Rate limiting for hotlinked images
Open, HighPublic
Actions

Assigned To

None

Authored By

	RLazarus
	Sep 14 2022, 6:30 PM

Description

A few times in recent history, including twice this week, we've suffered outages due to images hosted on our infrastructure hotlinked by popular websites or apps. The bottleneck is usually network bandwidth, either over our peering/transit connections or at the individual cp host, or both.

(Note there's been some discussion in the past about whether to permit hotlinking at all; see e.g. T152091. I don't want to get into that policy question here, only the technical issue of keeping the site available for other users when image requests exceed our available bandwidth.)

As currently implemented we can't use requestctl as a protective measure (T317794) and other proposed solutions (https://gerrit.wikimedia.org/r/768723) won't work as-is for similar reasons. Either approach might be adapted to work, but in the meantime, we need a tool available for oncallers to use to protect the infrastructure when this happens. Some possible approaches:

Prioritize the VCL changes needed for T317794
Prioritize the VCL changes needed for https://gerrit.wikimedia.org/r/768723
Apply automatic rate limiting at the haproxy layer (T306580 wouldn't apply here, because the per-client concurrency is probably ~1, so we'd need per-URL ratelimiting or better yet bpslimiting, but haproxy is a good place for it, for the reasons described in that task)
Add a knob for manual rate limiting at the haproxy layer, so oncallers can respond quickly to hotlink-induced outages (enabling requestctl would be preferable, just to keep all the controls in the same place -- but if we can implement this solution more quickly, let's do it)

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
haproxy: bwlim-by-path: enable globally	operations/puppet	production	+14 -84
haproxy: bwlim-by-path: also roll out to eqiad	operations/puppet	production	+28 -0
haproxy limit-by-path: reduce bwlim	operations/puppet	production	+2 -2
hiera: exclude wikimedia_trust from url bwlim	operations/puppet	production	+2 -0
hiera: Extend bwlim experiment to upload@ulsfo\|eqsin	operations/puppet	production	+28 -27
hiera: Extend bwlim experiment to cp5030	operations/puppet	production	+27 -0
hiera: Fix cp4051 bwlimit configuration	operations/puppet	production	+1 -1
haproxy,hiera: Test bwlimit per url on cp4051	operations/puppet	production	+29 -2
C:varnish: Rate limit hotlinking	operations/puppet	production	+16 -16
C:varnish: Rate limit hotlinking dry-run	operations/puppet	production	+50 -2
hiera: Disable haproxy limit-by-path experiments on cp4041 and cp5030	operations/puppet	production	+0 -56
hiera: Test HAProxy bw limits per URL on cp5030	operations/puppet	production	+29 -0
haproxy: Fix filter bwlim syntax	operations/puppet	production	+1 -1
hiera: Test HAProxy bw limits per URL on cp4051	operations/puppet	production	+28 -0
haproxy: Add support for filter bwlim-(in\|out)	operations/puppet	production	+22 -3
hiera: Move HAProxy 2.7 experiments to cp4051	operations/puppet	production	+0 -0
hiera: Use HAProxy 2.7.x on cp5032	operations/puppet	production	+1 -0
cache::haproxy: Fix missing socket variable	operations/puppet	production	+3 -0
cache::haproxy: Set nbthreads on the first global section	operations/puppet	production	+26 -15
hiera: Switch cp4052 to HAProxy 2.7 branch	operations/puppet	production	+1 -0
C:varnish: Add cluster_fe_hit and cluster_fe_ratelimit_hits subroutines	operations/puppet	production	+16 -0

Related Objects

Mentioned In: T391172: Hotlinking Used by Malicious Actors
T358455: Primary outbound port utilisation over 80% alert muted
Mentioned Here: T152091: Block hotlinking
T317794: requestctl can't act on cache hits

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 14 2022, 6:30 PM

Peachey88 subscribed.Sep 15 2022, 8:31 AM

Change 768723 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] C:varnish: Rate limit hotlinking

https://gerrit.wikimedia.org/r/768723

Change 832268 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] C:varnish: Add cluster_fe_hit and cluster_fe_ratelimit_hits subroutines

https://gerrit.wikimedia.org/r/832268

Change 832621 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] C:varnish: Rate limit hotlinking

https://gerrit.wikimedia.org/r/832621

Change 832268 merged by Jbond:

[operations/puppet@production] C:varnish: Add cluster_fe_hit and cluster_fe_ratelimit_hits subroutines

https://gerrit.wikimedia.org/r/832268

Here's my jupyter notebook with a rough analysis of a very impactful hotlink incident (on 2022-09-13) and our biggest organic traffic surge to date (Queen Elizabeth's passing on 2022-09-08):

F35546836

Legoktm subscribed.Oct 4 2022, 7:17 PM

[clinic duty] tagging the teams I think are relevant to this task, please change the tags as needed

ayounsi unsubscribed.Oct 11 2022, 6:51 AM

ayounsi subscribed.

