Re: [Sks-devel] SKS intermittently stalls with 100% CPU & rate-limiting

[Moritz Wirth]

Hi,

seems like that is the "problem":

https://bitbucket.org/skskeyserver/sks-keyserver/issues/60/denial-of-service-via-large-uid-packets
https://bitbucket.org/skskeyserver/sks-keyserver/issues/57/anyone-can-make-any-pgp-key-unimportable

Best regards,

Moritz

Am 17.06.18 um 02:18 schrieb Pete Stephenson:
> Hi all,
>
> My server, ams.sks.heypete.com, has been suffering from periods where
> the amount of CPU used by the sks process goes to 100% for a few minutes
> at a time. During this time, my Apache reverse proxy produces errors of
> the following type (client IP address obfuscated for their privacy):
>
> [Sun Jun 17 00:00:31.414596 2018] [proxy:error] [pid 4648:tid
> 139657505371904] [client CLIENT_IP:40327] AH00898: Error reading from
> remote server returned by /pks/lookup
>
> This happens across a range of client IP addresses, so it doesn't appear
> to be a single malicious user. Rather, it seems that something is
> causing the sks process to stall and connections to it time out.
>
> After a minute or two, CPU usage drops to the normal value of a few
> percent up to 15%, with queries being promptly answered until the CPU
> usage spikes again and things stall out.
>
> The server is in close sync with its peers, with no particular issues on
> the recon side.
>
> Any ideas what might be causing this? I'm running 1.1.6 on Debian, and
> things have generally been working well for several years. For good
> measure, I recently deleted the key database and recreated it from a
> fresh dump, but that had no effect.
>
> Potentially related: several clients, evidently corporate mail servers
> that query the SKS pool for every email they send or receive, are making
> dozens of queries per second to my server. Is it reasonable to impose
> rate limits on such clients (e.g. no more than X queries in Y seconds)?
> If so, what would reasonable values be for X and Y?
>
> Thank you.
>
> Cheers!
> -Pete
>