vibecoding had caused the outage... I had to just disengage but I was also very annoyed by it all.

I don't have any anecdotal data, just detecting a whiff of a possible pattern in your statement. DDoS is bots. Any chance the prevalent discourse is bots? "I ain't saying she a gold digger..."

Perhaps underestimating how much the bsky audience absolutely hate AI.

It's funny how closely bsky has replicated the dynamic of old Twitter where the people who run it and the people who use it have completely different priorities and loathe each other.

It turns out that this was, in fact, the case. They DDOS'd themselves, with a deployment of their own code - something they have separately claimed is "99% AI written" these days.

I am not surprised. People on Bluesky are so blatantly anti-AI.

Would be funny if this nonsense came mostly from bots to distract from the fact that Bluesky isn't decentralized and thus easier to take out.

Theoretically, if the backend code is optimized enough, a DDoS attempt wouldn't lead to a denial of service since all those requests would just get served as normal. And as long as the network isn't the bottleneck, which it probably is in most cases.

The status page seems hosted by UptimeRobot, so it looks like it was a problem on their end.

The group that claim to be doing the DDoS also claim to be DDoSing the status page specifically.

If you're referring to Cloudflare, the "security check" is not a default setting. For some reason administrators love to use Under attack mode as a band-aid measure to reduce load on the host.

At least Apple devices are actually secure and can't really be omitted from things other than gaming and business. Granted, gaming and business are pretty important.

Client side challenges would be fine when a DDoS is actually happening, but they're basically targeting certain platforms more than others right now. Not actually helping in keeping a site secure in that case and hurting user experience.

My understanding is that ATProto itself is definitely decentralized but the app view most people interact with using the Bluesky app is centralized ...sort of. The Bluesky app view will read from PDSes hosted by other people, hence people on Bluesky can see stuff posted elsewhere, like users of Blacksky. If the Bluesky app view decides to stop reading from any other PDS (like those of Blacksky, or ones which are self-hosted) they're free to do so. The same is true for alternative app views like Blacksky. Since most people think of Bluesky as the thing you see on the official Bluesky app (which shows the Bluesky app view) an outage of the Bluesky app view will mean they lose the ability to view any posts from any source. If someone's using a separate app view like Blacksky, the most that will happen to them should be that they'll lose interaction with posts coming from Bluesky's PDSes until the outage ends.

I may have the division between Bluesky and Blacksky off, but ATProto does allow this sort of thing. Hosting a PDS is trivial and requires very few resources. Hosting a full app view can be expensive depending on how many PDSes you're ingesting from, but you can decide how much of that you want to do.

Yes, that's the first "D" in "DDoS" ;)

You're probably thinking of Mastadon

In theory! Theoretically it’s not needed to be down at any point today :)

Yes, and other hosts are working normally.

Thought so too. Odd.

Depending on size, such attacks can be very costly to organize, at least in opportunity cost (that is, using a botnet to attack BlueSky doesn't cost anything per se, but it does mean you can't use it for some other purpose, such as attacking someone else or mining Bitcoin).

If you're asking in general, DDoS attacks can absolutely serve a purpose - either to punish an organization that the attackers are unhappy with, or to hide some other more targeted attacks in a flood of errors, weird behaviors, and tired sysadmins.

One possible purpose is marketing. Owners of the botnet are merely demoing the capabilities for prospective customers.

> It seems like we're don't really see that many deliberate DDoS attack anymore.

There are more now then there ever have been in number of infected hosts and total data volume.

The internet is a big place.

”On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants.”

Source: https://www.europol.europa.eu/media-press/newsroom/news/euro...

Bluesky isn't ATProto.

It's federated, not decentralized

You’re saying a mastodon instance can’t vet DDosed?