
Re: klecker mirror checker



> On Fri, Jul 11, 2008 at 09:37:49AM -0400, Ricardo Yanez wrote:
>> > On Wed, Jul 09, 2008 at 07:27:46PM -0400, Ricardo Yanez wrote:
>> >> We were recently forced to password protect
>> >> rsync://ftp.cl.debian.org/debian after two exploits to the pool/ that
>> >> infuriated our sponsor.
>> >
>> > Erh, you had exploits to the pool? Of what kind?
>> >
>>
>> of the most simple kind; an unknown IP downloading the entire pool,
>> clogging a switch managed by the computing department. This happened
>> twice within the last 30 days, different IPs, no reverse lookup. I'm
>> myself not convinced it was a malicious attempt, but the mentioned
>> switch, which serves many other servers, got swamped by the intense
>> traffic. The computing department (over)reacted strongly. We responded
>> by password protecting the rsync port since there were talks about
>> shaping the traffic to the server, which would be unfortunate.
>
> Ah, phew. You should look into traffic shaping instead - see
> http://lartc.org/howto section about the HTB queuing discipline.
>

Oh, thanks, I wasn't aware of this nice howto.

I have shaped the traffic in the past, but the problem of doing it
locally was that the computing department started shaping it as well,
continuously cranking up and down the flow knobs depending on who was
complaining. I guess the ups and downs corresponded to a period when
they were adjusting the balance to keep everybody happy. So, we have
preferred to be on good terms with them, and to ask nicely not to shape
our link too aggressively. But, I will bring this idea up. I really
doubt they will allow us to be entirely in charge of the shaping,
though. Nevertheless, it doesn't hurt to ask.

Thanks,
Ricardo

