On Fri, Nov 02, 2018 at 09:15:12AM +0000, Peter Palfrader wrote:
> On Thu, 01 Nov 2018, Noah Meyerhans wrote:
>
> > It was pointed out on IRC that this is intentional, per
> > https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/manifests/snapshot_web.pp
> >
> > IMO blocking random (and large) chunks of EC2 is not a good idea, as the
> > collateral impact is potentially huge. I'd like to suggest a more
> > targeted way of throttling individual clients that doesn't have such
> > broad impact. The iptables connlimit module comes to mind, but there are
> > undoubtedly other options.
>
> It's not random. Still, I agree that blocking large chunks is not
> ideal.
>
> We would welcome you working with us on finding actual rate limiting
> configurations that work. So far, many have suggested but nobody has
> actually delivered anything.

I have tentatively removed the block on AWS in
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/commit/6510538f5a1a525e62e85be0d887c1f1b3e0e3fd

We'll see how that goes.

Cheers,
Julien