KOfori subscribed.Oct 20 2022, 11:58 AM

BCornwall moved this task from Backlog to Scheduled incidental work on the Traffic board.Feb 23 2023, 12:07 AM

Removing SRE, this has been already triaged to 2 different SRE subteams

Removing I/F as all the proposed solutions falls into the Traffic realm.

Volans moved this task from Backlog to E_TOO_BIG_MAYBE_OKR? on the SRE-Sprint-Week-Sustainability-March2023 board.Mar 20 2023, 10:26 AM

BCornwall moved this task from Scheduled incidental work to Backlog on the Traffic board.Mar 30 2023, 8:43 PM

Change 919862 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: Switch cp4052 to HAProxy 2.7 branch

https://gerrit.wikimedia.org/r/919862

Change 919862 merged by Vgutierrez:

[operations/puppet@production] hiera: Switch cp4052 to HAProxy 2.7 branch

https://gerrit.wikimedia.org/r/919862

Change 920207 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] cache::haproxy: Set nbthreads on the first global section

https://gerrit.wikimedia.org/r/920207

Change 920207 merged by Vgutierrez:

[operations/puppet@production] cache::haproxy: Set nbthreads on the first global section

https://gerrit.wikimedia.org/r/920207

Change 920212 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] cache::haproxy: Fix missing socket variable

https://gerrit.wikimedia.org/r/920212

Change 920212 merged by Vgutierrez:

[operations/puppet@production] cache::haproxy: Fix missing socket variable

https://gerrit.wikimedia.org/r/920212

Change 920217 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: Use HAProxy 2.7.x on cp5032

https://gerrit.wikimedia.org/r/920217

Change 920217 merged by Vgutierrez:

[operations/puppet@production] hiera: Use HAProxy 2.7.x on cp5032

https://gerrit.wikimedia.org/r/920217

Mentioned in SAL (#wikimedia-operations) [2023-05-16T10:33:45Z] <vgutierrez> testing HAProxy 2.7.8 in cp4052 and cp5032 (upload) - T317799

Fabfur subscribed.Jun 8 2023, 10:58 AM

Mentioned in SAL (#wikimedia-operations) [2023-06-08T11:40:35Z] <vgutierrez> depooling cp4052 for some HAProxy tests - T317799

Mentioned in SAL (#wikimedia-operations) [2023-06-08T11:51:03Z] <vgutierrez> repooling cp4052 - T317799

Mentioned in SAL (#wikimedia-operations) [2023-06-08T12:03:43Z] <vgutierrez> restore cp4052 HAProxy configuration - T317799

Change 928541 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] haproxy: Add support for filter bwlim-(in|out)

https://gerrit.wikimedia.org/r/928541

Change 928548 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: Test HAProxy bw limits per URL on cp4052

https://gerrit.wikimedia.org/r/928548

Change 961333 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: Move HAProxy 2.7 experiments to cp4051

https://gerrit.wikimedia.org/r/961333

Change 961333 merged by Vgutierrez:

[operations/puppet@production] hiera: Move HAProxy 2.7 experiments to cp4051

https://gerrit.wikimedia.org/r/961333

Mentioned in SAL (#wikimedia-operations) [2023-09-27T08:21:25Z] <vgutierrez> update HAProxy to version 2.7.10 in cp4051 - T317799

Change 928541 merged by Vgutierrez:

[operations/puppet@production] haproxy: Add support for filter bwlim-(in|out)

https://gerrit.wikimedia.org/r/928541

Change 928548 merged by Vgutierrez:

[operations/puppet@production] hiera: Test HAProxy bw limits per URL on cp4051

https://gerrit.wikimedia.org/r/928548

Change 961373 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] haproxy: Fix filter bwlim syntax

https://gerrit.wikimedia.org/r/961373

Change 961373 merged by Vgutierrez:

[operations/puppet@production] haproxy: Fix filter bwlim syntax

https://gerrit.wikimedia.org/r/961373

Change 961800 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] hiera: Test HAProxy bw limits per URL on cp5030

https://gerrit.wikimedia.org/r/961800

Mentioned in SAL (#wikimedia-operations) [2023-09-28T14:02:15Z] <cdanis> depooling cp5030 for haproxy upgrade & testing T317799

Change 961800 merged by CDanis:

[operations/puppet@production] hiera: Test HAProxy bw limits per URL on cp5030

https://gerrit.wikimedia.org/r/961800

Mentioned in SAL (#wikimedia-operations) [2023-09-28T14:08:48Z] <cdanis> repooling cp5030 after haproxy upgrade & config deploy T317799

Change 971253 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: Disable haproxy limit-by-path experiments on cp4041 and cp5030

https://gerrit.wikimedia.org/r/971253

Change 971253 merged by Vgutierrez:

[operations/puppet@production] hiera: Disable haproxy limit-by-path experiments on cp4041 and cp5030

https://gerrit.wikimedia.org/r/971253

Change 768723 abandoned by Jbond:

[operations/puppet@production] C:varnish: Rate limit hotlinking dry-run

Reason:

thi is been handled by requestctl (or will be)

https://gerrit.wikimedia.org/r/768723

Change 832621 abandoned by Jbond:

