Tophhie Social: Attack Report Oct 2025

The Tophhie Social server was attacked on the 22nd Oct 2025. So, what happened?


Unfortunately, the Tophhie Social server was subject to an attack yesterday that caused the service to go down for a long period of time.

In the spirit of providing full transparency, we're going to break down what happened, what we did to resolve the issue, and what we still have left to do to protect against attacks like this in the future.

What happened?

Here's a timeline of events (all times are UK)...

22nd October 2025

  • 6.05pm - We received our first alert from our internal monitoring service indicating the "Tophhie Social" service was down. We started investigating...
  • 6.14pm - Our investigation showed no hosting provider issues (Azure), no server issues, and the server itself was responsive. To expedite recovery, we initiated a full restart of the server.
  • 6.15pm - The service came back online. We continued investigating the root cause.
  • 6.20pm - We checked the network logs, and saw a huge increase in requests to the com.atproto.server.createAccount endpoint at roughly 6.04pm. The requests all came from the United States, but from various ISPs and hosting providers.
  • 6.21pm - We identified a total of 282 atproto accounts had been created on the PDS in very quick succession (within 60 seconds), overloading the server and grinding the web services to a halt. We determined the server had been DDOS'd.
  • 6.30pm - We reviewed our rate limiting systems and identified a flaw in the logic that failed to block repeated calls to the createAccount endpoint. We fixed the rule logic and deployed the changes.
  • 6.40pm - We tested the rate limiting logic and found the changes were working as expected.
  • 7.00pm onwards - We implemented further network security rules to block certain traffic from ever reaching the Tophhie Social server.

We declared the incident resolved and confirmed no data was compromised. This was just an attack on the server, not the data.

23rd October 2025

  • 1.08am - We received another alert from our internal monitoring service. The "Tophhie Social" service was down again.

Unfortunately, during this overnight period, our automated recovery systems didn't kick in and therefore the service stayed down, until...

  • 8.06am - We initiated another restart of the server after identifying no further attacks had taken place, the hosting service seemed to be stable, and the server itself was accessible.
  • 8.07am - The service came back online. We continued our investigation into this seemingly new issue...
  • 8.15am - We determined the server itself wasn't experiencing issues; however, the host the server was on may have been contributing to the impact. We initiated a redeploy of the server to another host within the Azure environment.
  • 8.20am onwards - We monitored the Tophhie Social service and determined everything was back online and responding as expected.

We have resolved the issue with our automated recovery system, and tested that it is working as expected. A flaw in the workflow logic was preventing the recovery tasks from being triggered.

We have now declared this incident as fully resolved.

What have we done to protect against this happening again?

DDOS attacks are, unfortunately, very common. They're designed to cause disruption and take services offline... However, we have implemented several measures to protect against this and minimise disruption in the future.

  • We have fixed the rate limiting logic, so requests to the server are blocked when they reach a calculated threshold.
  • We have lowered the allowed rate within the rate limiter. Regular activity within the atproto network and your account should not be affected. However, bots, and systems that aim to abuse the server will be blocked quicker and for longer.
  • We have implemented several new network security rules to immediately block traffic based on a set of rules consistent with bots, attackers, and suspicious activity.
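
The timeline notes that the createAccount flood came from many different ISPs and hosting providers, which is the case where a limit keyed only on the client address may never trip. The following is an added example, not Tophhie Social's own rate limiter: the class, the limits (5 per address and 10 per endpoint per 60 seconds) and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

CREATE_ACCOUNT = "com.atproto.server.createAccount"  # endpoint named in the report

class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any rolling `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:  # forget events older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(requests, per_source, per_endpoint=None):
    """Count requests that pass. Each request is (time_s, source_ip, endpoint)."""
    allowed = 0
    for now, ip, endpoint in requests:
        # Per-source check first: a blocked source never spends the shared budget.
        if not per_source.allow((ip, endpoint), now):
            continue
        # Shared budget per endpoint, regardless of which address is calling.
        if per_endpoint is not None and not per_endpoint.allow(endpoint, now):
            continue
        allowed += 1
    return allowed

def constructed_burst(total=282, sources=94, seconds=60.0):
    """Constructed sample: `total` calls in `seconds`, spread over `sources` addresses."""
    return [(i * seconds / total, f"198.51.100.{i % sources + 1}", CREATE_ACCOUNT)
            for i in range(total)]

def per_source_only():
    # Assumed limit: 5 calls per address per 60 s. Each address sends only 3.
    return simulate(constructed_burst(), SlidingWindowLimiter(5, 60))

def with_endpoint_budget():
    # Assumed extra limit: 10 createAccount calls per 60 s across all addresses.
    return simulate(constructed_burst(), SlidingWindowLimiter(5, 60),
                    SlidingWindowLimiter(10, 60))

if __name__ == "__main__":
    print("per-source only:", per_source_only())
    print("with endpoint budget:", with_endpoint_budget())
```

The shared endpoint budget also delays legitimate sign-ups while a flood is in progress, so its value has to be set against normal registration volume.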

Conclusion

On the 22nd October 2025, the Tophhie Social server experienced a DDOS attack that took services offline for a short period of time. An investigation took place and actions were implemented to remediate the issue and bring services back online.

A separate incident took place overnight on the 23rd October 2025 which saw Azure host issues contribute to inaccessibility of the Tophhie Social service. This was remediated by initiating a restart and redeploy of the server onto a different Azure host.


If you have any questions or concerns, please do drop me a message on Bluesky at @tophhie.cloud or email us at help@tophhie.cloud.