CERN Accelerating science

News, announcements and future developments of CDS services at CERN

Author: Nicola Tarocco

A Post-Mortem analysis on the recent DDoS attack

In past days, the CDS website experienced an unprecedented Distributed Denial of Service (DDoS) attack. A DDoS is a malicious attempt to disrupt the normal traffic of a targeted server by overwhelming the target with a flood of Internet traffic. You can find here more information.

What happened

On Monday, April 22, 2024, at approximately 11:30 AM, our monitoring systems detected a significant increase in traffic to the website. Analysis of the incoming HTTP requests revealed a Distributed Denial of Service (DDoS) attack. As a result, the CDS website became inaccessible to most users.

As an initial response, we promptly reached out to the CERN Computer Security Team for assistance. Furthermore, we posted an announcement regarding the incident on the CERN Service Portal Status Board, referencing number OTG0149709. Additionally, we communicated the incident via our official Mattermost channel, accessible to CERN users, and we added an informational banner to the website for those who were able to access it.

First actions

We have quickly realized that mitigating the attack would take longer than anticipated. At 12:30 PM, we made the decision to restrict access to the website solely from within the CERN network. This measure ensured that CERN users could still access the website while allowing us to concentrate on implementing countermeasures.

Around 3:30 PM, it appeared that the attack rate had decreased. In collaboration with CERN Computer Security Team, we made the decision to reopen access to the website from outside the CERN network. However, less than an hour later, the attack resumed, with an even higher volume of traffic. We decided to close access again.

Resolution

Due to the overwhelming majority of incoming requests originating from a specific geographical location, we made the difficult decision to block access to the website from that entire area. Simultaneously, we reinstated access from outside the CERN network. This countermeasure was implemented on Tuesday, April 23, 2024, at approximately 3:30 PM. As an additional security measure, we completely disabled IPv6 connections. All operations have been performed by CERN Computer Security Team in collaboration with us and the Network team.

The restrictions on users accessing CDS from certain locations will remain in place until we confirm that the attack has ceased. We are continuously monitoring incoming traffic in order to lift these restrictions as soon as possible.

The reasons and specifics behind this attack targeting CDS remain unclear. We have provided all available logs and information to the CERN Computer Security Team, who will conduct the necessary investigations and take appropriate actions.

Next steps

As it is the first time that we experience such a large-scale and distributed attack, it’s evident that we were unprepared. However, this experience has provided valuable insights and lessons for both our team, the CERN Computer Security and Network teams. We’re actively leveraging these takeaways to enhance our infrastructure and ensure readiness for any future occurrences.

While the CERN Computer Security and Network teams are currently analyzing logs and enhancing detection and mitigation tools to accelerate response times, our immediate focus will be on improving our alarming systems. Additionally, we are prioritizing enhancements to our DDoS protection mechanisms. Furthermore, efforts are underway to establish a reliable internal infrastructure as a contingency in the event of external compromise, ensuring continued access to the website for CERN users.

More technical details

During the initial stages of the DDoS attack, we observed a traffic volume of roughly 5,000 requests per minute. However, the incoming traffic within the CERN network was constantly increasing (we observed the number of 20,000 requests per minute, and growing UPDATE: we observed the number of 3.5M requests per hour).

While these figures may not seem excessively high, the CDS infrastructure is not designed to handle such volumes, as we aim to avoid over-sizing the infrastructure when unnecessary. By comparison, traffic on CDS typically reaches around 500 requests per minute, with peaks of 1,000 requests per minute.

Despite implementing counter-measures such as blocking numerous IPs or scaling up our infrastructure to accommodate more traffic, the number of requests continued to escalate during the attack. It appeared that the attacker was capable of increasing the size of the attack.

A sophisticated attack

Implementing counter-measures for attacks of this scale is challenging. The attack vector exhibited a high level of sophistication.

