Defending Savannah from DDoS Attacks
10 months ago
- #Cybersecurity
- #GNU Savannah
- #DDoS
- Savannah has been under a massive DDoS attack since January 2025, with IP blocklist metrics reaching five million by February 2025.
- GNU Savannah is a software development forge operated by the GNU Project and hosted by the FSF, hosting both GNU and non-GNU free software packages.
- Savannah's infrastructure is split across multiple virtual machines for different functionalities, with HTTP/HTTPS hosts for source code reading being the primary target of abuse.
- Analysis of log files revealed that the DDoS attacks involve many different user agents overlapping simultaneously, complicating mitigation efforts.
- Ipset was introduced as a tool to manage large collections of IP addresses, effectively handling over five million unique IPv4 addresses without significant performance degradation.
- Carrier-Grade NAT (CG-NAT) posed a new challenge, leading to the creation of allowlists for confirmed 'real user' behaviors to exempt them from bans.
- The continuous defense against DDoS attacks is resource-intensive but remains a high priority for the Savannah team.
- Companies are urged to use version control tools for cloning repositories instead of scanning them over the web, follow robots.txt rules, and identify their bots properly.
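
The ipset blocklist and the 'real user' allowlist from the points above can be sketched as follows. This is an added example, not Savannah's own tooling: the request threshold, the `/login` path used as the real-user signal, the set names and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (combined log format); addresses are RFC 5737 documentation ranges.
_TS = '- - [01/Feb/2025:10:00:00 +0000]'
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 {_TS} "GET /cgit/a.git/log/ HTTP/1.1" 200 512 "-" "UA-one"',
    f'203.0.113.7 {_TS} "GET /cgit/a.git/tree/ HTTP/1.1" 200 512 "-" "UA-two"',
    f'203.0.113.7 {_TS} "GET /cgit/a.git/diff/ HTTP/1.1" 200 512 "-" "UA-three"',
    f'198.51.100.20 {_TS} "GET /cgit/b.git/log/ HTTP/1.1" 200 512 "-" "UA-one"',
    f'198.51.100.20 {_TS} "GET /cgit/b.git/tree/ HTTP/1.1" 200 512 "-" "UA-four"',
    f'198.51.100.20 {_TS} "GET /cgit/b.git/diff/ HTTP/1.1" 200 512 "-" "UA-five"',
    f'198.51.100.20 {_TS} "POST /login HTTP/1.1" 302 0 "-" "UA-four"',
    f'192.0.2.5 {_TS} "GET /cgit/c.git/ HTTP/1.1" 200 512 "-" "UA-six"',
])
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(log_text, threshold=3, real_user_path="/login"):
    """Return (blocklist, allowlist) keyed on source IP, never on user agent."""
    hits, allow = Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        try:
            ipaddress.IPv4Address(ip)  # only validated IPv4 reaches the ipset script
        except ValueError:
            continue
        hits[ip] += 1
        # Assumed real-user signal: a successful POST to the (hypothetical) login path.
        if method == "POST" and path == real_user_path and status[0] in "23":
            allow.add(ip)
    # A shared (e.g. CG-NAT) address with confirmed real users is exempt from the ban.
    block = {ip for ip, n in hits.items() if n >= threshold} - allow
    return sorted(block), sorted(allow)

def ipset_restore_script(block, allow, maxelem=8_000_000):
    """Render input for `ipset restore`; maxelem is raised above the 65536 default."""
    lines = ["create allowlist hash:ip family inet",
             f"create blocklist hash:ip family inet maxelem {maxelem}"]
    lines += [f"add allowlist {ip}" for ip in allow]
    lines += [f"add blocklist {ip}" for ip in block]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(ipset_restore_script(*classify(SAMPLE_LOG)), end="")
```

The output is meant to be piped to `ipset restore -exist`, with the firewall rule that accepts `allowlist` matches placed ahead of the rule that drops `blocklist` matches.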