<div dir="ltr">Hi Clark,<div><br></div><div>We have in our infra 2 CI masters. 1 of them has 1 account configured and the other 3. This day (March 13) we were doing a test in a second server and we cloned the server to test the new scripts, so we ended up with 7 zuul threads connecting for requests and posting updates. This test was done only that afternoon and I believe that was what flagged your radar.</div><div><br></div><div>We have checked the traffic generated[1] (now we have only the 4 accounts activated) and it seems normal. This is the tcpdump from our gateway with last octet 193. In that log, the <span style="color:rgb(0,0,0);font-family:"bitstream vera sans mono",monospace;font-size:13px">172.24.45.118</span> server has 4 accounts and the 124 only one. That seems to be a normal flow right? <br></div><div><br></div><div><br></div><div>[1] <a href="http://paste.openstack.org/show/603133/">http://paste.openstack.org/show/603133/</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 14, 2017 at 7:03 PM, Clark Boylan <span dir="ltr"><<a href="mailto:cboylan@sapwetik.org" target="_blank">cboylan@sapwetik.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Mar 14, 2017, at 02:25 PM, Clark Boylan wrote:<br>
> On Tue, Mar 14, 2017, at 02:12 PM, Clark Boylan wrote:<br>
> > This account was found to be creating thousands of connections to Gerrit<br>
> > effectively DoSing it. As a result the account was disabled.<br>
> ><br>
> > For anyone looking to reenable the account in the future, the account<br>
> > number is 17623. The operators of this CI account will want to determine<br>
> > why this was happening and correct it before we reenable the account<br>
> > though.<br>
><br>
> I now have more infos. It appears there are at least two more CI<br>
> accounts coming from this IP address (last octet is 193). I have thus<br>
> disabled Hitachi HBSD2 CI (16660) and Hitachi Manila HSP CI (22236) as<br>
> well. We will need to sort out what is causing all of these connections<br>
> to sit on Gerrit and correct that. Please let us know if you need more<br>
> help debugging (though info on our end is fairly sparse, just shows<br>
> these accounts associated with the IP, but not which specific account is<br>
> creating all of the connections).<br>
><br>
<br>
</span>And now for another update. Disabling these three accounts didn't affect<br>
the new connections coming in from that IP address. So instead we have<br>
blocked the IP at the firewall and I have reenabled the CI accounts.<br>
This means the CI accounts won't work until the connection issue is<br>
sorted out, but once thats done and the firewall rule is removed we<br>
should be good to go again. Perhaps you can help track down who is<br>
coming from your IP address and leaving thousands of stale connections<br>
open?<br>
<br>
Thank you,<br>
<div class="HOEnZb"><div class="h5">Clark<br>
<br>
______________________________<wbr>_________________<br>
Third-party-announce mailing list<br>
<a href="mailto:Third-party-announce@lists.openstack.org">Third-party-announce@lists.<wbr>openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/third-party-announce" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>third-party-announce</a><br>
Please attend the third party meetings: <a href="http://eavesdrop.openstack.org/#Third_Party_Meeting" rel="noreferrer" target="_blank">http://eavesdrop.openstack.<wbr>org/#Third_Party_Meeting</a><br>
</div></div></blockquote></div><br></div>