Update of sr #111180 (group administration):
Status: None => Done
Assigned to: None => rwp
_______________________________________________________
Follow-up Comment #1:
DDoS Attack! Savannah's git server has been under a heavy botnet load since
January 15 when it started. The botnet numbers at least 3 million addresses!
Wow!
We are doing what we can to mitigate the attack and to keep the git service
useful. But when the botnet surges it will overwhelm the system and with 3
million bots hitting there is not any amount of mitigation that can completely
dodge the attack. wI can only ask that you be patient and to try it again.
As part of the mitigations we are blocking addresses. Quite a few of them at
the moment. However if you are receiving a 502 Bad Gateway then your IP is
NOT being blocked.
The 502 Bad Gateway indicates that the system is overloaded. The web page git
browser interface is relatively heavy weight and when the system is heavily
loaded then it will time out before it completes. This is true for both the
GITWEB and CGIT services.
It is also true for the git fetch service too but it is lighter weight and
less affected. That's LESS affected because 502 errors are also seen in the
git fetch service too but less often.
You mention CG-NAT and yes that is a problem for blocking the botnet when
there are shared addresses. I have implemented a partial workaround. We are
now keeping an ipset of all addresses that have successfully done a git fetch
action. Then when we detect an abuse botnet that would normally trigger
adding it to the block list we don't if we have seen that previously it
performed a successful git fetch. It's not a perfect solution because it
depends upon the ordering of the events. But it is better than nothing and it
has saved a dozen CG-NAT addresses so far.
Neither of the two addresses you furnished are in either of those two lists
however. Neither the good one nor the bad one.
You mentioned "pull in sources ... at ... /gitweb/?p=config.git" and I hope
that is just a casual reference. Because of course for git fetch and pull
operations one should use the git http backend.
git clone https://git.savannah.gnu.org/git/config.git
That's the proper URL for git source operations. The gitweb and cgit
interfaces are for human browsing. Don't use them for source operations!
And then of course once you have the source you can browse it directly rather
than using the web interface. The web interface is of course what we use for
mailing list discussion and such so we know it is useful.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/support/?111180>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
signature.asc
Description: PGP signature
