Re: [service-announce] Temporarily blocking AS4837 (China Unicom) from Git
On Tue, Jun 30, 2020 at 2:30 PM Jeremy Stanley <fungi@yuggoth.org> wrote:
Due to a flood of connections from random addresses within AS4837 (China Unicom), we have temporarily blocked access to the opendev.org Git service from all prefixes they're announcing in BGP. This is not a decision we took lightly, but whatever distributed system these requests are coming from is not limited to any easily classified network set. We're also seeing similar activity from AS4134 (ChinaNet), and so may have to add filtering for their prefixes too in the near term.
Have those blocks been removed or are they still in place?
Hopefully we can lift this block once the problematic traffic subsides, or as soon as we implement better alternative mitigations. -- Jeremy Stanley _______________________________________________ service-announce mailing list service-announce@lists.opendev.org http://lists.opendev.org/cgi-bin/mailman/listinfo/service-announce
-- Mohammed Naser VEXXHOST, Inc.
On 2020-07-05 13:29:36 -0400 (-0400), Mohammed Naser wrote: [...]
Have those blocks been removed or are they still in place? [...]
Still in place for the moment, we were planning to revisit the situation tomorrow. A quick look at the graphs suggests the problem activity may have trailed off around 03:00 UTC yesterday with a brief resumption for 12:30-14:00 UTC yesterday. There's a new spike starting at 17:20 UTC today (a few minutes ago) but I'm not in a position to check whether the actual requests match the ones we were getting last week. Ian worked out configuration management for an Apache proxy in front of each of the Gitea servers which we can activate to start performing user agent based filtering of future requests, which even though it's additional complication for the service still seems preferable to blocking every customer of the largest ISP in China. -- Jeremy Stanley
participants (2)
-
Jeremy Stanley
-
Mohammed Naser