This month you may have noticed that the servers used by the GMP project – the open source math library at the heart of GCC and other programs – slowed to a crawl. The cause was a flood of internet traffic, the source of which was quite mysterious.
The packets appeared to be coming from servers connected to Microsoft.
Torbjörn Granlund, GMP secretary general, raised the alarm on the project’s mailing list.
“GMP servers are being attacked by several hundred IP addresses belonging to Microsoft Corporation,” he wrote. “We don’t know if this is done maliciously by Microsoft, if it’s some other mistake, or if [it is one] in their cloud clients… are running the scheme. The attack targets the GMP repo, with many similar requests. The requests are carefully selected to create a heavy load.
“We are removing all Microsoft IP addresses as an emergency response.”
The next day, Mike Blacker, director of threat detection, operations, and response at Microsoft’s GitHub, identified the culprit: a GitHub Actions workflow that powers the Mercurial repo and has been cloned more than 700 times.
“Microsoft and GitHub investigated the issue and determined that a GitHub user modified a script within the FFmpeg-Builds project that outputs content to gmplib.org,” Blacker said.
“This project is designed to perform simultaneous testing on 100 different types of computers/architectures. This project does not seem to be dirty. [GMP] it seems that it has limited resources that cannot fulfill a few, but simultaneous requests.”
GitHub tried to stop the flood of jobs running from the forked repositories. But that safeguard doesn’t always work.
This is not the first time a software company has complained of a DDoS over traffic problems. In February 2022, Drew DeVault, the founder of SourceHut, described the behavior of Google’s Go Module Mirror as a denial-of-service attack. After two years of complaints from DeVault, Google’s Golang team earlier this year agreed to keep its software from harming other people’s computers.
Granlund was not completely satisfied with Blacker’s explanation, or with the implied weakness of the project’s server(s) – which, until a recent upgrade to an AMD Epyc 7402P, ran on a not very strong Intel Xeon E5-1650 v2.
“Our systems are very powerful, they are server class machines with many cores and lots of RAM, and the connection is 1GbE at the highest level,” he replied.
“This is not legitimate use of the internet server. Your response suggests that it is our fault, that we need to have more powerful servers to tolerate this behavior. Really?”
That was Saturday, June 17, and Granlund fired back at Blacker noting that the traffic was continuing and that he was continuing to block Microsoft addresses in response.
On June 18, the author of FFmpeg-Builds published a document warning developers who weaken the environment to update their scripts. It checks where the repo came from and, if it’s not the original one, returns a message to the developer’s terminal:
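A fork guard of the kind described above, written here as an added example (it is not the FFmpeg-Builds author's script). It compares the `GITHUB_REPOSITORY` variable that GitHub Actions sets against the canonical repository name and refuses third-party downloads when running in a fork. The name `example-owner/FFmpeg-Builds` and the function names are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: fork guard for a CI build script (not FFmpeg-Builds' own code).
# UPSTREAM_REPO is a placeholder; set it to the canonical owner/name.
UPSTREAM_REPO="${UPSTREAM_REPO:-example-owner/FFmpeg-Builds}"

# Lower-case a string; GitHub owner/repo names are case-insensitive.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# classify_run prints one of: local, upstream, fork.
# GITHUB_ACTIONS and GITHUB_REPOSITORY are set by the GitHub Actions runner.
classify_run() {
    if [ "${GITHUB_ACTIONS:-}" != "true" ]; then
        echo local      # developer machine: not part of the CI fan-out
        return 0
    fi
    if [ "$(lower "${GITHUB_REPOSITORY:-}")" = "$(lower "$UPSTREAM_REPO")" ]; then
        echo upstream
    else
        echo fork       # also covers an empty GITHUB_REPOSITORY (fail closed)
    fi
}

# guard_external_fetch URL: return 0 if the fetch may proceed, 1 if refused.
# Forks are refused so that hundreds of copies of the same workflow do not
# each pull from the same third-party origin server.
guard_external_fetch() {
    url=$1
    case "$(classify_run)" in
        fork)
            echo "Refusing to fetch $url: running in fork '${GITHUB_REPOSITORY:-unknown}'." >&2
            echo "Point the build at your own mirror or disable this workflow in the fork." >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}
```

A build script would call `guard_external_fetch "$url" || exit 1` before each download from a host the project does not operate.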
As of last week, the traffic was not a problem.
“Our servers are still accessible, but that’s why we added all Microsoft networks to our firewall,” the GMP project explains on its website. “We understand that we are far from the first project to take action against Github.”
The Register asked Granlund if he was satisfied with the Microsoft-GitHub response, and he told us that he had only heard from Blacker once.
“I blocked about 40 IP addresses from accessing our server,” he said.
“A week after this started, there was no traffic from the same IP addresses, maybe 100 Microsoft addresses in total, with about 40. The difference was that these traffic only started a small load, and a log line in the firewall.
“The problem is solved. I don’t care if they can’t access gmplib.org anymore. I find it interesting how Github/Microsoft think about it now. They seem to think they have the right to leave the small pages.”
GitHub did not immediately respond to a request for comment. ®
PS: If you’ve seen Let’s Encrypt’s TLS-cert expiration for an hour this month, there’s technical analysis here by developer and cryptographer Andrew Ayer.