

Mastodon is an ad-free, non-monetized social network started in 2016 as a crowd-funded open-source alternative to Twitter. Mastodon is part of a federated social media network built on open protocols, called the Fediverse, made up of thousands of independently run application servers worldwide. Mastodon GmbH self-hosts one of the biggest servers, mastodon.social. Using the W3C decentralized social networking protocol ActivityPub, Mastodon enables users to share information and follow other users on any application that uses the protocol, including Mastodon and Threads. Users are free to take their accounts, including followers, to a compatible platform at any time.

joinmastodon.org
Industry: Nonprofit
Location: EMEA
Customer since: 2023


Favorite features
Real-time Observability
DDoS mitigation
Instant configuration changes
Sub-second worldwide purge

Mastodon scales and protects social media app servers to meet unprecedented surge in demand


The challenge


In 2022, Twitter users flocked en masse to alternative social media platforms in response to changes made by Elon Musk. Suddenly, five million users wanted to sign up for accounts on Mastodon, a competing platform that had a half-million users at the time. To welcome these new users, mastodon.social, one of the social network’s biggest application servers, needed to expand its Ruby on Rails-based infrastructure fast.


Since Mastodon works in real time, the growth resulted in huge swings in traffic that resembled denial of service attacks. “When I post something, I expect my followers to be informed of it in a few seconds,” Mastodon CTO Renaud Chaput explains. “But when big accounts moved from Twitter to mastodon.social, our service would go down due to the volume of request traffic.”


The company also faced actual DDoS attacks. Stepping into a challenging situation, Chaput brought in Fastly to protect and scale the platform.


The solution


In 2023 Fastly invited Mastodon to join the Fast Forward initiative, a program that offers free services to open source projects and the nonprofits that support them. Fast Forward focuses on building community around the building and maintenance of an internet that is faster, safer, and more inclusive, a mission that Mastodon is aligned with as well.


Chaput explains, “One of the first things I did once we joined Fast Forward was to put Fastly in front of our infrastructure—initially a few bare metal servers in Germany, and later, dozens of cloud servers—to protect and reduce the load.” Fastly Content Delivery now fronts every part of the mastodon.social application, intercepting DDoS attacks and caching content and API calls.


Stops DDoS attacks


As a well-known social media platform, Mastodon is the target of malicious users and groups. Chaput’s team deployed Fastly during its first big DDoS attack. “In less than 30 minutes, we deployed Fastly and stopped the attack,” Chaput says. “Since then, we have worked with the Fastly security team to fend off many distributed denial of service (DDoS) attacks, thanks to the Fastly infrastructure. With the help of Fastly, we have mitigated every attack.”


Caching content and 60% of API calls reduces origin egress by 75%


The social media platform uses Fastly Streaming Delivery as a content delivery network (CDN) and as a caching layer for the application. Users share content that requires a lot of bandwidth, such as images and videos. “We use Fastly to cache everything, which results in less load on our servers,” Chaput says. “And, because it’s cached so close to the end user, it loads very fast. Our response time is much better all over the world by using Fastly.”


The social platform also uses Fastly to cache API calls. “We have a web front end that lives in the user’s browser in a JavaScript app—it makes a lot of API calls,” Chaput explains. “But user content is public, so now 60 percent of our API is served directly by Fastly from the cache, which allows us to scale with far fewer backend servers, reducing origin egress by 75%.”


When a user posts, the application sends a message to all servers that host accounts that follow the user. Those servers then return a request to download the new content. Within a few seconds, thousands of servers request the content at nearly the same time. Before Fastly, this request traffic hammered the servers. Then Chaput’s team decided to use Fastly caching for this content as well.


“We simply added an HTTP header that tells Fastly, ‘Cache this for 20 seconds.’ And Fastly receives all of the requests for the same object, coalesces the near simultaneous requests, and makes one request to our backend,” he explains. “Just one request instead of thousands. As a result, we don’t see traffic spikes anymore. Instead, the app server replies with the content, and Fastly distributes it all over the world and caches it.”
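The behaviour described above, as an added Ruby example that is not Fastly's or Mastodon's code: a small in-process model of an edge cache that honours a 20-second TTL and collapses simultaneous misses for one object into a single origin fetch. The `Cache-Control: max-age=20` header, the class and method names, and the sample path are assumptions; the page does not name the header Mastodon sends.

```ruby
# Edge cache with request collapsing: constructed model, all names are assumptions.
class CoalescingCache
  Entry = Struct.new(:body, :expires_at)
  attr_reader :origin_fetches
  # origin: block taking a key and returning [headers, body]
  def initialize(clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }, &origin)
    @origin, @clock = origin, clock
    @store = {}        # key -> Entry
    @in_flight = {}    # key -> true while one request is at the origin
    @lock, @done = Mutex.new, ConditionVariable.new
    @origin_fetches = 0
  end

  # TTL in seconds; responses marked private or no-store are never stored.
  def self.ttl(headers)
    cc = headers["Cache-Control"].to_s
    cc.match?(/\b(private|no-store)\b/i) ? 0 : cc[/\bmax-age=(\d+)/i, 1].to_i
  end

  def get(key)
    @lock.synchronize do
      loop do
        entry = @store[key]
        return entry.body if entry && entry.expires_at > @clock.call
        break unless @in_flight[key]
        @done.wait(@lock)          # same object already being fetched: wait
      end
      @in_flight[key] = true
      @origin_fetches += 1
    end
    begin
      headers, body = @origin.call(key)
    ensure
      @lock.synchronize do
        ttl = headers ? self.class.ttl(headers) : 0
        @store[key] = Entry.new(body, @clock.call + ttl) if ttl > 0
        @in_flight.delete(key)
        @done.broadcast            # wake the collapsed waiters
      end
    end
    body
  end
end
# Constructed scenario: n follower servers request the same new post at once.
def simulate_fanout(n, cache_control)
  cache = CoalescingCache.new { |_k| sleep 0.05; [{ "Cache-Control" => cache_control }, "post body"] }
  bodies = Array.new(n) { Thread.new { cache.get("/posts/1") } }.map(&:value)
  [cache.origin_fetches, bodies.uniq]
end
```

With a cacheable response, any number of simultaneous requesters cost the origin one fetch; with a `private` response nothing is shared and every requester reaches the origin.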


Real-time observability and sub-second changes enable nimble admins


Chaput notes that Fastly’s real-time observability, sub-second configuration changes, and instant purges worldwide are highly valued by his core systems team. “We are able to understand when we are under DDoS attack and see how to mitigate it because we have access to real-time Fastly logs. We drill down into the logs to see what is happening, what the attackers are targeting, and so on. That’s a big improvement over other platforms that only send hourly or daily statistics,” he says.


Configuration changes and content purges also occur in real time. “With Fastly, we push a configuration change on the API, and it slides in under a second. Similarly, if we want to invalidate an object that has changed, such as a cached API call, we send a purge request, and it is complete in less than a second worldwide. That’s really powerful,” he says.


Fast answers from expert support personnel every time


“Fastly support people are really amazing,” Chaput compliments. “The level of support Fastly provides is vastly superior to other providers we use. Each time we have an issue, we get a very fast, very good answer from Fastly. We quickly receive the assistance of an expert who really knows the service and how the underlying code works. We don’t waste time escalating from tier 1 to tier 2 support.”


Key takeaway


Mastodon.social has the protection, scalability, and support Chaput’s team needs to serve a highly responsive social media network to hundreds of thousands of users worldwide. Chaput architected Fastly into the core system architecture of mastodon.social, where it defends and optimizes communication with the application servers. By extending the use of the CDN to cache the application’s API calls as well as user-generated content, mastodon.social is insulated from bursts of traffic from all sources for the best performance.


“I know multiple people who switched to Fastly because they knew that the support was top notch.”

Renaud Chaput
CTO at Mastodon



“Fastly hosts everything we have, serving as a CDN between the users and our hosting platform.”

Renaud Chaput
CTO at Mastodon



“60 percent of our API is served directly by Fastly from the cache, reducing our origin egress by 75%.”

Renaud Chaput
CTO at Mastodon



“Fastly takes thousands of requests at once and puts them together to make just one request to our backend. We get the one request, deliver the content, and Fastly distributes it.”

Renaud Chaput
CTO at Mastodon



“Mastodon is one of the largest open-source Ruby on Rails applications.”

Renaud Chaput
CTO at Mastodon
