2018-07-11: Anonymised API usage denial-of-service attack
This issue is intended to be public. Please do not expose any private information in this issue. Use https://gitlab.com/gitlab-com/infrastructure/issues/4550 when discussing confidential details.
Since 21:00 UTC on 2018-07-09, thousands of hosts across several countries have been issuing queries to a large number of GitLab API paths on a certain endpoint. Anonymous usage of this endpoint has increased from about 50 requests per hour before the attack to over 150,000 requests per hour since the attack started.
In order to mitigate the attack, we are enabling authentication on this endpoint while we focus on improving the SQL performance of the endpoint. This will affect less than 0.1% of legitimate requests, which will now require authentication, but will lessen the effect of the attack on GitLab.com.
If you are using the API without authentication, please review the documentation on how to authenticate requests here: https://docs.gitlab.com/ee/api/#authentication
We are working on mitigating this incident, and expect to have the mitigation completed within the next 20 minutes.
