On Fri, 14 Mar 2025 at 17:36, Nick Holland <n...@holland-consulting.net> wrote:
>
> hello.
> As you may have noticed, cvsweb.openbsd.org has been having
> issues. This time, it is due to effectively a Distributed Denial of
> Service, though I don't actually believe it is /deliberately/
> malicious. Speculation is someone is trying to feed a so-called AI
> application from cvsweb. While I admire the idea of training an AI
> from the work of some of the best programmers in the world, cvsweb
> is a perl script that writes a lot of temp files. The current
> system is many times the first cvsweb HW I set up many years ago,
> and won't even notice humans using it, when hundreds of simultaneous
> automated queries are happening, things get bad quickly.
>
> FOR NOW, I've stopped the ability of cvsweb to show diffs of file
> revisions. This is where both much of the abuse was happening, and
> also much of the load on the system came from.
> YES, that's horribly annoying, but you can still download any
> individual version of a file and you can still see the annotated
> output. I'll be thinking about a longer-term solution (which may
> also be "wait until they get bored and move on").
>
> Sorry for the inconvenience.
>
> Nick.

Why would you block it for everyone by returning 200 OK with a misleading "No viewable change" render, instead of limiting the number of requests by User-Agent and/or IP range? Both are trivial to do with nginx.

C.
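
The per-IP and per-User-Agent limiting suggested in the reply above, sketched as an nginx configuration. This is an added example, not part of either message and not the configuration of cvsweb.openbsd.org; the host name, backend address, `.diff` URL pattern, User-Agent pattern, address range, zone names and rates are all assumptions.

```nginx
# Added example: goes in the http {} context. All names, patterns, ranges and
# rates below are assumptions for illustration.

# Flag clients by User-Agent (hypothetical pattern; 1 = throttle harder).
map $http_user_agent $ua_is_bot {
    default                        0;
    ~*(bot|crawler|spider|scrapy)  1;
}

# Flag clients by source range (198.51.100.0/24 is a documentation prefix,
# standing in for a range taken from the access log).
geo $ip_is_flagged {
    default          0;
    198.51.100.0/24  1;
}

# The key is the client address only for flagged clients. Requests with an
# empty key are not counted by limit_req, so everyone else skips this zone.
map "$ua_is_bot$ip_is_flagged" $strict_key {
    default "";
    ~1      $binary_remote_addr;
}

limit_req_zone  $binary_remote_addr zone=diff_per_ip:10m rate=30r/m;
limit_req_zone  $strict_key         zone=diff_strict:10m rate=2r/m;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

server {
    listen 80;
    server_name cvsweb.example.org;        # placeholder host

    # Assumed: diff views are the requests whose path ends in ".diff".
    location ~ \.diff$ {
        limit_req  zone=diff_per_ip burst=10 nodelay;
        limit_req  zone=diff_strict burst=1;
        limit_conn conn_per_ip 2;          # cap simultaneous diff renders per IP
        limit_req_status  429;             # signal throttling instead of 200 OK
        limit_conn_status 429;
        proxy_pass http://127.0.0.1:8080;  # assumed backend running the CGI
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Per-address limits only bite when each source sends many requests; traffic spread thinly across many addresses with browser-like User-Agents stays under them, which is worth checking in the access log before choosing rates.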