Here is an example of a single HTTP request (with the IP address masked):

<masked ip> - - [23/Apr/2024:12:59:59 +0200] "POST /6270607l7c07z7ldmt031x/6270607l7c07z7ldmt031x-6270607l7c07z7ldmt031x/ HTTP/1.1" 404 "-" "Mozilla/5.0 (Linux; U; Android 12; V2027 Build/SP1A.210812.003; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/123.0.6312.118 Mobile Safari/537.36 OPR/77.0.2254.69831" 0 1246 16756

As you can observe, identifying a consistent pattern to safely and effectively distinguish between legitimate and malicious traffic is challenging due to the following reasons:

  • The URL path and HTTP verb appeared to be entirely random, with most requests resulting in a 404 error.
  • The User-Agent was generated randomly.
  • We detected over 46,000 different IPs originating from various locations.
  • Each IP was responsible for a relatively low number of requests.

It was also unexpected to discover that attempting to block a large number of IPs could put pressure on many software components in the infrastructure.

Conclusion

Access to the website was restored within a few hours, successfully stopping the attack. However, this DDoS attack is still ongoing, and access to CDS from certain locations will remain blocked until it stops.

It is now even clearer to us that defending against such attacks requires a high level of expertise and investment in robust infrastructure and tools.

As service providers, we are grateful for the expertise and competence of the specialized teams at CERN. Their dedication ensures that we can effectively address challenges and maintain the reliability of our services.

The new Zenodo is live!

In the entire 2023, until October, our team worked in closed collaboration with the Zenodo team to launch the new version, now based on InvenioRDM, the turn-key research data management repository platform.

You can read more about this very important milestone in the official blog post and the OpenAire blog.

The future CDS

This is also a fundamental step for the future version of CDS, which is also based on InvenioRDM. Thanks to this new Zenodo launch, InvenioRDM is now a battle-tested platform, and it will receive constant improvements to make sure that it fulfils the needs of researchers worldwide.

We have learned a ton preparing the new version of Zenodo, not only developing features, but also preparing the infrastructure. With all these lessons-learned, the new CDS will be a more reliable and performant platform.

Next steps

We will work until the end of this year 2023 to analyze the features available today in CDS, and identify the ones that are essential to migrate to the new version.

We are working on a detailed migration plan, and we will get in contact with the main communities to better understand their needs and ensure a smooth transition from the current CDS to the new one, in 2024.

We are very excited, and we are looking forward to seeing the new CDS being used at CERN!

Updates on the new CDS

Summer has already started 😎 and, in the previous months, we have worked hard to integrate the latest development in the new CDS platform.

The result looks beautiful!

The new CDS platform is the brand-new version of the current CERN institutional repository, a modern and easy-to-use website where CERN users can archive and share their research, multimedia content or departmental documents.

You can now preview and try out the latest features in our test instance https://sandbox-cds-rdm.web.cern.ch (reachable from inside CERN campus). Just to mention a few, we have integrated users and groups CERN databases; newly uploaded publications will now have a DOI out-of-the box, ready to be shared and cited; files are securely stored in EOS file system. And there is much more.

The “Browse” section contains links to collections and categories to the former CDS platform: we will slowly migrate data to this brand-new CDS.

The footer of the new CDS website contains useful links to make sure that you will find the information that you need.

The production instance https://new-cds.cern.ch will be soon start to be used by some selected communities at CERN, and we will gather feedback to continuously improve it and make it as easy as possible to use.

After summer, more features will be coming 🚀: we will make it very easy to restrict and share documents with other users, and we will work on the administration panel to fully manage records and users in the system.

This version is just the base for the future CDS. More features will be needed to support all current use cases. To that end, we will be contacting and working together all main users so that we can define together the plan for completion of this future Institutional Repository.

If you wish to, open the new CDS website, login, try it out and share feedback with us!

The new CDS, based on InvenioRDM

With the LTS release (v9) and the latest release (v10), InvenioRDM has reached the maturity needed for production-ready digital repository websites. InvenioRDM is a generic data management repository, developed by our team in collaboration with many partners all over the world. Free to use and open-source.

The InvenioRDM demo website.

As already done by several partners (e.g. Caltech University, TU Graz University, TU Wien University), our team worked hard to create a preview version of the future CDS, available at https://sandbox-cds-rdm.web.cern.ch.

The new CDS website, based on InvenioRDM.

As first milestone, we have created and deployed the new instance of CDS and also migrated a selected set of records, metadata-only. This initial setup will allow us to iterate with the process of data migration, expanding incrementally the number of records and improving the data quality.

