Preventing Crypto Mining abuse on GitLab.com SaaS

Recently, there has been a massive uptick in abuse of free pipeline minutes available on GitLab.com and on other CI/CD providers to mine cryptocurrencies. In addition to the cost increases, the abuse creates intermittent performance issues for GitLab.com users and requires our teams to work 24x7 to maintain optimal services for our customers and users. To discourage and reduce abuse, starting May 17th, 2021, GitLab will require new free users to provide a valid credit card in order to use shared runners on GitLab.com. However, a user will be able to run pipelines without providing a credit card if they use their own runner and disable shared runners. Although imperfect, we believe this will reduce the abuse.

Learn more in this announcement blog post.

1 Like

Mmm, while cryptocurrency is a cancer on civilization, the usage of credit cards is quite US-centric and we already have one European contributor going “well shit”.

Does the rule apply to forks of a non-free-plan org that has public repos?

Will there ever be the ability to share project runners with forks in merge requests, even if it’s ACL based and we have to grant permissions? It’s the current headache for us anyway; that would actually help GitLab by allowing us to move more things to our org runners.

1 Like

Will there ever be the ability to share project runners with forks in merge requests, even if it’s ACL based and we have to grant permissions? It’s the current headache for us anyway; that would actually help GitLab by allowing us to move more things to our org runners.

On the sharing of project runners, we do have Allow fork pipelines to run in parent project (&3278) · Epics · GitLab.org · GitLab, where we are looking at allowing forks to generate pipelines or run in the parent project.

3 Likes

@mroszko Thanks for the feedback and questions. In addition to credit cards, debit cards can also be used.

4 Likes

Is it possible to use GitLab Pages without shared runners on a free account (without credit card verification)?

I currently use shared runners with the simple plain HTML template (.gitlab-ci.yml · master · GitLab Pages examples / plain-html · GitLab) to host a static site on GitLab Pages.

While I wouldn’t mind registering my credit card with GitLab, I don’t like that this sets the bar high for new users.

Perhaps enabling 2FA could also be considered a way to verify users.

Also maybe GitLab could work together with GitHub and other CI platforms to create a public shame/ban list for people abusing CI platforms for crypto mining.

1 Like
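The announcement above says pipelines still run without card verification when a project uses its own runner with shared runners disabled, and the Pages question references the plain-html template. The following `.gitlab-ci.yml` is an added example (not the thread’s or GitLab’s own template) showing the two pieces together: a Pages deploy job pinned, via `tags`, to a runner registered with the assumed tag `self-hosted`. The tag name and the `rules` entry are assumptions; disabling shared runners itself is done in the project’s Settings > CI/CD > Runners, not in this file.

```yaml
# Added example, not from the original thread or GitLab's plain-html template.
# Assumes a project runner was registered with the tag "self-hosted" and that
# shared runners are disabled for the project (Settings > CI/CD > Runners).
# Because the job can only be picked up by the tagged project runner, it never
# consumes GitLab.com shared runner minutes, so the triggering account does not
# need card verification.
pages:
  stage: deploy
  tags:
    - self-hosted          # assumed tag; must match the registered runner
  script:
    # Publish the repository contents as a static site from the public/ folder.
    - mkdir -p .public
    - cp -r * .public
    - mv .public public
  artifacts:
    paths:
      - public             # GitLab Pages serves whatever is in public/
  rules:
    # Only deploy from the default branch (assumed policy for this example).
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

If shared runners remain enabled for the project, an untagged shared runner still cannot take this job (it requires the tag), but disabling them makes the intent explicit and prevents any other job in the file from silently falling back to GitLab.com minutes.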

2FA doesn’t solve anything. You can get hundreds of VOIP numbers for a few dollars, and it’s highly automatable by bots.

A shame list literally does nothing. The users are hiding anonymously, they wash their IPs via VPNs and have bots generate hundreds of accounts. Welcome to the openness of the internet.

Debit/credit cards at least require an identity, or for a user to commit wire fraud by using stolen card details. Wire fraud can be prosecuted criminally, while terms of service violations are civil matters that are barely enforceable.

I do worry a bit for GitLab here because stolen card details are incredibly easy to come by. My company got our ecommerce system hit a few months ago with bots using our store for tens of thousands of card numbers to test if they were valid, not even to place real orders. Our merchant processor wasn’t happy, but :shrug:, we had to turn on captchas for carts for all users.

1 Like

Tanuki San brother could help with triaging workload and users in a smart way. Maybe even throttling them.

We have created a new user which is now blocked for running CI pipelines. I can verify him using a credit card and it shows a success message. However, after a reload of the page or when he tries to trigger the pipeline again, the same error message appears. Does anyone face the same issue?

1 Like

Yes, I have this problem too. And also GitLab took 2x $1 from me. I see this in my bank billing system; it was my attempts for this :frowning: GitLab, can you give my money back? I can show you my bank billing.

@mikhail.kanavalov, the amount is an authorisation only; you’re not being charged for it but the funds do get “allocated”. This authorisation expires within a few days and the $2 are released so you can use it.

@nineoh, if you can consistently reproduce this error, I’d urge you to create a bug so the GitLab team can look into it: https://gitlab.com/gitlab-org/gitlab/-/issues/new

Hi @thiagocsf, thanks for your reply. We were able to manage it now. The employee the new user was for had to use his own credit card to verify himself. However, for companies it would be nice if it worked with a company credit card, too.

1 Like

This might be another issue. I’ve already validated my account but it still asks for validation after refresh. It seems it doesn’t remember anything, please help!

@ZR87 as per the previous post above by @thiagocsf, I suggest you open a bug so the GitLab team can look into it. A post on the forum won’t be enough for it to be addressed. Just check first to make sure no-one else has opened an issue/bug for it already.

Hi, I have the same trouble with verification of my new GitLab account. The pipeline failed, but on the failed pipeline run detail page there is no “verification banner” and link displayed like in the video in your blog. In my personal account I also cannot add a credit card for verification; there it says I should go back to the group. I just want to start work as a developer at my new job but have this kind of trouble. :frowning: What should I do?

Meanwhile, I don’t have a credit card or debit card. But I have and use wallet currency from Indonesia. When I begin running a pipeline, I get asked for verification first because I created my GitLab account in Dzulqa’dah 1442 H (June 2021).

Wallet currency or electronic currency from Indonesia uses a phone number and verification with an ID card (= KTP). Thanks for the information.

Companies don’t issue credit cards for each and every one of their employees just to use a feature in GitLab, this is basically barring the majority of legit users from using free minutes in their private projects.

2 Likes

This change of policy / implementation of verification is a problematic issue for our new employees.
The announcement blog post mentions:

Prospects that are unable or unwilling to provide a card can reach out to sales for assistance

When doing so, sales simply replies with a canned response that more or less states that we “should stop using the shared runners and running our own runners instead”.

Our company is a “Consumption User” on the SaaS platform for which we purchase additional CI minutes every month. Telling your customers to stop using the SaaS runners (for which they have paid) and run DIY runners does not seem like a customer-friendly solution to me.

While I understand the reasoning behind wanting your customers to validate themselves to stop (crypto-)abuse, the implementation of it is lacking in my opinion.

  1. A credit card is not as common in Europe as it is in America. Additionally, employees tend to not want to share/use their own personal credit/debit information for business usage. Most (if not all) of our employees create a dedicated GitLab account for business usage to keep business & personal separated.

  2. Currently a user is unable to run any pipelines until they are “validated”. Even if those pipelines run within a group that has a positive number of CI minutes.

IMHO, the check should permit the pipeline to execute if the project is part of a group that has a positive number of CI minutes, regardless of whether the user triggering the pipeline (e.g. by creating a MR) is “validated” or not. Why does the user need to validate themselves if the CI minutes being used have been paid for already? If they want to be able to run pipelines under their personal account namespace or that of any groups they created themselves, this could still require verification if desired.

This should still prevent (crypto-)abuse while also making it way more practical for companies/groups to keep on using GitLab as they were doing so in the past.

4 Likes

I second the previous posters. It’s not feasible for a company to give credit card details to every dev. Isn’t there any way to “validate” a company/group/domain such that each and every user in the group or with a given domain (email) is automatically “validated”?

1 Like