Follow

Physical (de)centralization of Mastodon servers – after our XMPP scan, we took 1000+ random Mastodon servers and looked at their hosters:

gist.github.com/infosec-handbo

– about 50% of these servers are hosted by only 5 companies in 4 countries
– 26% of servers are hosted in Japan, followed by the USA (24%) and France (23%)

@infosechandbook Don't know how your find your results, but I've the same source (instance.social), and absolutely nothing agree with yours…

- 29% of USA servers : sp3r4z.fr/mastodon/countries
- 5 biggest company result into 38% of instances: sp3r4z.fr/mastodon/providers

Not really accurate in fact…

@Sp3r4z

The results are linked in the post. And as mentioned, we took 1000+ RANDOM Mastodon servers.

@infosechandbook So what's the purpose ? :s

I mean it's random stats, what do you want to show or demonstrate with that ?

@Sp3r4z

The purpose is to show that logically decentralized networks are actually physically centralized. Your data shows the same as the top 7 providers of your list nearly host 50% of 3,345 servers.

@infosechandbook Right, we finally find similar issue… sadly :(

I just find "1k+" a bit too low for having a "real picture" (even if 1k instances is quite a good statistical group). :)

@infosechandbook @Sp3r4z Since consumer-grade ISPs are simply inadequate at hosting large-scale dynamic websites, the bottleneck is the number of good hosting providers. There aren't that many of them in the world. Amazon, DigitalOcean, OVH, Hetzner, Linode. Did you check how these stats compare against a sample of random non-Mastodon websites? I think the results might be quite similar

@Gargron @Sp3r4z

Yes, this isn't unique to Mastodon/the Fediverse.

We checked 1000+ XMPP servers several days ago (mastodon.at/@infosechandbook/1) and got nearly the same results.

We also checked Matrix servers (gist.github.com/infosec-handbo), however, we only got 14 domain names, so there are no good statistics here so far.

@infosechandbook might be interesting to provide this as a parseable format (you're not far from JSON it seems)

@mmu_man

We used a custom Python script to get DNS information for those servers and compiled this list. AFAIK, there are already some websites that offer JSON output, e.g. instances.social/api/doc/

@mmu_man Je peux t'offrir une base de donnée sur le sujet (mon site en a une "publique"), avec les instances (quelques infos à l'instant T, toutes les heures) et leur localisations

@infosechandbook

@Sp3r4z @infosechandbook c'était juste pour info, j'en ai pas besoin pour l'instant, mais merci :)

@mmu_man À ta guise, mais comme le disait @infosechandbook c'est un bête script d'interrogation :)

@infosechandbook Interesting: Amazon, Microsoft and Google host some Mastodon servers.

@Cedara

Yes, likely via Amazon AWS, Google Cloud, and Microsoft Azure.

@infosechandbook

> Cloudflare, Inc. hosts 71 Mastodon servers

I have some doubts about Cloudflare hosting any servers at all, the most likely scenario is that they are hosted somewhere else but behind the Cloudflare CDN.

On the other hand, the sample instances are spread over ~160 providers, which seems quite good.

Interesting stats nevertheless 👍

@infosechandbook But the thing is, if there is any actual problem with a provider, instance admins could switch to another in a matter of days, and the users wouldn't even notice.

@infosechandbook wonder if any are more northerly than me. Can you graph by latitude?

Mind you, it probably shows as london...

@lupine

Actually, is it possible to get city names, however, they are based on IP addresses and this information is mostly not so accurate.

At least, there were 16 servers hosted in Finland in our sample, so they could match your criteria.

@infosechandbook I found my server there, which I have at home and there's that it's hosted by my ISP. So I suppose it's about who provides IPs and not about hosting.

@Mac_CZ

It lists the provider of each IP address. In most cases, you can clearly see whether it's an ISP or a server hosting company. For instance, Altnet s.r.o. provides "připojení k internetu" but they don't offer server hosting.

Contrary to this, OVH SAS or Hetzner Online GmbH (companies that are used most often) are well-known server hosting providers.

So, the fact that there are some ISPs on the list doesn't change our findings.

@infosechandbook But even Hetzner doesn't mean hosting automatically, it can be just anti ddos proxy.

@infosechandbook How do you easily identify who hosts a website/service? :)

@esureL

There are IP lookup tools/API that also provide information about rDNS, autonomous system numbers, and providers.

@esureL

There is no specific recommendation. All of these tools basically do the same.

For our script, we used the KeyCDN API: tools.keycdn.com/geo#ip-locati

Sign in to participate in the conversation
Mastodon

mastodon.at is a microblogging site that federates with most instances on the Fediverse.