devicemap-dev mailing list archives

From Radu Cotescu <r...@apache.org>
Subject Re: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted
Date Tue, 01 Sep 2015 12:31:12 GMT
Hi Werner,

I think that DeviceMap's download script has probably been already migrated
since the Downloads page works as expected.

I suggest you prepare the C# release artifact in the meantime and restart
the voting thread / restage the artifact.

Cheers,
Radu

On Tue, 1 Sep 2015 at 13:09 Werner Keil <werner.keil@gmail.com> wrote:

> Does this have an impact on DeviceMap?
>
> As usual, please reply directly if immediate answer was required.
>
> Otherwise could somebody please look into it, if a change is needed, it'll
> affect all of DeviceMap, not just some components.
>
> I decided to wait before proposing adjustments to the C# release. Will do
> when the dust has settled over these recent issues.
> It shouldn't affect a vote or preview of artifacts in a personal space.
>
> Werner
>
> ---------- Forwarded message ----------
> From: Daniel Gruno <humbedooh@apache.org>
> Date: Tue, Sep 1, 2015 at 1:04 PM
> Subject: Re: Distributed Denial of Service attack on Apache's servers
> today: Please be advised of changes enacted
> To: infrastructure-private@apache.org
>
>
> Just a quick update (sorry for the noise):
>
> For those struggling with these changes, we now have a simple guide to
> changing your download page(s) at:
> https://reference.apache.org/pmc/mirror_scripts
>
> With regards,
> Daniel.
>
> On 08/31/2015 10:31 PM, Daniel Gruno wrote:
> > Hello PMCs,
> >
> > Earlier today we discovered that a new type of DDoS had been started
> > against our servers, wherein the slow mirror selecting script used for
> > most TLP sites' download pages had been abused, causing our server load
> > averages to exceed 2000. Naturally, we do not have a 2000 core CPU on
> > our machines, so things slowed down to a grinding halt, pages became
> > unresponsive.
> >
> > To combat this, given the fact that it was (and still is) distributed,
> > we have put in place a new mirror script that makes use of far more
> > efficient data gathering and compiling to produce roughly the same
> > output. This change means that within a day or two, we will be
> > deprecating the .cgi scripts that we used to have, and replace it with
> > our new Lua-driven system (which has proven to be ~500 times faster,
> > thus mitigating the DDoS).
> >
> > IF you have a custom .cgi script on your TLP site with an accompanying
> > .html file of the same name, you most likely do not need to change
> > anything. Our new system will catch that request and use the old CGI EZT
> > file to produce the output.
> >
> > If you refer to www.apache.org/dyn/closer.cgi, please refer to
> > www.apache.org/dyn/closer.lua instead from now on.
> >
> > Any non-conforming CGI scripts are no longer enabled, and are all
> > rewritten to go to our new mirror system.
> >
> > PLEASE, check your sites, make sure the download section works. If it
> > does not, and you cannot figure out how to get it working, let us know,
> > and we will do our best to help you out.
> >
> > As mentioned, this was an emergency fix and it is a permanent fix. If
> > your current download page is off, you WILL need to change it, and ASAP.
> >
> > With regards,
> > Daniel on behalf of the Apache Infrastructure Team.
> >
>
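
The check the notice asks each PMC to make on its download section can be scripted. The following is an added example, not code from this thread or from Apache Infrastructure: it scans a checked-out site tree for links that still use closer.cgi and for .cgi scripts with no .html file of the same name. The function names, the scanned file suffixes and the sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Old and new mirror-script URLs, as given in the infrastructure notice.
OLD_URL = "www.apache.org/dyn/closer.cgi"
NEW_URL = "www.apache.org/dyn/closer.lua"
OLD_RE = re.compile(re.escape(OLD_URL) + r"\b")
# Assumption: which file types of a site tree can carry download links.
PAGE_SUFFIXES = {".html", ".htm", ".md", ".xml"}


def audit_site(root):
    """Return (stale_refs, orphan_cgi) for a checked-out site tree.

    stale_refs: (relative path, line number) of each line linking to closer.cgi.
    orphan_cgi: .cgi scripts without an .html file of the same name beside
                them, the case the notice describes as non-conforming.
    """
    root = Path(root)
    stale_refs, orphan_cgi = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".cgi":
            if not path.with_suffix(".html").is_file():
                orphan_cgi.append(rel)
        elif path.suffix in PAGE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if OLD_RE.search(line):
                    stale_refs.append((rel, lineno))
    return stale_refs, orphan_cgi


def rewrite_refs(text):
    """Point closer.cgi links at closer.lua; path and query string are kept."""
    return OLD_RE.sub(NEW_URL, text)


if __name__ == "__main__":
    # Constructed sample tree, not DeviceMap's real site content.
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "download.cgi").write_text("#!/bin/sh\n")
        (site / "download.html").write_text("<a href='download.cgi'>dl</a>\n")
        (site / "old.cgi").write_text("#!/bin/sh\n")
        (site / "index.html").write_text(
            "<p>Get it</p>\n<a href='http://" + OLD_URL + "/devicemap/'>here</a>\n")
        print(audit_site(site))
```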
