2011-01-17 10:46:05 |
Tom Haddon |
bug |
|
|
added bug |
2011-01-17 10:46:14 |
Tom Haddon |
launchpad: importance |
Undecided |
Critical |
|
2011-01-17 10:46:23 |
Tom Haddon |
tags |
|
canonical-losa-lp |
|
2011-01-17 10:46:32 |
Tom Haddon |
bug |
|
|
added subscriber Canonical LOSAs |
2011-01-17 10:46:36 |
Tom Haddon |
removed subscriber Tom Haddon |
|
|
|
2011-01-17 10:47:22 |
Tom Haddon |
description |
Per the following email (sent to feedback@lp), our code import servers have DoS-ed third party services.
------------------------------------------------------
Date: Sun, 16 Jan 2011 10:55:20 +0000
Subject: Canonical Launchpad code import servers blocked due to abuse
The launchpad code import servers have been blocked from accessing
svn.apache.org for abuse. There were in excess of 1,000,000 requests
made to svn.apache.org in the previous 24 hours and a couple of
instances in the previous few days of ~500,000 requests.
ASF policy permits no more than one update per hour from automated clients.
To request removal of the block (you'll need to explain what you have
done to ensure the abuse is not repeated) contact
infrastructure@apache.org or find the ASF infrastructure team on
#asfinfra at freenode.
Mark |
Per the following email (sent to feedback@lp), our code import servers have DoS-ed third party services.
------------------------------------------------------
Date: Sun, 16 Jan 2011 10:55:20 +0000
Subject: Canonical Launchpad code import servers blocked due to abuse
The launchpad code import servers have been blocked from accessing
svn.apache.org for abuse. There were in excess of 1,000,000 requests
made to svn.apache.org in the previous 24 hours and a couple of
instances in the previous few days of ~500,000 requests.
ASF policy permits no more than one update per hour from automated clients.
To request removal of the block (you'll need to explain what you have
done to ensure the abuse is not repeated) contact
us or find the ASF infrastructure team on
#asfinfra at freenode.
Mark
|
|
2011-01-17 14:08:34 |
Robert Collins |
launchpad: importance |
Critical |
High |
|
2011-01-17 14:08:36 |
Robert Collins |
launchpad: status |
New |
Triaged |
|
2011-01-17 14:08:57 |
Robert Collins |
summary |
code import servers DoS-ing third party services |
no safety net for misbehaved backend services |
|
2011-01-17 14:20:43 |
Robert Collins |
description |
Per the following email (sent to feedback@lp), our code import servers have DoS-ed third party services.
------------------------------------------------------
Date: Sun, 16 Jan 2011 10:55:20 +0000
Subject: Canonical Launchpad code import servers blocked due to abuse
The launchpad code import servers have been blocked from accessing
svn.apache.org for abuse. There were in excess of 1,000,000 requests
made to svn.apache.org in the previous 24 hours and a couple of
instances in the previous few days of ~500,000 requests.
ASF policy permits no more than one update per hour from automated clients.
To request removal of the block (you'll need to explain what you have
done to ensure the abuse is not repeated) contact
us or find the ASF infrastructure team on
#asfinfra at freenode.
Mark
|
Symptoms
========
Launchpad backend services like the code importer, bug watchers, tarball finders are all expected to communicate with external sites at fairly high frequencies.
We will from time to time have bugs in those services that result in excessively high attempted requests being made to those sites. When this happens we generally get firewalled, which is unpleasant for everyone.
Solution
========
As part of being good net citizens we need to ensure that when that happens our services are throttled in some fashion. Simple request count throttling won't cover all requests (e.g. asking svn to perform an expensive server side operation may still be an issue) but it's an improvement over our current catchall (revisions imported in one session are throttled).
Implementation
==============
We probably want to use an external catchall - e.g. squid or something - so that many different services can all be throttled in some sensible fashion.
bzr-svn and cscvs also speak svn: and pserver: which means that we either need a proxy protocol implementation for them or some in-process policy layer (that doesn't lose state when a specific import worker fails). |
|
2011-01-17 14:20:53 |
Robert Collins |
bug task added |
|
launchpad-cscvs |
|
2011-01-17 14:21:05 |
Robert Collins |
launchpad-cscvs: status |
New |
Triaged |
|
2011-01-17 14:21:08 |
Robert Collins |
launchpad-cscvs: importance |
Undecided |
High |
|
2011-01-17 14:21:29 |
Robert Collins |
bug task added |
|
bzr-svn |
|
2011-01-17 14:21:50 |
Robert Collins |
bzr-svn: importance |
Undecided |
High |
|
2011-01-17 14:22:06 |
Robert Collins |
summary |
no safety net for misbehaved backend services |
misbehaving backend services are able to DOS external services |
|
2011-01-19 00:08:47 |
Jelmer Vernooij |
bzr-svn: status |
New |
Triaged |
|
2011-01-19 00:08:52 |
Jelmer Vernooij |
bzr-svn: assignee |
|
Jelmer Vernooij (jelmer) |
|
2011-08-30 19:13:11 |
Jelmer Vernooij |
bzr-svn: assignee |
Jelmer Vernooij (jelmer) |
|
|
2012-01-12 12:39:13 |
Robert Collins |
launchpad-cscvs: importance |
High |
Low |
|
2012-01-12 12:39:16 |
Robert Collins |
launchpad: importance |
High |
Low |
|
2021-01-06 16:30:06 |
Colin Watson |
affects |
launchpad |
lp-codeimport |
|