Feature request: Lower server health score if it doesn't ping #54

Closed
opened 2020-09-13 20:02:11 +02:00 by realkinetix · 6 comments
realkinetix commented 2020-09-13 20:02:11 +02:00 (Migrated from github.com)

In reading src/classes/Pollers/Server.php, it appears that if a server doesn't respond to ping, avg_ping and speed_score are set to NULL values, but then it doesn't appear that the NULL is taken into account later on.

I believe a server returning a healthy ping should influence/modify the rest of the http probe speed results, and if a server doesn't ping it should have a health penalty applied.

MrPetovan commented 2020-09-13 23:02:45 +02:00 (Migrated from github.com)

When a server doesn't return any ping, it might be because the ICMP port is closed to outside traffic, which doesn't say much about how healthy it is.

realkinetix commented 2020-09-14 00:41:35 +02:00 (Migrated from github.com)

Well, except that it generally means that too much is filtered, which often brings about other basic network health issues. People went a little crazy a decade (and more) ago with blocking ping as a security practice, but unless it's filtered carefully (which generally means leaving echo-reply on), it winds up being worse than not filtering at all.

A few outside resources on this, and I apologise if you're already familiar with all of this:

http://shouldiblockicmp.com/
https://blog.paessler.com/disabling-icmp-and-snmp-wont-increase-security-but-will-impact-network-monitoring
https://blog.securityevaluators.com/icmp-the-good-the-bad-and-the-ugly-130413e56030?gi=1bb97124826f

There definitely has been a lot to think about with it over the years, so take any of those for what they're worth. From my experience, though, running a server and service online is not really a good place to stop icmp-echo.

Relating strictly to the friendica server directory, it increases the time to evaluate a server (all other metrics being equal), and reduces the number of metrics one could be using to try and produce a useful health score for users, so, just on those points I would be tempted to push for a score modification based on the (lack of) icmp echo response.

MrPetovan commented 2020-09-14 01:12:08 +02:00 (Migrated from github.com)

Ah, thanks for the elaboration, I didn't think about that. I guess we can subtract a few max points if the ping doesn't go through.

realkinetix commented 2020-09-14 01:30:32 +02:00 (Migrated from github.com)

I would suggest doing a $delta -= 5 instead (or maybe even less than 5... whatever you consider one 'notch', I suppose)?

MrPetovan commented 2020-09-14 01:56:01 +02:00 (Migrated from github.com)

There are two different ways of impacting the score: either limiting the maximum score for a structural issue (unstable version, no access to ping) or a delta for a temporary issue (HTML error code for expected accessible endpoints). This delta will be applied every time the server is checked and the temporary condition still occurs, possibly sinking the score into the negative. I don't think the blocked ping should produce this kind of outcome, but it should limit the maximum score a server can get even if everything else checks out.

realkinetix commented 2020-09-14 01:57:35 +02:00 (Migrated from github.com)

Ah, ok, yes, lowering it every check wouldn't be the desired outcome.

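The cap-versus-delta distinction discussed in this thread, modelled as an added example that is not friendica-directory code and was not posted by any participant. The score ceiling, step sizes, starting score and all function names are assumptions chosen for illustration; only the NULL avg_ping convention and the `$delta -= 5` idea come from the thread.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the two penalty styles; every constant and
// function name here is an assumption, not the project's own code.
const MAX_SCORE = 100;       // assumed ceiling for a fully healthy server
const NO_PING_PENALTY = 5;   // the "one notch" value floated in the thread

/** Structural issue: a NULL avg_ping only lowers the ceiling the score can reach. */
function pollWithCap(int $score, int $probeDelta, ?float $avgPing): int
{
    $maxScore = MAX_SCORE;
    if ($avgPing === null) {             // no echo reply was received
        $maxScore -= NO_PING_PENALTY;
    }
    return min($score + $probeDelta, $maxScore);
}

/** Temporary issue: a NULL avg_ping is subtracted from the delta on every poll. */
function pollWithDelta(int $score, int $probeDelta, ?float $avgPing): int
{
    $delta = $probeDelta;
    if ($avgPing === null) {
        $delta -= NO_PING_PENALTY;       // re-applied each time the server is checked
    }
    return min($score + $delta, MAX_SCORE);  // no lower floor is modelled
}

/** Poll a server that never answers ICMP echo, $polls times in a row. */
function simulate(callable $poll, int $start, int $probeDelta, int $polls): int
{
    $score = $start;
    for ($i = 0; $i < $polls; $i++) {
        $score = $poll($score, $probeDelta, null);
    }
    return $score;
}

// Constructed scenario: HTTP probes earn a small gain (+2) per poll,
// ICMP echo is filtered, and the server is polled 40 times from a score of 50.
printf("cap approach:   %d\n", simulate('pollWithCap', 50, 2, 40));
printf("delta approach: %d\n", simulate('pollWithDelta', 50, 2, 40));
```

With the cap, the server settles just below the ceiling and stays there; with the per-poll delta, the same server keeps losing points for as long as echo requests go unanswered.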
Reference: friendica/friendica-directory#54