Block LoadImpact from DDOS'ing tile.openstreetmap.org #288

Open
Firefishy opened this Issue Mar 12, 2019 · 2 comments

Firefishy commented Mar 12, 2019

Yesterday (11/March/2019) one of our caches was effectively Denial of Service attacked by LoadImpact.com when a 3rd party used LoadImpact's service against tile.openstreetmap.org.

User-Agent: "LoadImpactRload/3.2.0 (Load Impact; http://loadimpact.com);"

However starting at 11:07:50, two hosts were responsible for a rather abnormal number of flows:
* 52.56.94.104 - 37,121 flows in 125 seconds starting 11:07:50, 101,294 flows in 213 seconds starting 11:09:50.
* 18.130.125.174 - 24,325 flows in 125 seconds starting 11:07:50, 87,360 flows in 276 seconds starting 11:08:47

LoadImpact does not honour the robots.txt exclusion already on the site: https://tile.openstreetmap.org/robots.txt

tomhughes commented Mar 12, 2019

Go for it - they're in breach of the policy anyway as they are effectively acting as a library but not identifying the real end user.

Firefishy commented Mar 23, 2019

For clarity for others reading this ticket: The most likely scenario is a customer of Load Impact used Load Impact's Browser session recorder, and the site being recorded was using map tiles from tile.openstreetmap.org. The recorded session was then re-played using the Load Impact service with 1000s of users, causing a massive traffic spike.
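An added example, not part of the issue thread or the project's own tooling: a small detector that finds this pattern in a cache access log by tracking each source's peak request count in a 125-second window and matching the reported User-Agent prefix. The combined log format, the threshold of 1000, the tile path and the documentation-range IP addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed combined-log layout: ip - - [time] "request" status size "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
BLOCKED_UA = re.compile(r"^LoadImpactRload/")  # User-Agent prefix reported in the issue

def parse(line):
    """Return (ip, epoch_seconds, user_agent), or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp(), ua

def analyse(lines, window=125, threshold=1000):
    """Per source IP: peak requests in any `window` seconds, UA match, flag.
    Lines must be in time order. `threshold` is an assumed tuning value."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    report = {}
    for rec in filter(None, map(parse, lines)):
        ip, t, ua = rec
        q = recent[ip]
        q.append(t)
        while q[0] <= t - window:  # evict requests older than the window
            q.popleft()
        r = report.setdefault(ip, {"peak": 0, "blocked_ua": False})
        r["peak"] = max(r["peak"], len(q))
        r["blocked_ua"] |= bool(BLOCKED_UA.match(ua))
    for r in report.values():
        r["flag"] = r["blocked_ua"] or r["peak"] >= threshold
    return report

def sample_log():
    """Constructed sample: one load-test host at 300 req/s for 5 s, one ordinary client."""
    lt_ua = "LoadImpactRload/3.2.0 (Load Impact; http://loadimpact.com);"
    fmt = ('{ip} - - [11/Mar/2019:11:07:{s:02d} +0000] '
           '"GET /12/2048/1361.png HTTP/1.1" 200 9000 "-" "{ua}"')
    lines = []
    for s in range(50, 55):
        lines += [fmt.format(ip="192.0.2.10", s=s, ua=lt_ua)] * 300
        lines.append(fmt.format(ip="198.51.100.7", s=s, ua="Mozilla/5.0 (constructed)"))
    return lines

if __name__ == "__main__":
    for ip, r in analyse(sample_log()).items():
        print(ip, r)
```

Matching on the User-Agent alone catches the client at its first request, while the rate check still flags a source that sends the same volume under a different User-Agent.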
