CloudFlare WAF causing issues with git operations
Summary
CloudFlare WAF causing issues with git operations
Timeline
All times UTC.
2020-05-20
- 17:25 Cloudflare WAF was enabled in #2147 (closed)
- 17:34 Some user communicated that that git operations were returning
403
- ~17:39 Cloudflare WAF was disabled manually
- 17:57 - cindy declares incident in Slack using
/incident declare
command.
Click to expand or collapse the Incident Review section.
Incident Review
Summary
- Service(s) affected: git
- Team attribution:
- Minutes downtime or degradation: 14 minutes
Metrics
Customer Impact
- Who was impacted by this incident? (i.e. external customers, internal customers) internal customers
- What was the customer experience during the incident? Prevented from git operations
- How many customers were affected?
- If a precise customer impact number is unknown, what is the estimated potential impact?
Incident Response Analysis
- How was the event detected? A developer posted on #production that a job was having issues cloning a repo.
- How could detection time be improved? We could have an alert for an increase in WAF blocks. RPS for the git service also dropped significantly. We might be able to alert based on the sudden increase in blocks or decrease in RPS.
- How did we reach the point where we knew how to mitigate the impact? It was in the production issue.
- How could time to mitigation be improved? With a sooner detection time, we would have been able to switch off WAF.
Post Incident Analysis
- How was the root cause diagnosed? We were able to see a spike in WAF blocks and the the "Cloudflare Specials" managed ruleset were not in "simulate" mode.
- How could time to diagnosis be improved? Not sure.
- Do we have an existing backlog item that would've prevented or greatly reduced the impact of this incident?
- Was this incident triggered by a change (deployment of code or change to infrastructure. If yes, have you linked the issue which represents the change?)? Change of configuration (#2147 (closed))
5 Whys
Lessons Learned
Corrective Actions
- Alert for sharp increase of WAF blocks
- Alert for sharp decrease in RPS for services
Guidelines
Edited by Cindy Pallares 🦉