Brane,

Will this affect our mirror selecting CGI script on the download page?

D.

---------- Forwarded message ----------
From: Daniel Gruno <humbed...@apache.org>
Date: Mon, Aug 31, 2015 at 1:31 PM
Subject: Distributed Denial of Service attack on Apache's servers today:
Please be advised of changes enacted
To: infrastructure-priv...@apache.org


Hello PMCs,

Earlier today we discovered that a new type of DDoS had been started
against our servers, wherein the slow mirror selecting script used for
most TLP sites' download pages had been abused, causing our server load
averages to exceed 2000. Naturally, we do not have a 2000 core CPU on
our machines, so things slowed down to a grinding halt and pages became
unresponsive.

To combat this, given the fact that it was (and still is) distributed,
we have put in place a new mirror script that makes use of far more
efficient data gathering and compiling to produce roughly the same
output. This change means that within a day or two, we will be
deprecating the .cgi scripts that we used to have, and replacing them with
our new Lua-driven system (which has proven to be ~500 times faster,
thus mitigating the DDoS).

IF you have a custom .cgi script on your TLP site with an accompanying
.html file of the same name, you most likely do not need to change
anything. Our new system will catch that request and use the old CGI EZT
file to produce the output.

If you refer to www.apache.org/dyn/closer.cgi, please refer to
www.apache.org/dyn/closer.lua instead from now on.

Any non-conforming CGI scripts are no longer enabled, and are all
rewritten to go to our new mirror system.

PLEASE, check your sites, make sure the download section works. If it
does not, and you cannot figure out how to get it working, let us know,
and we will do our best to help you out.

As mentioned, this was an emergency fix and it is a permanent fix. If
your current download page is off, you WILL need to change it, and ASAP.

With regards,
Daniel on behalf of the Apache Infrastructure Team.
