Bug#912524: snapshot.debian.org is unreachable from (apparently) 18.128.0.0/9

To: Peter Palfrader <weasel@debian.org>, 912524@bugs.debian.org, Jeremy Apthorp <jeremya@chromium.org>
Cc: Noah Meyerhans <noahm@debian.org>, Mike Hommey <mh+reportbug@glandium.org>
Subject: Bug#912524: snapshot.debian.org is unreachable from (apparently) 18.128.0.0/9
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 21 Oct 2019 15:29:28 +0200
Message-id: <[🔎] 20191021132928.GA19207@jcristau-z4>
Reply-to: Julien Cristau <jcristau@debian.org>, 912524@bugs.debian.org
In-reply-to: <20181102091512.wtxmyorlgxjghvmt@sarek.noreply.org>
References: <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org> <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org> <20181102041753.jdcqysoosdiuo5pb@ctrl.internal.morgul.net> <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org> <20181102052518.rhs6yui5z7vibn7n@ctrl.internal.morgul.net> <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org> <20181102091512.wtxmyorlgxjghvmt@sarek.noreply.org> <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org>

On Fri, Nov 02, 2018 at 09:15:12AM +0000, Peter Palfrader wrote:
> On Thu, 01 Nov 2018, Noah Meyerhans wrote:
> 
> > It was pointed out on IRC that this is intentional, per
> > https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/manifests/snapshot_web.pp
> > 
> > IMO blocking random (and large) chunks of EC2 is not a good idea, as the
> > collateral impact is potentially huge.  I'd like to suggest a more
> > targeted way of throttling individual clients that doesn't have such
> > broad impact. The iptables connlimit module comes to mind, but there are
> > undoubtedly other options.
> 
> It's not random.  Still, I agree that blocking large chunks is not
> ideal.
> 
> We would welcome you working with us on finding actual rate limiting
> configurations that work.  So far, many have suggested but nobody has
> actually delivered anything.

I have tentatively removed the block on AWS in
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/commit/6510538f5a1a525e62e85be0d887c1f1b3e0e3fd

We'll see how that goes.

Cheers,
Julien

Reply to:

Prev by Date: Bug#941903: snapshot.debian.org: 404 error for one snapshot.debian.org IP address but not for the other
Next by Date: Bug#941903: snapshot.debian.org: 404 error for one snapshot.debian.org IP address but not for the other
Previous by thread: Processed: forcibly merging 941903 942485
Index(es):
- Date
- Thread