undefined | Better HN

0 pointstime0ut7mo ago0 comments

Interesting day. I've been on an incident bridge since 3AM. Our systems have mostly recovered now with a few back office stragglers fighting for compute.

The biggest miss on our side is that, although we designed a multi-region capable application, we could not run the failover process because our security org migrated us to Identity Center and only put it in us-east-1, hard locking the entire company out of the AWS control plane. By the time we'd gotten the root credentials out of the vault, things were coming back up.

Good reminder that you are only as strong as your weakest link.

0 comments

SOLAR_FIELDS7mo ago

This reminds me of the time that Google’s Paris data center flooded and caught on fire a few years ago. We weren’t actually hosting compute there, but we were hosting compute in AWS EU datacenter nearby and it just so happened that the dns resolver for our Google services elsewhere happened to be hosted in Paris (or more accurately it routed to Paris first because it was the closest). The temp fix was pretty fun, that was the day I found out that /etc/hosts of deployments can be globally modified in Kubernetes easily AND it was compelling enough to want to do that. Normally you would never want to have an /etc/hosts entry controlling routing in kube like this but this temporary kludge shim was the perfect level of abstraction for the problem at hand.

citizenpaul7mo ago

> temporary kludge shim was the perfect level of abstraction for the problem at hand.

Thats some nice manager deactivating jargon.

LPisGood7mo ago

Manager deactivating jargon is a great phrase - it’s broadly applicable and also specific.

SOLAR_FIELDS7mo ago

Yeah that sentence betrays my BigCorp experience it’s pulling from the corporate bullshit generator for sure

johndubchak7mo ago

+1...hee hee

jordanb7mo ago

Couldn't you just patch your coredns deployment to specify different forwarders?

SOLAR_FIELDS7mo ago

Probably. This was years ago so the details have faded but I do recall that we did weigh about 6 different valid approaches of varying complexity in the war room before deciding this /etc/hosts hack was the right approach for our situation

nahumba7mo ago

This is the en of the thread of the first comment. Now i can find below the second comment

1970-01-017mo ago

I remember Facebook had a similar story when they botched their BGP update and couldn't even access the vault. If you have circular auth, you don't have anything when somebody breaks DNS.

crote7mo ago

Wasn't there an issue where they required physical access to the data center to fix the network, which meant having to tap in with a keycard to get in, which didn't work because the keycard server was down, due to the network being down?

kylecazar7mo ago

Wishful thinking, but I hope an engineer somewhere got to ram a door down to fix a global outage. For the stories.

jedberg7mo ago

Way back when I worked at eBay, we once had a major outage and needed datacenter access. The datacenter process normally took about 5 minutes per person to verify identity and employment, and then scan past the biometric scanners.

On that day, the VP showed up and told the security staff, "just open all the doors!". So they did. If you knew where the datacenter was, you could just walk-in in mess with eBay servers. But since we were still a small ops team, we pretty much knew everyone who was supposed to be there. So security was basically "does someone else recognize you?".

4 more replies

wolpoli7mo ago

The story was that they had to use an angle grinder to get in.

4 more replies

bluGill7mo ago

I assume they needed their own air supply because the automatic poison gas system was activating. Then they had to dodge lazers to get to the one button that would stop the nuclear missle launch.

add a bunch of other poinless scifi and evil villan lair tropes in as well...

1 more reply

lazide7mo ago

Not an active datacenter, but I did get to use a fire extinguisher to knock out a metal-mesh-reinforced window in a secure building once because no one knew where the keys were for an important room.

Management was not happy, but I didn’t get in trouble for it. And yes, it was awesome. Surprisingly easy, especially since the fire extinguisher was literally right next to it.

1 more reply

lenerdenator7mo ago

Not to speak for the other poster, but yes, they had people experiencing difficulties getting into the data centers to fix the problems.

I remember seeing a meme for a cover of "Meta Data Center Simulator 2021" where hands were holding an angle grinder with rows of server racks in the background.

