tickets #3704
closedDefective DNS infrastructure for login.opensuse.org / build.opensuse.org
0%
Description
Hi SUSE Admins,
Can someone please take a look at the DNS resolver which provides
service to the OpenSUSE Build Service (OBS)? In particular you need to
check the systems which can originate traffic from the IP address with
the reverse DNS of "login.opensuse.org".
Git traffic from this address was erroneously directed towards the
single US based node of the KDE Anongit network (anongit.kde.org) due
to this defect in your DNS infrastructure. It should have been
directed towards our EU based nodes.
This pattern normally occurs when you are using Google Public DNS
(8.8.8.8), or have a tunnel setup which results in your traffic
appearing to originate in the Americas.
In this instance, the direction of traffic towards a single node
resulted in an effective denial of service attack - as they were
attempting to clone (or otherwise access) many large repositories
simultaneously.
This resulted in everyone in the Americas, Oceania and Asia being
prevented from accessing KDE Git repositories.
I'd therefore also appreciate it if someone could implement throttling
on your side to only fetch one Git repository at a time, particularly
as your systems should be going off reference tarballs which can be
easily obtained from the download.kde.org mirror network.
Regards,
Ben Cooksley
KDE Sysadmin