Posted to builds@apache.org by Chris Lambertus <cm...@apache.org> on 2019/05/13 22:00:48 UTC

Re: repository.apache.org - Re: Blocking Polaris Alpha Traffic to Apache

It’s more that people use nexus aka repository.apache.org <http://repository.apache.org/> (RAO) as a generic artifactory server, and then all builds end up asking RAO for objects, which causes the ban. There really should be no need for anyone other than project committers or an extremely limited subset of people testing pre-release artifacts to be touching RAO. Not really sure how to address this more holistically. Maybe limit access to the artifacts to authenticated users? Just spitballing here, adding builds@ to the list as well. I’m not aware of other use cases.





> On May 13, 2019, at 2:37 PM, Dave Fisher <da...@comcast.net> wrote:
> 
> Hi Chris,
> 
> These misuses of repository.apache.org <http://repository.apache.org/> occur often.
> 
> Are there particular Apache projects that may have improper builds?
> 
> Regards,
> Dave
> 
> On May 13, 2019, at 11:28 AM, Chris Lambertus <cml@apache.org <ma...@apache.org>> wrote:
> 
>> Thanks. I have removed the ban. Note that it is an automated system, so if the traffic recurs, it will be banned again.
>> 
>> -Chris
>> 
>> 
>>> On May 13, 2019, at 7:03 AM, Scott Cowher <scott.cowher@polarisalpha.com <ma...@polarisalpha.com>> wrote:
>>> 
>>> Hello Chris, 
>>>  
>>> Thank you for the quick reply. We have investigated and this issue has been resolved. This resulted from a change we implemented on Tuesday the 7th, where we added it to the virtual proxy, which was what caused the spike in traffic. We marked the repos as offline and removed them from the maven main.
>>>  
>>> Thanks again and I apologize for the issue this change had caused.
>>>  
>>> Scott 
>>> From: Chris Lambertus <cml@apache.org <ma...@apache.org>> 
>>> Sent: Friday, May 10, 2019 6:26 PM
>>> To: Scott Cowher <scott.cowher@polarisalpha.com <ma...@polarisalpha.com>>
>>> Cc: webmaster@apache.org <ma...@apache.org>; security@apache.org <ma...@apache.org>; apache@apache.org <ma...@apache.org>; Users <users@infra.apache.org <ma...@infra.apache.org>>
>>> Subject: Re: Blocking Polaris Alpha Traffic to Apache
>>>  
>>> The IP 63.238.47.2 was banned 3 days ago for abuse of our repository.apache.org <http://repository.apache.org/> service, with over 75,000 requests in a 24-hour period. This service is for testing of pre-production artifacts only. Unless you are an Apache committer or testing a pre-release artifact, there is no reason to be using this service. It is likely that you have set up a build system which is configured to retrieve artifacts from repository.apache.org <http://repository.apache.org/>. Please don't do this, or set up a local mirror. Let us know what the results of your investigation are and we will evaluate removing the ban.
>>>  
>>>  
>>> 
>>> 
>>> On May 10, 2019, at 12:14 PM, Scott Cowher <scott.cowher@polarisalpha.com <ma...@polarisalpha.com>> wrote:
>>>  
>>> Hello, 
>>>  
>>> Emailing to find out more about the recent blocking of traffic from the Polaris Alpha network. The traffic is coming from 63.238.47.0/24. We have many developers who utilize Apache and we’re thinking that several were accessing this week. This influx of requests may have caused Apache to block, thinking it was a DoS attack.
>>>  
>>> What can be done to unblock/whitelist the Polaris Alpha users?
>>>  
>>> Any help would be greatly appreciated.
>>>  
>>> Thanks, 
>>> 
>>> Scott  
>>>  
>>> Scott Cowher 
>>> Director,  Program Support 
>>> 5450 Tech Center Dr, Ste 400 
>>> Colorado Springs, CO 80919
>>> scott.cowher@parsons.com <ma...@parsons.com>
>>> P: +1 719.452.7444    M: +1 719.640.8515 
>>> Parsons <http://www.parsons.com/>  | Facebook <https://www.facebook.com/parsonscorporation/>  |  LinkedIn <https://www.linkedin.com/company/parsons/>  |  Twitter <https://twitter.com/parsonscorp>  |  Youtube <https://www.youtube.com/user/ParsonsCorp>
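
A check a build owner could run over a Maven `pom.xml` or `settings.xml` to find repository entries that point at repository.apache.org, the misconfiguration described in the thread. This is an added example, not part of the original messages; the function names and the sample POM are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RAO_HOST = "repository.apache.org"  # the host named in the thread
# Maven elements (pom.xml / settings.xml) whose <url> child names a remote repository.
REPO_ELEMENTS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}

def local(tag):
    """Drop the XML namespace prefix: '{ns}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]

def find_rao_references(xml_text):
    """Return (element, id, url) for each repository entry whose URL host is RAO_HOST.

    Matching is on the parsed hostname, so look-alike hosts and unresolved
    ${property} URLs are not reported. Entries under distributionManagement
    are reported too; a reviewer decides whether those belong to a committer.
    """
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) not in REPO_ELEMENTS:
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in elem}
        url = fields.get("url", "")
        if (urlparse(url).hostname or "").lower() == RAO_HOST:
            hits.append((local(elem.tag), fields.get("id", ""), url))
    return hits

# Constructed sample POM (not taken from the thread).
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>apache-all</id><url>https://repository.apache.org/content/groups/public/</url></repository>
    <repository><id>lookalike</id><url>https://repository.apache.org.example.com/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>apache-snap</id><url>https://REPOSITORY.APACHE.ORG/snapshots</url></pluginRepository>
  </pluginRepositories>
</project>
"""

if __name__ == "__main__":
    for kind, repo_id, url in find_rao_references(SAMPLE_POM):
        print(f"{kind} id={repo_id!r} -> {url}")
```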