Mastodon reported that its main mastodon.social server was hit by a distributed denial-of-service (DDoS) attack on Monday.
This made the server unusable for many users for a short time, causing outage warnings and error messages. The company confirmed the attack in a public update and clarified that only its official server was affected, not the entire Mastodon network.
Outage hit the main instance, not the whole network
TechCrunch reported that Mastodon announced at about 7 a.m. ET that it was looking into the cyberattack.
By 9:05 a.m. ET, Mastodon said it had put a “countermeasure against the DDoS attack” in place and restored access, but warned that some instability might continue while the attack was still happening. Mastodon’s status page also showed that the site was accessible again after these steps.
That distinction matters because Mastodon is not a single centralized platform in the same way many mainstream social networks are.
Only mastodon.social was targeted, not the many smaller servers that together make up the broader Mastodon network.
Mastodon head of communications Andy Piper shared that this was a case where the decentralized nature of the Fediverse is a true advantage, adding that users on other Mastodon or Fediverse servers were completely unaffected and, in most cases, the outage would have been invisible to them.
Millions of malicious requests flooded the server
Mastodon shared that the traffic it was seeing — described as “millions of malicious requests” — matched the pattern of a DDoS attack. These attacks work by sending huge volumes of junk traffic at a site or app’s servers in an attempt to overwhelm them and knock them offline.
DDoS incidents generally do not involve data theft, but can still be highly disruptive because they prevent normal users from reaching a service.
The company did not say who was behind the incident, and the reports contained no public attribution to a state actor or hacking group. But the timing made the attack notable in a broader social-media context.
Engadget shared that the Mastodon disruption came less than a week after Bluesky dealt with its own prolonged DDoS trouble.
TechCrunch reported that, as of Bluesky’s update on April 17, that separate attack was still ongoing even though service had stabilized.
Decentralization softened the impact
The outage also became a live demonstration of one of Mastodon’s core architectural arguments. Because users are distributed across many interoperable servers, an attack on one large instance does not necessarily take down the entire network.
The attack so far had only affected the larger mastodon.social server and not the many other instances that form the full Mastodon ecosystem.
That does not make the incident minor. Mastodon’s flagship instance is one of the best-known and most visible entry points into the network, so an outage there still affects a large number of users and reinforces the threat DDoS attacks pose to social platforms.
But it does suggest that Mastodon’s federated design can contain the blast radius better than a one-server model.
For users on other instances, the network largely continued as usual even while Mastodon’s main server was under pressure.