AO3, or Archive of Our Own, is a popular fanfiction website that has recently been the target of DDoS (Distributed Denial of Service) attacks. These attacks have intermittently made the site slow or completely unavailable to users. Understanding why AO3 is being attacked can help make sense of this frustrating situation for the site’s many fans.
What is AO3?
AO3 is a nonprofit website for hosting and archiving fanfiction. It allows users to post their own fanfiction stories and read stories posted by others. The site hosts over 7 million fanworks across over 30,000 fandoms as of September 2022. It was created and is run by the Organization for Transformative Works (OTW), which advocates for fanfiction authors and their right to transform existing works.
Why is AO3 popular?
AO3 has become the most popular fanfiction site due to its permissive policies, nonprofit status, and robust archiving system. Unlike some other fanfiction sites, AO3 allows and does not judge any type of content, ranging from tame stories to explicit adult content. This inclusiveness appeals to many fans. As a nonprofit, AO3 is run for the benefit of fans, not corporate profit. The site also emphasizes permanence and access to older fanworks. Once a fic is posted, it is preserved even if the original author leaves the site. This reliable long-term storage sets AO3 apart.
Who uses AO3?
AO3 has a very diverse user base of all ages, nationalities, and interests. While exact demographics are unavailable, the site is popular globally. Some of the largest fandoms hosted include Anime & Manga, Video Games, Books & Literature, TV Shows, Movies, K-pop, Cartoons, Comics & Graphic Novels, Theatre, Celebrities, Music & Bands, History & Politics, and more. Any fan with an interest they want to creatively express can find their niche on AO3.
DDoS Explained
To understand why AO3 is the target of DDoS attacks, let’s first explain what a DDoS attack is and does:
What is a DDoS attack?
DDoS stands for Distributed Denial of Service. It is a type of cyberattack that overloads a website’s servers with fake traffic. This prevents real users from being able to access the site.
How does it work?
In a DDoS attack, the incoming fake traffic flooding the servers comes from many different sources, often a botnet of infected devices. The attack traffic essentially clogs up the site, overwhelming its bandwidth and resources. This renders it inaccessible to legitimate users.
What are the impacts?
A successful DDoS attack makes the website unreachable to real visitors. It’s like hundreds of people crowding the entrance to a store so no one else can get in. The effects depend on the site resources and attack scale. It can range from sluggish speeds to total denial of service. The attacks don’t directly affect site data but prevent access.
DDoS attack statistics
| Year | Number of DDoS Attacks |
|---|---|
| 2018 | 188,700 |
| 2019 | 230,700 |
| 2020 | 316,000 |
| 2021 | 378,600 |
DDoS attacks have been increasing over time as botnets grow. Attacks above 100 Gbps (gigabits per second) are frequent, requiring significant resources to withstand.
AO3 – A Ripe Target
AO3’s popularity, ideological clashes, and limited resources make it an ideal DDoS target:
Popularity & visitor traffic
As the largest fanfiction site, AO3 gets heavy visitor traffic. This makes it an enticing target, as an attack can disrupt more users. With millions of users monthly, AO3 sees:
- Over 5.7 million visitors weekly
- 1.8 million registered users
- Daily traffic peaks over 15 million pageviews
Generating enough attack traffic to overwhelm these numbers gives motivation to attackers.
Ideological disputes & controversies
There are groups that ideologically disagree with AO3’s permissive policies around content. Some cite concerns allowing adult/explicit stories, especially focused on taboo subjects. Though this material is a tiny fraction of the library, its presence angers moral activists. Religious fundamentalists, anti-LGBTQ groups, and far-right politicians have publicly condemned AO3. DDoSing the site is an insidious way they can undermine it without looking culpable.
Resource limitations
As a non-profit relying on donations, AO3 has far less funding than major corporations running commercial sites. Their servers and bandwidth capacity are limited, making it easier for attackers to overload. While profitable sites can throw money at DDoS mitigation services, AO3 must stretch their technical resources. This asymmetry makes it simpler to disrupt their operations.
Recent AO3 DDoS Timeline
Understanding when the attacks occurred provides more context:
| Date | Attack Event |
|---|---|
| August 22, 2022 | Sustained DDoS attack begins disrupting AO3 access |
| August 25, 2022 | Attack traffic peaks at 3x normal levels |
| September 5, 2022 | Attacks decrease but cause periodic outages |
| September 19, 2022 | Another DDoS spike slows site substantially |
The attacks have been intermittent but ongoing. Some outages have lasted hours during the largest bombardment peaks. Attacks may continue as AO3 upgrades their defenses.
Difficulties mitigating attacks
The non-profit has struggled to fight off the large attacks with limited resources:
- Adding more bandwidth is costly and may be outpaced by attackers
- DDoS mitigation services are very expensive
- Rerouting traffic sacrifices user experience with captcha and delays
- Defenses also impair site features like searching and algorithms
Fully mitigating the threat is an uphill battle, leading to the ongoing intermittent issues.
The Future of AO3
Despite continued DDoS disruptions, the AO3 community remains resilient:
United user support
AO3 users have rallied together across social media to spread awareness and support the site through donations or merchandise purchases. Rather than get angry at staff, they commend the efforts to keep AO3 running under attack.
Strengthening infrastructure
Donations have allowed the site to add more bandwidth and explore long-term DDoS solutions. Upgrading infrastructure will make AO3 more resilient over time.
Heightened monitoring
Staff have improved systems to quickly detect and respond to attack spikes. Experience from each incident also helps AO3 better tune defenses going forward.
Exploring legal options
While identifying attackers is very difficult, AO3 may look into legal recourse options once patterns emerge. DDoS attacks are illegal, so there is motivation for lawyers to assist pro bono.
Conclusion
In summary, AO3 is an ideological target being DDoSed due to its popularity, controversies around content policies, and limited resources. However, the passionate user community continues supporting the site through grassroots donations and promotion. With their help, AO3 is actively improving security infrastructure to better withstand inevitable future attacks. The DDoS campaigns are frustrating but ultimately reflect the vibrant values and impact of the AO3 community.
