devicemap-dev mailing list archives

From Werner Keil <werner.k...@gmail.com>
Subject Fwd: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted
Date Tue, 01 Sep 2015 11:09:19 GMT
Does this have an impact on DeviceMap?

As usual, please reply directly if an immediate answer was required.

Otherwise, could somebody please look into it? If a change is needed, it'll
affect all of DeviceMap, not just some components.

I decided to wait before proposing adjustments to the C# release. Will do
when the dust has settled over these recent issues.
It shouldn't affect a vote or preview of artifacts in a personal space.

Werner

---------- Forwarded message ----------
From: Daniel Gruno <humbedooh@apache.org>
Date: Tue, Sep 1, 2015 at 1:04 PM
Subject: Re: Distributed Denial of Service attack on Apache's servers
today: Please be advised of changes enacted
To: infrastructure-private@apache.org


Just a quick update (sorry for the noise):

For those struggling with these changes, we now have a simple guide to
changing your download page(s) at:
https://reference.apache.org/pmc/mirror_scripts

With regards,
Daniel.

On 08/31/2015 10:31 PM, Daniel Gruno wrote:
> Hello PMCs,
>
> Earlier today we discovered that a new type of DDoS had been started
> against our servers, wherein the slow mirror selecting script used for
> most TLP sites' download pages had been abused, causing our server load
> averages to exceed 2000. Naturally, we do not have a 2000 core CPU on
> our machines, so things slowed down to a grinding halt, pages became
> unresponsive.
>
> To combat this, given the fact that it was (and still is) distributed,
> we have put in place a new mirror script that makes use of far more
> efficient data gathering and compiling to produce roughly the same
> output. This change means that within a day or two, we will be
> deprecating the .cgi scripts that we used to have, and replacing them with
> our new Lua-driven system (which has proven to be ~500 times faster,
> thus mitigating the DDoS).
>
> IF you have a custom .cgi script on your TLP site with an accompanying
> .html file of the same name, you most likely do not need to change
> anything. Our new system will catch that request and use the old CGI EZT
> file to produce the output.
>
> If you refer to www.apache.org/dyn/closer.cgi, please refer to
> www.apache.org/dyn/closer.lua instead from now on.
>
> Any non-conforming CGI scripts are no longer enabled, and are all
> rewritten to go to our new mirror system.
>
> PLEASE, check your sites, make sure the download section works. If it
> does not, and you cannot figure out how to get it working, let us know,
> and we will do our best to help you out.
>
> As mentioned, this was an emergency fix and it is a permanent fix. If
> your current download page is off, you WILL need to change it, and ASAP.
>
> With regards,
> Daniel on behalf of the Apache Infrastructure Team.
>
