Page MenuHomePhabricator
Create Task
Maniphest T394519

lists.wikimedia.org was unavailable
Closed, ResolvedPublicSecurity
Actions

Description

lists.wikimedia.org was unavailable for a period of time around 14:45 UTC on May 16.

There was an increase in CPU and memory usage starting around 11:30.

CPU:

image.png (264×654 px, 32 KB)

Memory:

image.png (259×653 px, 35 KB)

As a follow up we should check why there was no page / IRC message / Phab task.

Details

Risk Rating
Medium
Author Affiliation
WMF Technology
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
lists: add parameter and code to block abusers using nftablesoperations/puppetproduction+39 -0
nftables: add abuser to lists abuser listoperations/puppetproduction+2 -1
gerrit/nftables_throttling: make abusers more genericoperations/puppetproduction+165 -164
lists: include nftables throttling profileoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects

Event Timeline

LSobanski created this task.May 16 2025, 2:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 16 2025, 2:55 PM
LSobanski updated the task description. (Show Details)May 16 2025, 2:56 PM
LSobanski set Security to Software security bug.May 16 2025, 3:22 PM
LSobanski added projects: Security, Security-Team.
LSobanski changed the visibility from "Public (No Login Required)" to "Custom Policy".
LSobanski changed the subtype of this task from "Task" to "Security Issue".

Looks like a scraper

LSobanski updated the task description. (Show Details)May 16 2025, 3:24 PM
LSobanski added subscribers: ABran-WMF, Arnoldokoth, Dzahn, Jelto.
ABran-WMF added a comment.May 16 2025, 3:31 PM

I've manually dropped the abuser: sudo nft insert rule inet base input ip saddr 93.123.109.83 drop it was a top hitter in the logs, but there might be more.

LSobanski added a comment.May 16 2025, 3:34 PM

This is yet another reason to prioritize T286066: Put lists.wikimedia.org web interface behind LVS and T278495: Figure out plan for mailman IP situation

LSobanski added a comment.May 16 2025, 7:17 PM

Puppet was disabled on lists1004 to prevent rolling back the nftables change.

LSobanski assigned this task to Dzahn.May 19 2025, 3:26 PM
sbassett changed the task status from Open to In Progress.May 19 2025, 4:25 PM
sbassett triaged this task as Medium priority.
sbassett edited projects, added SecTeam-Processed, Vuln-DoS; removed Security-Team.
sbassett changed Author Affiliation from N/A to WMF Technology.
sbassett changed Risk Rating from N/A to Medium.
LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.May 20 2025, 7:30 AM
Dzahn added a comment.May 21 2025, 11:35 PM

I created and then merged https://gerrit.wikimedia.org/r/c/operations/puppet/+/1148432

This added generic throttling (not based on allow/deny lists) on lists servers.

The default values apply, so port is 443 and 32 parallel connections are allowed or they get banned for 300 seconds.

This is now active on lists2001 (fail-over machine) but not yet on lists1004 (active machine) because puppet is disabled there still with @ABran-WMF 's message.

If there are no concerns we can enable puppet again and it will also be applied on lists1004.

Regarding additional throttling with actual lists of bad IPs/networks.. there are 2 more changes pending / to be discussed:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1148826 by Arnaudb which makes throttling more generic and https://gerrit.wikimedia.org/r/c/operations/puppet/+/1148433/1 by myself which copied code over from Gerrit without making it generic.

Jelto added a comment.May 22 2025, 7:57 AM
In T394519#10846230, @Dzahn wrote:

I created and then merged https://gerrit.wikimedia.org/r/c/operations/puppet/+/1148432

This added generic throttling (not based on allow/deny lists) on lists servers.

The default values apply, so port is 443 and 32 parallel connections are allowed or they get banned for 300 seconds.

Thanks for enabling throttling on the lists machine! The default policy is accept, so no throttling is taking place:

ip saddr @DENYLIST accept
ip6 saddr @DENYLIST_V6 accept

If there are no concerns we can enable puppet again and it will also be applied on lists1004.

Regarding additional throttling with actual lists of bad IPs/networks.. there are 2 more changes pending / to be discussed:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1148826 by Arnaudb which makes throttling more generic and https://gerrit.wikimedia.org/r/c/operations/puppet/+/1148433/1 by myself which copied code over from Gerrit without making it generic.

We will enable generic throttling and add the single IP to the abusers list for lists host. Arnaud is preparing a patch for that.

ABran-WMF added a comment.May 22 2025, 8:10 AM

puppet has been reenabled, the patch has been applied on lists1004, everything seems to be running OK

ABran-WMF closed this task as Resolved.May 22 2025, 8:36 AM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".May 27 2025, 3:37 PM
gerritbot added a comment.May 28 2025, 10:55 PM

Change #1148433 abandoned by Dzahn:

[operations/puppet@production] lists: add parameter and code to block abusers using nftables

Reason:

another solution that uses the same list of abusers for multiple services by Arnaudb has been implemented.

https://gerrit.wikimedia.org/r/1148433

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits