Bluesky is a decentralized microblogging platform gaining traction in recent days. With over 10 million registered users as of September 2024, it offers a unique, open-source infrastructure, allowing for greater user control and customization. This blog illustrates the network traffic research conducted at Keysight ATI Research Centre for the BlueSky web application and its traffic simulation offering on the Breaking Point system.
Overall Analysis
We have performed extensive user interactions with the Bluesky web application. The captured traffic was completely TLS encrypted. We have further analyzed the traffic based on hostnames.
Fig.1 : Request-Response count per host
In the figure above we can observe the maximum number of request-response was seen by cdn.bsky.app followed by conocybe.us-west.host.bsky.network . While the first host was serving a large number of web artifacts to be loaded, the later was used to get data from backend services such as user preferences, feed suggestions, notifications etc.
Fig. 2: Cumulative payload per host
The diagram above shows that the host cdn.bsky.app has the maximum cumulative payload. The rest of the hosts are also involved but they have lesser payloads.
Analyzing Endpoints
This section contains analysis of important endpoints we observed –
Session Creation
Fig 3: Session Creation in Bluesky
These interactions are used to create a user session and identify the possible actions that the server allows. The https://bsky.social/xrpc/com.atproto.server.createSession
does this by posting user credentials to the server, which returns a session ID and DID (Decentralized Identifiers) Document.
https://bsky.social/xrpc/com.atproto.server.createSession does this by checking the available operations for the given URL.
Loading User Related Information
For loading various user-related information such as conversations, preferences, notifications, services the conocybe.us-west.host.bsky.network host is used. We have observed several API calls-
Fig 4: Loading user centric information
-
This first request lists user’s conversations. The URL uses the GET method indicating a read operation. The endpoint ‘/xrpc/chat.bsky.convo.listConvos’ has a query parameter (‘limit=1’) to limit the number of responses. The response status is 200, indicating a successful operation, however, the response body signifies no existing conversations with the response, ‘{“convos”:[]}’.
-
The second request fetches user notifications. ‘GET’ method signifies read operation. Endpoint is ‘/xrpc/app.bsky.notification.listNotifications’. This API is returning encoded data in response. It uses ‘limit=40’ implying that the maximum number of notifications to be fetched is 40.
-
The third request retrieves user preferences. Again, ‘GET’ method indicates a read operation. The endpoint is ‘/xrpc/app.bsky.actor.getPreferences’. The responseBody suggests that personal data and interests of the user are stored as preferences.
-
The last request seen on the image above fetches services for a specific ‘did’ (decentralized identifier). URL is ‘/xrpc/app.bsky.labeler.getServices?dids=did%3Aplc%3Aar7c4by46qjdydhdevvrndac&detailed=true’. This is a complex operation which might fetch detailed information about different services available for the user.
Post Submission
This request-response pair represents a record creation operation, using a POST HTTP method and a structured JSON payload. The server responds with a 200-status indicating successful operation execution and provides unique identifiers for referencing the created record.
Fig 5: Submitting a post
The request is sent to create a new post in the ‘app.bsky.feed.post’ collection, and the collection name, the post content and DID was sent as the body of the POST request.
Bluesky Traffic in BreakingPoint
The Bluesky platform has gained significant popularity on the internet, resulting in a significant amount of related network traffic. If you’re wondering how to test and calibrate your network equipment to ensure accuracy and resiliency against this traffic, then BreakingPoint Systems is the perfect solution for you.
The Keysight Application and Threat Intelligence (ATI) team have analyzed the network traffic related to Bluesky web application and released simulation strategies in our ATI-2024-18 bi-weekly StrikePack release.
Fig 6: Bluesky in BreakingPoint
The BPS offers niche capability like mixing Bluesky network traffic with thousands of other applications traffic to make a real-world network traffic simulation that flows through your network equipment. For more details about Keysight BreakingPoint and to test your network equipment against the most updated network traffic available in the internet visit BreakingPoint.