[operations/puppet@production] C:varnish: Rate limit hotlinking

Reason:

thi is been handled by requestctl (or will be)

https://gerrit.wikimedia.org/r/832621

Maintenance_bot removed a project: Patch-For-Review.Nov 29 2023, 12:10 PM

CDanis mentioned this in T358455: Primary outbound port utilisation over 80% alert muted.Feb 26 2024, 3:45 PM

MatthewVernon subscribed.Mar 1 2024, 2:38 PM

fgiunchedi subscribed.Mar 10 2024, 9:54 AM

MoritzMuehlenhoff subscribed.Apr 8 2024, 8:20 AM

Change #1052064 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] haproxy,hiera: Test bwlimit per url on cp4051

https://gerrit.wikimedia.org/r/1052064

gerritbot added a project: Patch-For-Review.Jul 4 2024, 9:55 AM

Change #1052064 merged by Vgutierrez:

[operations/puppet@production] haproxy,hiera: Test bwlimit per url on cp4051

https://gerrit.wikimedia.org/r/1052064

Mentioned in SAL (#wikimedia-operations) [2024-07-08T12:48:26Z] <vgutierrez> test bwlimit per url on cp4051 - T317799

Change #1052736 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: Fix cp4051 bwlimit configuration

https://gerrit.wikimedia.org/r/1052736

Change #1052736 merged by Vgutierrez:

[operations/puppet@production] hiera: Fix cp4051 bwlimit configuration

https://gerrit.wikimedia.org/r/1052736

Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 8:40 PM

Change #1053652 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: Extend bwlim experiment to cp5030

https://gerrit.wikimedia.org/r/1053652

gerritbot added a project: Patch-For-Review.Jul 11 2024, 12:19 PM

Change #1053652 merged by Vgutierrez:

[operations/puppet@production] hiera: Extend bwlim experiment to cp5030

https://gerrit.wikimedia.org/r/1053652

Maintenance_bot removed a project: Patch-For-Review.Jul 11 2024, 2:31 PM

Change #1055252 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: Extend bwlim experiment to upload@ulsfo|eqsin

https://gerrit.wikimedia.org/r/1055252

gerritbot added a project: Patch-For-Review.Jul 18 2024, 3:27 PM

Change #1055252 merged by Vgutierrez:

[operations/puppet@production] hiera: Extend bwlim experiment to upload@ulsfo|eqsin

https://gerrit.wikimedia.org/r/1055252

Maintenance_bot removed a project: Patch-For-Review.Jul 22 2024, 12:30 PM

cmooney subscribed.Aug 1 2024, 12:20 AM

Change #1059837 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] hiera: exclude wikimedia_trust from url bwlim

https://gerrit.wikimedia.org/r/1059837

gerritbot added a project: Patch-For-Review.Aug 5 2024, 9:05 AM

Change #1059837 merged by Vgutierrez:

[operations/puppet@production] hiera: exclude wikimedia_trust from url bwlim

https://gerrit.wikimedia.org/r/1059837

Maintenance_bot removed a project: Patch-For-Review.Aug 5 2024, 4:30 PM

Scott_French subscribed.Aug 23 2024, 4:31 AM

@Jelto and @fgiunchedi handled a repeat Jio set-top box hotlink issue between 0600-0730 UTC today. The new requestctl support for cache hits in Varnish (T317794) was successfully exercised by Jelto to stop answering the requests, which is awesome.

Looking at the dashboards afterwards, I think we did not trigger haproxy's per-URL bwlim rule in eqsin. Graphs in both gigabit/second and megabyte/second:

The bwlim threshold is set at 300 megabyte/second (the 300m here). This amounts to about 2.5Gbps... then *8 for each cp-upload haproxy and you get 20Gbps.

I think we should probably reduce haproxy's limit to ... let's say 62.5m. That comes out to half of a gigabit/second/instance, which means we can only fill up to 4Gbit/s of egress with requests for a single image file. Scraping events aside, we usually have 4G headroom on any given peering link most of the time.

I think that threshold would have prevented any user impact here.

I also think the lowered threshold is quite safe for user impact; even in large organic traffic events, we saw at most ~50rps of fetches per cp node for their set of thumbs, which are much smaller in bytes.

On the other hand we do need to figure out a monitoring plan for this -- it should not be the case that we're often bwlim'ing files, and we should get at least a ticket if that's true. This may get easier once we move x-analytics output into haproxy.

Change #1065240 had a related patch set uploaded (by CDanis; author: CDanis):

[operations/puppet@production] haproxy limit-by-path: reduce bwlim

https://gerrit.wikimedia.org/r/1065240

gerritbot added a project: Patch-For-Review.Aug 23 2024, 3:28 PM

11:47:53	<vgutierrez>	hmmm if those are megabytes my intention was to set it to 300 / 8 = 37.5
11:48:00	<cdanis>	ahahaha
11:48:03	<cdanis>	that ALSO sounds good to me
11:48:25	<vgutierrez>	traffic shaping in the cp servers doesn't allow a single stream to go over 300mbps IIRC