
tdp_org

@tdp_org@mastodon.social

Lead Architect @ BBC. Snowboarder, skateboarder. Oxfordshire, UK. Opinions mine. He/Him.
Interested in #serverless #nodejs #googlecloud #terraform #bigquery #analytics #web #cdn #http #tls #http2 #http3 #security #infosec #privacy #webperformance #webperf etc.


tdp_org, to SEO

We recently noticed a fair bit of traffic on www.bbc.co.uk & www.bbc.com from a User Agent which identifies itself as "ByteSpider" (& has a @bytedance.com email address).

Lots of docs on the web state it doesn't obey robots.txt but ByteDance have told us it does:

> ...in the robots.txt files
> user-agent:Bytespider
> Disallow:/

Thought that might be worth documenting as it might be a recent change & several of us searched but found zero docs from ByteDance

tdp_org, to webdev

Lazy post:
Are there common web clients which do not support TLS SNI but do support TLS1.2+?

tdp_org,

@gsuberland Yep, we definitely see those. The better ones identify themselves via their UA string which is helpful.
I don't really care much if we break scripts/pollers, just don't want to cut real people off.
We've continued to support non-SNI clients for a long time but it's looking like we might be able to stop doing that soon. Definitely makes things simpler and means we don't need to use so much address space etc.🙌🏻

tdp_org,

@northalpha @gsuberland @heiseonline We see lots of that for sure. In fact our domain names are built in to a number of appliances for just that reason.
Feels like there should be a better solution e.g. ISPs offering an endpoint but we are where we are👍

tdp_org,

@gsuberland @northalpha @heiseonline Definitely. Something along those lines would be amazing.
They could limit the burden by e.g. only sorting HEAD requests. It really wouldn't be that bad to do and would be much more reliable than hitting various 3rd parties who may or may not be up and may or may not change their config and break people's tests.

tdp_org, to webdev

Google's indexers/crawlers/bots are ~75% of all indexer/crawler/bot traffic to www.bbc.co.uk & www.bbc.com.

I wonder what it is they do that's so drastically different to everyone else? Why do they need to make so many requests?

tdp_org, to webdev

After a chat with some colleagues earlier, I pulled 7 days of our access logs for www.bbc.co.uk & www.bbc.com because they wanted a list of unique user agents. I've never looked at this before.
We had 9.7 million unique user agents in those 7 days. WTAF?
Granted, only 50k with >= 1k requests but still...

tdp_org,

@miki It's a colossal mix of both but for sure plenty are bots. Aside from the content indexing and scraping, lots of orgs use us to check whether their internet connection is working. I do like the vote of confidence but the global volume of those is a bit painful to deal with sometimes TBH.

tdp_org, to random

I was just thinking, feels like a good idea to have say quarterly team-wide reviews specifically on cost optimisation. Deciding where best to spend the effort to reduce costs.
Does anyone do something like this?
We've got lots of cost optimisation work going on but I'm not aware of anything this regular/specific.

tdp_org, to random

Just bumped the VM spec that hosts the school websites I host.
Feels a bit sad that a GB of RAM is no longer enough for 2 websites which get maybe a couple of hundred page views per day.
Back in the day, we used to host tens of much busier sites on similar spec servers.

tdp_org,

@larsmb 100% agreed. It's the classic "solution sized to environment" eh?
Maybe instead of 2G Tuesdays, we should have 256MB Tuesdays.

GossiTheDog, to random

Apparently RansomedVC couldn’t go 4 minutes without sticking their dick in something again.

tdp_org,

@GossiTheDog 😬 I'm hoping not "proudly"

tdp_org,

@GossiTheDog 🕊️

tdp_org, to random

Hey RadioTimes - What about Scotland & Northern Ireland?

tdp_org,

Urgh, after much searching it turns out that this is actually (confusingly, IMO) correct and it's only on viaplay (whatever TF that is).👎🏻

tdp_org,

@GossiTheDog YASR - Yet Another Subscription Required😭

tdp_org, to random

There seems to be a lot of "0 day" in the reporting of CVE-2023-44487. It's not a 0 day, it's an N day - it's been actively exploited for weeks now.
That's an important distinction because it means there's already working attack code out there (& no doubt the attacker will be making the most of it before everyone patches).

tdp_org, to random

"I can't send email more than 500 miles"
A classic I'd not seen before, a colleague just shared the link.
https://web.mit.edu/jemorris/humor/500-miles

tdp_org, to webdev

If you run a publicly available website/service, keep an eye on https://www.cve.org/CVERecord?id=CVE-2023-44487.

It'll be announced at midday UTC today (10th Oct 2023).

If there isn't an update you can deploy quickly for your affected services immediately (there should be for the better known software, they've had advance notice) then you should consider disabling the affected element until there is.

Can't share more right now but it's important so don't forget (& tell your friends!).

tdp_org,

So for nginx, https://my.f5.com/manage/s/article/K000137106 says that a high value for keepalive_requests makes you more vulnerable so a practical mitigation until the update is available seems to be to set that low. The default is 1000 which feels reasonable for general workloads to me.

tdp_org,

There's an nginx patch in progress which I just spotted on the dev mailing list. Looks like it tracks the number of resets per connection and limits it. Feels like a reasonable mitigation and that matches what I know at least one of the CDNs has done.

tdp_org,

Looks like the nginx patch will be available tomorrow:
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/

Change notes:

> ...a limit of no more than 2 * max_concurrent_streams new streams per one event loop iteration was introduced...

...

> ...refused streams are now limited to maximum of max_concurrent_streams and 100...
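As an added illustration (not nginx's code and not part of the post above), the following models the two limits quoted from the change notes and applies them to a constructed HTTP/2 frame trace of the open-then-cancel pattern; the `max_concurrent_streams` value of 128 is an assumption, and the decision names are illustrative.

```python
from dataclasses import dataclass, field

# Assumed SETTINGS_MAX_CONCURRENT_STREAMS value for the connection.
MAX_CONCURRENT_STREAMS = 128
# The two limits quoted from the nginx change notes, modelled here.
NEW_STREAMS_PER_ITERATION = 2 * MAX_CONCURRENT_STREAMS
REFUSED_STREAM_LIMIT = max(MAX_CONCURRENT_STREAMS, 100)

@dataclass
class Conn:
    open_streams: set = field(default_factory=set)
    new_this_iteration: int = 0   # HEADERS seen since the last event-loop pass
    refused: int = 0              # streams refused for exceeding concurrency
    goaway: bool = False          # server has decided to close the connection

def on_frame(conn: Conn, kind: str, stream_id: int) -> str:
    # Handle one client frame and return the server's decision.
    if kind == "HEADERS":                      # client opens a new stream
        conn.new_this_iteration += 1
        if conn.new_this_iteration > NEW_STREAMS_PER_ITERATION:
            conn.goaway = True                 # too many new streams in one pass
            return "GOAWAY"
        if len(conn.open_streams) >= MAX_CONCURRENT_STREAMS:
            conn.refused += 1                  # would send RST_STREAM(REFUSED_STREAM)
            if conn.refused > REFUSED_STREAM_LIMIT:
                conn.goaway = True
                return "GOAWAY"
            return "REFUSED_STREAM"
        conn.open_streams.add(stream_id)
        return "accepted"
    if kind == "RST_STREAM":                   # client cancels a stream
        conn.open_streams.discard(stream_id)   # frees a concurrency slot at once
        return "cancelled"
    raise ValueError(kind)

def end_iteration(conn: Conn) -> None:
    conn.new_this_iteration = 0                # one event-loop pass has finished

def simulate(frames, frames_per_iteration):
    # Feed frames through, grouping them into event-loop passes of a fixed size.
    conn, decisions = Conn(), []
    for i, (kind, sid) in enumerate(frames, 1):
        decisions.append(on_frame(conn, kind, sid))
        if conn.goaway:
            break
        if i % frames_per_iteration == 0:
            end_iteration(conn)
    return conn, decisions

def rapid_reset_trace(n):
    # Constructed trace: open a stream and cancel it immediately, n times.
    return [f for k in range(n) for f in (("HEADERS", 2 * k + 1), ("RST_STREAM", 2 * k + 1))]
```

Because each cancel frees its concurrency slot immediately, the concurrency limit alone never trips on this trace; only the per-iteration cap on new streams does, which is the point of the change.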

tdp_org,

The CVE info has been released now, a bit after the blog posts but better late than never: https://www.cve.org/CVERecord?id=CVE-2023-44487
Lots of refs to vendor docs on there so if you run http/2 on your publicly available web servers/services, you should check for advice.

tdp_org,

@steveworkman Not sure about MSFT but Akamai have a post but it's behind login: https://community.akamai.com/customers/s/feed/0D54R0000AFHFUl
