ESI Market History Endpoint

D43dun · December 21, 2022, 1:04pm

Dang DDoSing knucklheads.

After seeing this error when testing the ESI, lead me here. At least there is a good reason.

Any update on progress so far?

MAV_Alleile · December 23, 2022, 1:06pm

Maybe just limit the number of requests to the API from one address per day, for example? Well, or turn on at a certain time. It’s kind of boring without the API.

Golden_Gnu · December 23, 2022, 2:33pm

All ESI bans are IP bans. problems only happens when the attacker are evading the IP ban, as they were in this case and have been in other cases as well. With cloud services like AWS IP rotation is pretty easy. So any limitation by IP will probably be ineffective, as attackers will just rotate the IP. That is why a solution is auth, as you can not rotate eve characters as easy as you can rotate IPs. ESI probably just isn’t hardened enough, because, people used to be super thankful for it and treat it with respect, being good API citizens.

Ethan02 · December 24, 2022, 7:08am

Now also serving static CSV exports that cover the price or order volume (not trade!) history of all items in an entire region on a day or week basis via https://static.adam4eve.eu/. Should help reduce the effort to scrape the API.

Attidack · December 28, 2022, 4:31am

The best way I’ve found to handle api calls like this would be to put it behind cloudfront which will cache similar requests and return them without touching your API, ec2 instance, lambda, or whatever you have configured.
It will also cache it at different locations so not only will you have insanely fast cached results, but you’ll also have it geographically closest to the IP making the call so it will be that much faster.

D43dun · December 31, 2022, 3:20pm

Caching on a CDN is a solution, given that once generated on a daily basis, is static for the rest of the day.

Also, auth would help weed out anyone truly hammering that API. At the very least, make it harder for a to-be DDoSer.

Mokaam_Racor · January 5, 2023, 12:48pm

It is really unfortunate that this end point is down. My own service which many traders use was 100% reliant on this data particularly and there is nothing like it out there, so my site is down until this is (hopefully) up again soon. Ethan’s data is something different though I’m very grateful for what he does.

Also just let this data be a static download, it was already a pain to call every item for every region you required one by one even if you only had to do it once per day.

MAV_Alleile · January 12, 2023, 9:38am

It can do even nginx.

Lars_Fidard · January 23, 2023, 3:51am

This endpoint was taken down after a DDoS on 4 November. 80 days later and it’s still down. I’m sorry to say but that was a hell of a successful DDoS.

And from what I can tell, no news since this topic was created, more than a month ago. Any updates on this issue would be appreciated.

Geo_Eclipse_Oksaras · January 23, 2023, 1:25pm

ESI - Public Character Data

Via @CCP_Swift

I will add a bit more context as to some of the ESI failures, as it’s, unfortunately, more widespread than this endpoint. he Market data endpoint has been down, and now two relating to character corporation history (though afaik not alliance history), are down or impaired.

The TL;DR for why these endpoints were taken offline is that there is a third-party developer, or a series of third-party devs, using AWS and requesting information from these endpoints so frequently that it puts the rest of the server at risk. These are on the scale of a 6,000% increase in hourly requests. Typically we’d use IP bans to stop the attack and then players would reach out to us, however, that strategy is no longer working in a climate where AWS can assign another IP immediately.

The team is aware of how severe these outages are and are actively pursuing solutions that will restore functionality and give us more tools to block errant programs or bad actors without taking the entire service offline.

Just a few days ago, ccp swift went into further detail what happened and why its not a quick fix

Laurel_Celeste · February 9, 2023, 11:47pm

I think it’s safe to say that the wait for the ESI Market History endpoint has now (2023-02-10) reached a critical stage. Over two months without access to this essential api endpoint is having a huge impact on many tools, developers, and players.

The fact that the endpoint had to be taken down due to the constant spikes in CPU use and the subsequent performance issues is concerning, and it’s clear that immediate action needed to be taken. The market is a crucial component for the game, and the failure of this specific endpoint is having a severe impact on the entire community.

The plans to redesign or add authentication to the endpoint are a step in the right direction, but I think it’s imperative that the work being done is expedited as much as possible. The longer this issue persists, the more damage it will cause to the community and the game as a whole.

I implore the teams involved to find a solution to this situation as soon as possible. The community has been patient for too long, and it’s high time that a resolution is found. I hope that everyone involved is working diligently to restore the market and its endpoint to full functionality.

We can’t afford to wait any longer, and I hope that a solution is found soon. Thank you for the update (although to late and to less) and effort being made to resolve this situation.

GO!

Akumi_Neko_Gaming · February 20, 2023, 11:23pm

is there no rate limiter in place?

Aiko_Danuja · February 21, 2023, 8:43am

They “temporarily” removed the bounty system in October 2020.

CCP just deleting the game piece by piece.

MAV_Alleile · February 23, 2023, 9:21am

when?

Crash_888 · March 1, 2023, 3:38pm

any update?

Aiko_Danuja · March 18, 2023, 11:32pm

anyone home?

Sasha_Winston · March 21, 2023, 7:05pm

MAV_Alleile · April 9, 2023, 7:28am

AmperXan · April 14, 2023, 3:16am

@CCP_Zelus In the short term, has the team considered working with the larger partners and building a static IP whitelist for the API?

CCP_Zelus · April 14, 2023, 11:30am

It’s a good thought in the event that anything like this happens in the future, we actually considered it as well as a form of mitigation, but the system was designed to be open to all, then closed to specific IPs as required (i.e a blacklist system).

We also don’t want to punish any (new) developers trying to access the endpoints trying to develop apps that are using dynamic IP ranges that need constant updates too.