"Meta Data Center Simulator 2021: As Real As It Gets (TM)"

UltraSane7mo ago

Yes for some insane reason facebook had EVERYTHING on a single network. The door access not working when you lose BGP routes is especially bad because normal door access systems cache access rules on the local door controllers and thus still work when they lose connectivity to the central server.

holowoodman7mo ago

Depends. Some have a paranoid mode without caching, because then a physical attacker cannot snip a cable and then use a stolen keycard as easily or something. We had an audit force us to disable caching, which promptly went south at a power outage 2 months later where the electricians couldn't get into the switch room anymore. The door was easy to overcome, however, just a little fiddling with a credit card, no heroic hydraulic press story ;)

2 more replies

avidphantasm7mo ago

This sounds similar to AWS services depending on DynamoDB, which sounds like what happened here. Even if under the hood parts of AWS depend on Dynamo, it should be a walled-off instance separate from Dynamo available via us-east-1.

1 more reply

junon7mo ago

Yep. And their internal comms were on the same server if memory serves. They were also down.

simplyluke7mo ago

I was there at the time, for anyone outside of the core networking teams it was functionally a snow day. I had my manager's phone number, and basically established that everyone was in the same boat and went to the park.

Core services teams had backup communication systems in place prior to that though. IIRC it was a private IRC on separate infra specifically for that type of scenario.

3 more replies

bcrl7mo ago

That's similar to the total outage of all Rogers services in Canada back on July 7th 2022. It was compounded by the fact that the outage took out all Rogers cell phone service, making it impossible for Rogers employees to communicate with each other during the outage. A unified network means a unified failure mode.

Thankfully none of my 10 Gbps wavelengths were impacted. Oh did I appreciate my aversion to >= layer 2 services in my transport network!

YokoZar7mo ago

That's kind of a weird ops story, since SRE 101 for oncall is to not rely on the system you're oncall for to resolve outages in it. This means if you're oncall for communications of some kind, you must have some other independent means of reaching eachother (even if it's a competitor phone network)

bcrl7mo ago

That is heavily contingent on the assumption that the dependencies between services are well documented and understood by the people building the systems.

1 more reply

ttul7mo ago

There is always that point you reach where someone has to get on a plane with their hardware token and fly to another data centre to reset the thing that maintains the thing that gives keys to the thing that makes the whole world go round.

beefnugs7mo ago

So sick of billion dollar companies not hiring that one more guy

ttul7mo ago

That is perhaps why they are billion dollar companies and why my company is not very successful.

vladvasiliu7mo ago

> Identity Center and only put it in us-east-1

Is it possible to have it in multiple regions? Last I checked, it only accepted one region. You needed to remove it first if you wanted to move it.

raverbashing7mo ago

Security people and ignoring resiliency and failure modes: a tale as old as time

AndrewKemendo7mo ago

Correct. That does make it a centralized failure mode and everyone is in the same boat on that.

I’m unaware of any common and popular distributed IDAM that is reliable

fheisler7mo ago

Not sure if this counts fully as 'distributed' here, but we (Authentik Security) help many companies self-host authentik multi-region or in (private cloud + on-prem) to allow for quick IAM failover and more reliability than IAMaaS.

There's also "identity orchestration" tools like Strata that let you use multiple IdPs in multiple clouds, but then your new weakest link is the orchestration platform.

mooreds7mo ago

Disclosure: I work for FusionAuth, a competitor of Authentik.

Curious. Is your solution active-active or active-passive? We've implemented multi-region active-passive CIAM/IAM in our hosted solution[0]. We've found that meets needs of many of our clients.

I'm only aware of one CIAM solution that seems to have active-active: Ory. And even then I think they shard the user data[1].

0: https://fusionauth.io/docs/get-started/run-in-the-cloud/disa...

1: https://www.ory.com/blog/global-identity-and-access-manageme... is the only doc I've found and it's a bit vague, tbh.

1 more reply

bravetraveler7mo ago

> I’m unaware of any common and popular distributed IDAM that is reliable

Other clouds, lmao. Same requirements, not the same mistakes. Source: worked for several, one a direct competitor.

barbazoo7mo ago

Wow, you really *have* to exercise the region failover to know if it works, eh? And that confidence gets weaker the longer it’s been since the last failover I imagine too. Thanks for sharing what you learned.

shdjhdfh7mo ago

You should assume it will not work unless you test it regularly. That's a big part of why having active/active multi-region is attractive, even though it's much more complex.

ej_campbell7mo ago

That wouldn't have even caught that, most likely unless they verified they had no incidental tie ins with us-east-1.

jpollock7mo ago

The last place I worked actively switched traffic over to the backup nodes regularly (at least monthly) to ensure we could do it when necessary.

