Why we can't change avatars without getting banned from the server? [Explanation]

Posted: Wed Feb 04, 2026 9:03 pm
by nicholas_weeks
In recent months, more than one user of this forum has reported being unable to access, from their current IP address, not only https://forum.map-union.org but https://fedi.yesmap.net/ and https://wiki.yesmap.net/ as well. In this thread I explain the little investigation I carried out in order to figure this out and provide a reasonable explanation and a way to solve this problem.


Precedents:
It was reported in late 2024 that new methods to fight DDOS attacks were being tested and that this had made the server unavailable for some users. Then, in Oct 2025, an attacker was able to take the server down for some hours with multiple requests. I'm not sure if the same anti-DDOS system was activated then to deal with it, or if it was activated before but was incapable of handling the attacks. Anyway, in late 2025 [1][2], some users started to report some strange behavior.
I, as well as another user in this thread, had noticed that while accessing the user control panel, in the avatar's tab, some strange behavior happens, and after that users were unable to access the 3 main websites.

The scene:
You log into your account at forum.map-union.org, go to User Control Panel and try to change your Avatar. You reach the avatar's tab; it has a section with your current avatar, a gallery of identicons (default avatars) and an upload section. After a second, you notice that not even half of the avatars have actually been loaded. You then try to reload the page in order to get them. Your connection times out. The same is true for the other websites hosted on this server.

Analysis:
While looking carefully at the original avatar's tab, I noticed that it is supposed to load a gallery with 1000 Identicons, and since they use the HTML attribute "alt" it may try to load all of them twice. This would give approximately 2000 requests. Considering that the anti-DDOS system used here is actually quite simple and just works by banning IPs that are making thousands of requests in a small period of time, this was the most prominent clue I considered while I was making my analysis. Later on, I was able to improvise a browser extension that blocks the requests for the gallery of Identicons, and it worked pretty well, proving my thesis.

Conclusion:
How to solve it:
Here I offer some solutions that the technical staff or the server's admin could consider in order to solve this problem:
Decrease the number of identicons: You can decrease the number of identicons to ten or twenty, and I guess it would still be a reasonable amount of them, since users might not need such a great variety as 1000 identicons.
Remove identicons: Probably users who want to change or have an avatar will find Identicons boring, although there are many users here right now using them. In addition, you could try to host these images on another server and get them from there so as not to overload this one.
Change the Anti-DDOS system: Although the system used here in order to block malicious attempts to crash the whole server is probably still being used because it is serving some purpose well, my guess is that it is a bit rudimentary. I would make suggestions like increasing the number of requests before banning an IP, but it seems like wiping ice. Anyway, the first two suggestions sound better.


My ways to mitigate:
Since this occurred, I found ways not only to investigate, but also, further, to mitigate these problems. Unfortunately, I think I can't share this in more detail, because the code could be deemed sensitive and people might not understand it completely, which would make it irresponsible to use and to share. So I will explain my approaches just in case there is interest.
Python Script: With a Python script using the browser cookies I was able not only to figure out the real number of identicons being loaded in the avatar's tab without getting banned, but I ended up developing a way to upload avatars without needing to access the page in my browser. I hope this is not against the rules; at least I think there's no specific rule against this, and it's not like a real hack with sensitive info and server invasion.
I was also planning to do some sort of protest :lol: (as you could see in my current avatar), but I thought it would be kind of stupid on my part considering that we have much bigger problems, like people in the UK being unable to access Yesmap services due to government censorship, and other problems in the whole MAP community as well.
Browser extension: A browser extension is probably the cleanest way to mitigate such a problem, and it doesn't need to make "hacky" requests to the server using the cookies. It instead just blocks the requests that try to access the identicons. I first made a proof-of-work as a browser extension and it proved to be a success, but it's not perfect yet and needs more careful testing, since if the extension fails for a moment, you are banned.
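
The rate-limiting behaviour described above, as an added example from the server operator's side (not code from the original post or from the forum's own software): a naive per-IP request counter that bans anyone exceeding a threshold, beside a variant that counts only dynamic page requests, both run over constructed log entries for a legitimate avatar-gallery load and for a flood of dynamic page requests. The paths, addresses, threshold and window are assumptions.

```python
from collections import defaultdict, deque

# Constructed access-log entries: (timestamp, client IP, request path).
# The identicon path and both addresses are assumptions, not the forum's
# real layout.
GALLERY_USER = "203.0.113.10"   # legitimate user opening the avatar tab
FLOOD_SOURCE = "198.51.100.7"   # constructed flood against dynamic pages

LOG = [(0.0, GALLERY_USER, "/ucp.php?i=profile&mode=avatar")]
LOG += [(0.001 * i, GALLERY_USER, f"/images/avatars/gallery/identicon_{i}.png")
        for i in range(2000)]          # ~2000 image fetches within 2 s
LOG += [(0.001 * i, FLOOD_SOURCE, f"/viewtopic.php?t={i}")
        for i in range(2000)]          # 2000 dynamic page hits within 2 s

STATIC_SUFFIXES = (".png", ".jpg", ".gif", ".css", ".js")

def is_static(path):
    """Cheap static asset, as opposed to a PHP page that hits the database."""
    return path.split("?", 1)[0].endswith(STATIC_SUFFIXES)

def banned_ips(log, threshold=1000, window=10.0, count_static=True):
    """Sliding-window limiter: ban an IP once it makes more than
    `threshold` counted requests within `window` seconds."""
    recent = defaultdict(deque)
    banned = set()
    for ts, ip, path in sorted(log):
        if ip in banned or (not count_static and is_static(path)):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            banned.add(ip)
    return banned

def naive():
    # Counts every request: the gallery load alone trips the limit.
    return banned_ips(LOG)

def static_aware():
    # Counts only dynamic requests: the gallery user survives, the flood does not.
    return banned_ips(LOG, count_static=False)
```

Counting static assets separately (or weighting them far lower than dynamic pages) keeps the threshold meaningful, since a legitimate page with a large image gallery produces exactly the burst the naive counter treats as an attack.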

Re: Why we can't change avatars without getting banned from the server? [Explanation]

Posted: Thu Feb 05, 2026 10:37 am
by BLueRibbon
Thank you for your investigation and feedback.

We've notified sysadmin.