ESI Characters Corporation History

Hey everyone!

I’ve been advised that this afternoon we’ve temporarily taken down one of the ESI endpoints:

"esi-characters/{character_id}/corporationhistory/" is the exact endpoint.

  • Routes will return empty lists rather than corporation history once the request cache has expired
  • This affects all versions of the endpoint: legacy, dev, latest, v1 and v2
  • Before this weekend, the average number of daily requests was around 50k per hour; however, it has been spiking to 3 million per hour.

Similar to the issue we had towards the end of the year with the Market endpoint, it seems that these requests are also coming from AWS, so banning the offending IPs won’t resolve the issue. Until the endpoint can be protected better, it will be taken offline.

As per the Market endpoints post, once I’m advised of any further developments on this, I’ll relay them into this thread.


What would be causing the spike? DDoS??

We don’t believe it’s intended to be malicious; it’s more than likely that an errant third-party dev miscoded something, causing it to increase the number of calls. It appears the issue started on Saturday 7 Jan at 18:13 UTC, so if you’re a budding developer that was developing something new around that time, it may be worth checking into!

We aren’t looking to punish the individual responsible for the uptick in requests, but if we do discover the individual that may have accidentally caused the issue, they’re welcome to drop me a message. I can pass that along to the development team to see if we can restore the service before the additional work is put into reinforcing the endpoint.


Any update that you know of for the market endpoints? Looks like several have had some ideas on how to mitigate the issues.

Confirming Tactical Supremacy / aa-alumni · GitLab will be affected,

I have around two thousand users affected by this.

ETA: TBD :joy:
Do we really need endpoints though :smiling_imp:

Market endpoint down and dysfunctional, Character endpoint down. Worrying trend.

Aren’t we supposed to add a User-Agent with information on what application is doing the request so you can contact the developer? Why not block any request without this info?
I for one am setting it: esi-client/GuzzleFetcher.php at develop · seatplus/esi-client · GitHub

Well, this was a 3rd party dev’s fault on this.

They are stripped out before their logging, they mean nothing.

One would think they would use this, or at least log this, so they find malicious apps and can contact the devs … but no


You must be new to this :stuck_out_tongue:


While perhaps not malicious this is clearly intentional.

It’s been long enough since the market history endpoint was hit that a developer would have received their bill from AWS and thought “weird, that’s a bit expensive for a t2.micro”.

This is an insane way to approach a fix.

You just disabled a fundamental endpoint for all things recruiting. Having people joining and waiting 7 days to access Wiki, Forums, Comms, Discord when requiring authentication is just akin to telling people to f*** off from joining your Corporation. Those first days in Corp are critical to get people up to speed and set up, and instead you just slammed the door without providing any kind of alternative, or really, without even providing proper communication about it if not after days of the change getting implemented.

Blame the 3rd party devs ■■■■■■■ things up