In the first quarter of this year, we will continue working on the InvenioRDM product, adding more features and integrating them in the new CDS website.

We will also start an analysis of the feature-set available in the current CDS, but still missing in the new platform: thanks to this, we will be able to come up with a plan for the next steps.

We are very excited to finally see the new CDS taking shape! Stay tuned for future announcements!

Progress before summer holidays

These first 6 months of the year 2022 have been quite busy. The CDS team focused on the development of InvenioRDM, the future research data management digital repository platform that will be the core of the future CDS version.

At the same time, production services need to be taken care of. While performing maintenance operations, we also worked on bug fixes and some technical features.

Future CDS platform – cds.cern.ch

With a small break of the development activities, we took half a day to discuss and define how we will kick off the new CDS platform: we came up with what we think will be a good strategy, and we hope to have the first dev/test instance by the end of the year, including a small subset of data migrated from the current CDS to the new one.

Even if it will be a long journey, we are very excited to get started!

InvenioRDM v9 and 9.1

The team contributed to the development of the latest 2 releases: InvenioRDM v9.0 and v9.1. These new releases enable curators to create their own communities of documents, to better self-organize content and make it easier for users to submit and find content. Each community is clearly identified, thanks to the new header with the name and the logo.

The way new documents are added to a community is managed via requests: when submitting a new document to a community, a new request is created where the submitted and the community’s curator can have a conversation with commenting. The request can be approved or rejected.

CDS Videos just got faster – videos.cern.ch

We have implemented a new feature in CDS Videos: the post-processing of uploaded videos got 2x faster! This is particularly visible when large video files are uploaded: the first two tasks, the extraction of the metadata, embedded in the video file, and the extraction of the video’s thumbnails now take half of the time.

Maintenance…

Databases for all the services have been upgraded to the latest versions, to ensure safety and security. The transcoding software, used in CDS Videos, have also been upgraded by our colleagues from the Webcast team, so that we can take advantage of the latest fixes and features.

On the 5th of July 2022, CDS suffered some slowness due to a very high amount of traffic, requesting some photos embedded in the CERN Home website. While being slower than normal conditions, the CDS website managed to serve more than a million requests, with a pick of 800 requests/second (thanks to connection queues).

While we are happy to see that our platform was up and running in such unusual conditions, we have identified some improvements, and we are working to change our infrastructure to be more performant when serving files.

What’s next

During summer, many absences are foreseen. The team will continue working on InvenioRDM v10: its features are critical to the future version of CDS. We are also planning to upgrade the web lectures player for an improved user experience when watching recorded talks, seminar or events.

Happy summer vacations! 🏖 ⛰ 🏜

Plans for the last months of 2021

What’s happening on CDS until the end of the year?

Currently (summer 2021), the team is working on consolidating the recently released CERN Library Catalogue platform with bug fixes and some new features, such as bulk extensions for loans, improving e-mails and ad-hoc features for the daily operation of the CERN Library.

The CDS Videos platform is very much used at CERN during the past and current extended teleworking period due to the COVID-19 pandemic. It requires improvements and fixes. The team will be busy improving the upload experience of new videos to be much more smooth and fixing bugs.

At the same time, we will start a new analysis phase to identify the best approach to migrate the current CDS website to a new modern, user-friendly web platform based on InvenioRDM in collaboration with the CERN experiments. We will share more information on how the future platform will look like, stay tuned!

CERN Library Catalogue website screenshot

The new CERN Library Catalogue is live!

The CDS team has worked very hard to build the new Library Catalogue website and it is now live (released on April 2021). The website has been built in close collaboration with the CERN Library team but also with RERO, a competence and service centre for libraries in Switzerland.

The website contains all books, e-books, journals and standards available at CERN and allows CERN users to loan physical copies or access digital versions of such literature. The content that was previously available in CDS has been migrated to the new platform.

The new CERN Library Catalogue website is an Integrated Library System (ILS) software: while building the solution for CERN, the CDS team has created a reusable, open source, generic platform InvenioILS that can be used by other organization in the world, based on the open source digital repositories framework Invenio.

Powered by WordPress & Theme by Anders Norén