Requests from Microsoft IP Addresses

Torbjörn Granlund tg at gmplib.org
Mon Jun 19 11:09:34 CEST 2023


I think we now understand what happened.

It has everything to do with how Github works.

It started when the FFmpeg project changed their GI script to clone GMP
for every one of their checkins.  This is a bad idea, but not a terrible
idea.  (The right way would be to keep a local checkout and pull changes
to it.)

Now, FFmpeg is "forked" in Github, and Github works in a very peculiar
way with such forks; it pulls in changes from the project from which a
fork was created, and runs GI tests on the result.

There seem to be several hundred forks of FFmpeg.  So each FFmpeg
checkin triggered hundreds of clone requests to the GMP server.

The conclusion is that Github performed a DDoS attack on us for each
FFmpeg commit.  Poor design.  Horrible design.

Now FFmpeg changed their scripts again to instead download the tar file
from gnu.org.  That's less stupid, but gnu.org will get hundreds of
pointless downloads for each FFmpeg checkin.  (A plain download costs a
small fraction of a clone, so this is an improvement.  But it could
still be considered to be a DDoS attack; I leave it to the folks at FSF
to deal with this.)

The result of this all is that we lost many hours, and that Microsoft
(who owns Github and provides it with servers) now cannot reach
gmplib.org.  We won't be removing the Microsoft blocks as we don't
expect Github to change the way they are operating.


-- 
Torbjörn
Please encrypt, key id 0xC8601622

