Posted to dev@devicemap.apache.org by Werner Keil <we...@gmail.com> on 2015/09/01 13:09:19 UTC

Fwd: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted

Does this have an impact on DeviceMap?

As usual, please reply directly if an immediate answer is required.

Otherwise, could somebody please look into it? If a change is needed, it'll
affect all of DeviceMap, not just some components.

I decided to wait before proposing adjustments to the C# release. Will do
when the dust has settled over these recent issues.
It shouldn't affect a vote or preview of artifacts in a personal space.

Werner

---------- Forwarded message ----------
From: Daniel Gruno <hu...@apache.org>
Date: Tue, Sep 1, 2015 at 1:04 PM
Subject: Re: Distributed Denial of Service attack on Apache's servers
today: Please be advised of changes enacted
To: infrastructure-private@apache.org


Just a quick update (sorry for the noise):

For those struggling with these changes, we now have a simple guide to
changing your download page(s) at:
https://reference.apache.org/pmc/mirror_scripts

With regards,
Daniel.

On 08/31/2015 10:31 PM, Daniel Gruno wrote:
> Hello PMCs,
>
> Earlier today we discovered that a new type of DDoS had been started
> against our servers, wherein the slow mirror-selecting script used for
> most TLP sites' download pages had been abused, causing our server load
> averages to exceed 2000. Naturally, we do not have a 2000-core CPU on
> our machines, so things slowed down to a grinding halt, pages became
> unresponsive.
>
> To combat this, given the fact that it was (and still is) distributed,
> we have put in place a new mirror script that makes use of far more
> efficient data gathering and compiling to produce roughly the same
> output. This change means that within a day or two, we will be
> deprecating the .cgi scripts that we used to have, and replacing them with
> our new Lua-driven system (which has proven to be ~500 times faster,
> thus mitigating the DDoS).
>
> IF you have a custom .cgi script on your TLP site with an accompanying
> .html file of the same name, you most likely do not need to change
> anything. Our new system will catch that request and use the old CGI EZT
> file to produce the output.
>
> If you refer to www.apache.org/dyn/closer.cgi, please refer to
> www.apache.org/dyn/closer.lua instead from now on.
>
> Any non-conforming CGI scripts are no longer enabled, and are all
> rewritten to go to our new mirror system.
>
> PLEASE, check your sites, make sure the download section works. If it
> does not, and you cannot figure out how to get it working, let us know,
> and we will do our best to help you out.
>
> As mentioned, this was an emergency fix and it is a permanent fix. If
> your current download page is off, you WILL need to change it, and ASAP.
>
> With regards,
> Daniel on behalf of the Apache Infrastructure Team.
>
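
The forwarded notice describes the mechanism of the attack: an unauthenticated download-page endpoint whose per-request cost was high enough that a distributed flood of ordinary-looking requests drove load averages past 2000, and the fix was to make the same work far cheaper per request rather than to block the clients. The following is an added illustration of that principle, not code from the Apache Infrastructure Team and not the actual closer.cgi or closer.lua (the page does not show how either is implemented). It contrasts a selector that re-reads and re-parses a mirror list on every request with one that compiles the list once and serves from memory with a refresh interval. The mirror-list format, the hostnames, the fallback URL and the request replay are all constructed for the example.

```python
"""Per-request vs. amortised mirror selection (illustrative, not Apache's code)."""
import time

# Constructed sample mirror list: one "country<TAB>url" record per line.
# The real Apache mirror data has a different shape; this is only a stand-in.
MIRROR_LIST_TEXT = """\
# country\turl
us\thttp://mirror-a.example.org/apache/
us\thttp://mirror-b.example.org/apache/
de\thttp://mirror-c.example.org/apache/
fr\thttp://mirror-d.example.org/apache/
"""

# Constructed fallback used when no mirror matches the requested country.
BACKUP_MIRROR = "http://www.apache.org/dist/"


def parse_mirror_list(text):
    """Parse the list into {country: [urls]}. This is the expensive step:
    its cost grows with the size of the mirror list."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        country, url = line.split("\t", 1)
        table.setdefault(country, []).append(url)
    return table


def select_mirror(table, country):
    """Return the first mirror for a country, else the fallback."""
    urls = table.get(country)
    return urls[0] if urls else BACKUP_MIRROR


class SlowSelector:
    """Before: every request re-reads and re-parses the mirror list, so each
    attacker request costs the server a full parse of the whole list."""

    def __init__(self, source):
        self.source = source      # callable returning the raw list text
        self.parses = 0           # how many full parses the requests caused

    def handle(self, country):
        self.parses += 1
        return select_mirror(parse_mirror_list(self.source()), country)


class CachedSelector:
    """After: compile the list once and serve from memory, refreshing only
    when the cached copy is older than ttl_seconds. Per-request cost is now
    a dictionary lookup, independent of mirror-list size."""

    def __init__(self, source, ttl_seconds=300, clock=time.monotonic):
        self.source = source
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so the refresh can be tested
        self.parses = 0
        self._table = None
        self._loaded_at = float("-inf")

    def _fresh_table(self):
        now = self.clock()
        if self._table is None or now - self._loaded_at >= self.ttl:
            self._table = parse_mirror_list(self.source())
            self._loaded_at = now
            self.parses += 1
        return self._table

    def handle(self, country):
        return select_mirror(self._fresh_table(), country)


def simulate(selector, requests):
    """Replay a list of country codes against a selector; return the answers."""
    return [selector.handle(c) for c in requests]


def compare(n_requests=999):
    """Replay the same constructed flood against both selectors and report
    whether the output is identical and how many parses each one performed."""
    source = lambda: MIRROR_LIST_TEXT
    flood = ["us", "de", "zz"] * (n_requests // 3)   # "zz" hits the fallback
    slow, fast = SlowSelector(source), CachedSelector(source)
    slow_out, fast_out = simulate(slow, flood), simulate(fast, flood)
    return {
        "requests": len(flood),
        "same_output": slow_out == fast_out,
        "slow_parses": slow.parses,
        "cached_parses": fast.parses,
    }


if __name__ == "__main__":
    print(compare())
```

The point of the comparison is that both selectors answer every request identically, so the change is invisible to legitimate download-page visitors, while the attacker's cost advantage disappears: the flood that forced the slow version into one full parse per request costs the cached version a single parse per refresh interval. The same reasoning applies to any public endpoint that recomputes derived data on each hit.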

Re: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted

Posted by Werner Keil <we...@gmail.com>.
Will do, thanks.
I'll probably give you a heads-up and put stuff to review before the actual
vote.

Werner

On Tue, Sep 1, 2015 at 2:31 PM, Radu Cotescu <ra...@apache.org> wrote:

> Hi Werner,
>
> I think that DeviceMap's download script has probably already been
> migrated since the Downloads page works as expected.
>
> I suggest you prepare the C# release artifact in the meantime and restart
> the voting thread / restage the artifact.
>
> Cheers,
> Radu
>

Re: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted

Posted by Radu Cotescu <ra...@apache.org>.
Hi Werner,

I think that DeviceMap's download script has probably already been migrated
since the Downloads page works as expected.

I suggest you prepare the C# release artifact in the meantime and restart
the voting thread / restage the artifact.

Cheers,
Radu