diff --git a/routes/api.py b/routes/api.py
index 95a9673..4f35f17 100644
--- a/routes/api.py
+++ b/routes/api.py
@@ -4,6 +4,7 @@ from flask import jsonify, redirect, make_response, request, Response
 from model import Account
 import libforget.settings
 import libforget.json
+import random
 
 @app.route('/api/health_check')
 def health_check():
@@ -68,6 +69,10 @@ def known_instances():
         if not known:
             return Response('[]', 404, mimetype='application/json')
 
+        # pad to avoid oracle attacks
+        for _ in range(random.randint(0, 1000)):
+                known += random.choice((' ', '\t', '\n'))
+
         return Response(known, mimetype='application/json')
 
     elif request.method == 'DELETE':