Bugzilla out of service
Myk Melez
myk at mozilla.org
Tue Dec 9 18:52:28 UTC 2003
Pete Collins wrote:
> Christian Robottom Reis wrote:
>
>>> This link was accessed 448 times since 12:00AM last night
>>> continually from the same IP. It looks like an attack or an attempt
>>> to crack the box.
>>
>> We've been having similar trouble over at bmo, so you might want to talk
>> to Myk or Justdave about it.
>
Indeed, we've had at least two DoS attacks since Saturday, the last one
from 66.98.208.4.
>>> We blocked the IP. Any thoughts on how best to deal w/ this kind of
>>> crap?
>>
That's what we've been doing as well. We used to use mod_throttle to
limit connections per minute from any given IP. We should do that again.
> Should I upgrade to 2.17?
2.17 is pretty good and has some very useful features. I would
recommend upgrading to the latest release of it.
> It seems that there should be a page limit for queries that are huge,
> so attacks like this can never happen. Just limit the query to, say, 50
> items per page and then let the user click forward if they want more
> data.
I'm not sure how much of an effect that would have. Output generation
is just one cost of querying. If you limited output, DoSers could still
construct queries with a high query execution cost and use up your
server's resources that way.
> Myk, any quick fixes I can add to Bugzilla to prevent an attacker from
> scripting HTTP GETs like the one I found in my log files below, that
> can be used as a DoS/crack attack?
You could change query.cgi's query form from a GET to a POST and then
block GET requests in buglist.cgi, but this makes Bugzilla less usable
(e.g. users can't bookmark queries or modify them via the URL) and is
thus unpalatable. I suggest a suitably configured mod_throttle as the
best defense.
-myk
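Added illustration of the per-IP throttling Myk recommends above. This is not code from the original thread, from Bugzilla or from mod_throttle; it is a small Python sliding-window limiter (the same "N connections per minute from any given IP" rule mod_throttle would enforce) replayed offline against a constructed Apache combined-format access log, so that a scripted client hammering buglist.cgi is cut off while an ordinary user is not. The client addresses (RFC 5737 documentation ranges), the query paths, the timestamps and the 10-per-60-seconds threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access-log format; referer and user-agent are ignored here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


class PerIpThrottle:
    """Sliding-window limiter: at most `limit` requests per `window_seconds` per client IP.

    Equivalent in spirit to a connections-per-minute rule in mod_throttle, written
    in pure Python so it can be replayed against a log offline."""

    def __init__(self, limit, window_seconds=60):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self._hits = defaultdict(deque)   # ip -> timestamps of recent allowed requests

    def allow(self, ip, ts):
        q = self._hits[ip]
        # Evict timestamps that have fallen out of the window (boundary counts as expired).
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False                  # over budget: reject without recording
        q.append(ts)
        return True


def replay(log_text, limit=10, window_seconds=60):
    """Replay log lines through the throttle; return {ip: {"allowed": n, "blocked": n}}."""
    throttle = PerIpThrottle(limit, window_seconds)
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # junk line: skip rather than crash
        key = "allowed" if throttle.allow(rec["ip"], rec["ts"]) else "blocked"
        summary[rec["ip"]][key] += 1
    return dict(summary)


def make_line(ip, ts, path, method="GET"):
    """Build one constructed combined-format log line (sample data, not a real log)."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.0" '
            f'200 4096 "-" "sample-agent"')


def build_sample_log():
    """Constructed sample: one ordinary user plus one client hammering buglist.cgi."""
    start = datetime.strptime("09/Dec/2003:00:00:00 +0000", TS_FMT)
    lines = []
    # Ordinary user (documentation address): one query every two minutes.
    for i in range(5):
        lines.append(make_line("198.51.100.2", start + timedelta(minutes=2 * i),
                               "/buglist.cgi?product=Bugzilla&bug_status=NEW"))
    # Scripted client (documentation address): the same large query once a second.
    for i in range(30):
        lines.append(make_line("203.0.113.7", start + timedelta(seconds=i),
                               "/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&order=bugs.bug_id"))
    # Sort by time so the replay sees requests in arrival order.
    lines.sort(key=lambda l: parse_line(l)["ts"])
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, counts in replay(build_sample_log()).items():
        print(f"{ip:15} allowed={counts['allowed']:3} blocked={counts['blocked']:3}")
```

With the default 10 requests per 60 seconds the scripted client gets its first ten queries through and the remaining twenty are refused, while the ordinary user is never touched. Note that this addresses request rate only: as the reply above points out, a single expensive query still costs the server its full execution time, so the threshold has to be set with the cost of the worst plausible query in mind, not just the count.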