We learned that lesson by having to do emergency failovers and having some problems. :)

shawabawa37mo ago

for what it's worth, we were unable to login with root credentials anyway

i don't think any method of auth was working for accessing the AWS console

kondro7mo ago

Sure it was, you just needed to login to the console via a different regional endpoint. No problems accessing systems from ap-southeast-2 for us during this entire event, just couldn’t access the management planes that are hosted exclusively in us-east-1.

nijave7mo ago

Like the other poster said, you need to use a different region. The default region (of course) sends you to us-east-1

e.x. https://us-east-2.console.aws.amazon.com/console/home

reenorap7mo ago

It's a good reminder actually that if you don't test the failover process, you have no failover process. The CTO or VP of Engineering should be held accountable for not making sure that the failover process is tested multiple times a month and should be seamless.

sroussey7mo ago

If you don’t regularly restore a backup, you don’t have one.

hinkley7mo ago

Too much armor makes you immobile. Will your security org be held to task for this? This should permanently slow down all of their future initiatives because it’s clear they have been running “faster than possible” for some time.

Who watches the watchers.

ej_campbell7mo ago

Totally ridiculous that AWS wouldn't by default make it multi-region and warn you heavily that your multi-region service is tied to a single region for identity.

The usability of AWS is so poor.

skywhopper7mo ago

They don’t charge anything for Identity Center and so it’s not considered an important priority for the revenue counters.

ct5207mo ago

I always find it interesting how many large enterprises have all these DR guidelines but fail to ever test. Glad to hear that everything came back alright

ransom15387mo ago

People will continue to purchase Mutli-AZ and multi-region even though you have proved what a scam it is. If east region goes down, ALL amazon goes down, feel free to change my mind. STOP paying double rates for multi region.

ozim7mo ago

Sounds like a lot of companies need to update their BCP after this incident.

michaelcampbell7mo ago

"If you're able to do your job, InfoSec isn't doing theirs"

j / k navigate · click thread line to collapse

0 comments

SOLAR_FIELDS7mo ago

citizenpaul7mo ago

> temporary kludge shim was the perfect level of abstraction for the problem at hand.

Thats some nice manager deactivating jargon.

LPisGood7mo ago

Manager deactivating jargon is a great phrase - it’s broadly applicable and also specific.

SOLAR_FIELDS7mo ago

Yeah that sentence betrays my BigCorp experience it’s pulling from the corporate bullshit generator for sure

johndubchak7mo ago

+1...hee hee

jordanb7mo ago

Couldn't you just patch your coredns deployment to specify different forwarders?

SOLAR_FIELDS7mo ago

nahumba7mo ago

This is the en of the thread of the first comment. Now i can find below the second comment

1970-01-017mo ago

I remember Facebook had a similar story when they botched their BGP update and couldn't even access the vault. If you have circular auth, you don't have anything when somebody breaks DNS.

crote7mo ago

kylecazar7mo ago

Wishful thinking, but I hope an engineer somewhere got to ram a door down to fix a global outage. For the stories.

jedberg7mo ago

4 more replies

wolpoli7mo ago

The story was that they had to use an angle grinder to get in.

4 more replies

bluGill7mo ago

I assume they needed their own air supply because the automatic poison gas system was activating. Then they had to dodge lazers to get to the one button that would stop the nuclear missle launch.

add a bunch of other poinless scifi and evil villan lair tropes in as well...

1 more reply

lazide7mo ago

Not an active datacenter, but I did get to use a fire extinguisher to knock out a metal-mesh-reinforced window in a secure building once because no one knew where the keys were for an important room.

Management was not happy, but I didn’t get in trouble for it. And yes, it was awesome. Surprisingly easy, especially since the fire extinguisher was literally right next to it.

1 more reply

lenerdenator7mo ago

Not to speak for the other poster, but yes, they had people experiencing difficulties getting into the data centers to fix the problems.

