crafatar.com spammed with bogus requests

[qtchaos]

The Crafatar API returns a 521 error code, or sometimes shows a Heroku error. This is very unfortunate because recently we switched from mcheads to Crafatar for our game launcher, and having this occur within a week is making me lose confidence in the service.

[SuperZekes]

I also have the same issue with it we just have to wait for the service to be back up again.

[jomo]

Thanks for reporting this. The server seems to be down, I have contacted the hosting provider to bring it back up.

[sauramel]

Any news on this?

[jomo]

They haven't replied to the ticket yet

[AqueleHaru]

you should change the host D:

[Matthewn7]

Hi. Blazing fast API has been timing out for 3 days now. Has the server grown legs and left for some milk? Updates would be appreciated. Thanks

[sauramel]

So is this abandoned? @jomo

[jomo]

The hosting provider restarted the VM and crafatar came back, but apparently it went down again. I wonder if this is caused by someone effectively DoSing the server with too many requests.

Unfortunately only the hosting provider can restart the VM, I've asked them again and will try to monitor the situation as soon as possible.

---

@AqueleHaru

you should change the host D:

They have hosted crafatar.com for free for almost a decade and only ever asked for their link and logo on the website. They replied in <24 hours, which is quite good for a 0.00 € tier.

@sauramel

So is this abandoned? @jomo

While I don't plan to continue active development on the software, I haven't abandoned running the crafatar.com service. I don't run this for profit, crafatar.com has been free software and ad-free since forever and all expenses are paid by myself. As such, running the service is not the top priority in my life and I'm not a team of SREs waiting 24/7 to handle any incidents.

If anyone relies on the availability of crafatar.com, please DM me if you're interested in a paid SLA. Alternatively, you can easily host a private or public instance of crafatar. hmu if you commit to running a public instance long-term, then I can add it to the README.

[jomo]

Found the problem: Someone is hitting the service with >37x the amount of traffic we usually have… Please don't.

The server is actually up, but it's out of resources and slow to respond. I'll see what I can do.

[jomo]

Some IPs are requesting several bogus requests per second with obviously wrong UUIDs, causing a lot of uncached request hits that are then cached, and causing a lot of unnecessary traffic. The requests only identify as a Java version, so they seem to be coming off some kind of Java application.

I'm trying to redirect some of those requests here. If you know what's causing these requests, please let me know.

[jomo]

In other news, crafatar.com currently seems to be stable. I hope it stays that way for a while.

[iLemon]

@jomo not 100% sure if this is related to what you're saying, but I thought it'd be worth mentioning: a lot of Tebex stores for Minecraft servers have themes that use crafatar URLs with UUIDs. The problem is that Tebex now just generate a random UUID ever since most stores are now "offline mode" in order to support bedrock users. I just noticed this on my store and got forwarded here.

Hope that explains why you're probably getting a lot of invalid UUID requests!

[Technofied]

Checked our forum logs, we use MineSync which is an addon for Xenforo. It also uses Crafatar to fetch avatars for users according to their username.

We use Geyser to support bedrock players, this means the UUID it's parsing to fetch the avatar is invalid. I imagine there are other applications like this exhibiting similar behaviour - hope this helps. :)