I remember seeing a meme for a cover of "Meta Data Center Simulator 2021" where hands were holding an angle grinder with rows of server racks in the background.

"Meta Data Center Simulator 2021: As Real As It Gets (TM)"

UltraSane7mo ago

holowoodman7mo ago

2 more replies

avidphantasm7mo ago

1 more reply

junon7mo ago

Yep. And their internal comms were on the same server if memory serves. They were also down.

simplyluke7mo ago

Core services teams had backup communication systems in place prior to that though. IIRC it was a private IRC on separate infra specifically for that type of scenario.

3 more replies

bcrl7mo ago

Thankfully none of my 10 Gbps wavelengths were impacted. Oh did I appreciate my aversion to >= layer 2 services in my transport network!

YokoZar7mo ago

bcrl7mo ago

That is heavily contingent on the assumption that the dependencies between services are well documented and understood by the people building the systems.

1 more reply

ttul7mo ago

beefnugs7mo ago

So sick of billion dollar companies not hiring that one more guy

ttul7mo ago

That is perhaps why they are billion dollar companies and why my company is not very successful.

vladvasiliu7mo ago

> Identity Center and only put it in us-east-1

Is it possible to have it in multiple regions? Last I checked, it only accepted one region. You needed to remove it first if you wanted to move it.

raverbashing7mo ago

Security people and ignoring resiliency and failure modes: a tale as old as time

AndrewKemendo7mo ago

Correct. That does make it a centralized failure mode and everyone is in the same boat on that.

I’m unaware of any common and popular distributed IDAM that is reliable

fheisler7mo ago

There's also "identity orchestration" tools like Strata that let you use multiple IdPs in multiple clouds, but then your new weakest link is the orchestration platform.

mooreds7mo ago

Disclosure: I work for FusionAuth, a competitor of Authentik.

Curious. Is your solution active-active or active-passive? We've implemented multi-region active-passive CIAM/IAM in our hosted solution[0]. We've found that meets needs of many of our clients.

I'm only aware of one CIAM solution that seems to have active-active: Ory. And even then I think they shard the user data[1].

0: https://fusionauth.io/docs/get-started/run-in-the-cloud/disa...

1: https://www.ory.com/blog/global-identity-and-access-manageme... is the only doc I've found and it's a bit vague, tbh.

1 more reply

bravetraveler7mo ago

> I’m unaware of any common and popular distributed IDAM that is reliable

Other clouds, lmao. Same requirements, not the same mistakes. Source: worked for several, one a direct competitor.

barbazoo7mo ago

shdjhdfh7mo ago

You should assume it will not work unless you test it regularly. That's a big part of why having active/active multi-region is attractive, even though it's much more complex.

ej_campbell7mo ago

That wouldn't have even caught that, most likely unless they verified they had no incidental tie ins with us-east-1.

jpollock7mo ago

The last place I worked actively switched traffic over to the backup nodes regularly (at least monthly) to ensure we could do it when necessary.

We learned that lesson by having to do emergency failovers and having some problems. :)

shawabawa37mo ago

for what it's worth, we were unable to login with root credentials anyway

i don't think any method of auth was working for accessing the AWS console

kondro7mo ago

nijave7mo ago

Like the other poster said, you need to use a different region. The default region (of course) sends you to us-east-1

e.x. https://us-east-2.console.aws.amazon.com/console/home

reenorap7mo ago

sroussey7mo ago

If you don’t regularly restore a backup, you don’t have one.

hinkley7mo ago

Who watches the watchers.

ej_campbell7mo ago

Totally ridiculous that AWS wouldn't by default make it multi-region and warn you heavily that your multi-region service is tied to a single region for identity.

The usability of AWS is so poor.

skywhopper7mo ago

They don’t charge anything for Identity Center and so it’s not considered an important priority for the revenue counters.

ct5207mo ago

I always find it interesting how many large enterprises have all these DR guidelines but fail to ever test. Glad to hear that everything came back alright

ransom15387mo ago

ozim7mo ago

Sounds like a lot of companies need to update their BCP after this incident.

michaelcampbell7mo ago

"If you're able to do your job, InfoSec isn't doing theirs"

j / k navigate · click thread line to collapse