On Sun, Sep 18, 2016 at 01:30:52PM +0100, Tom Smyth wrote:
> 2) do some "canary in the mine" monitoring for obviously malicious traffic (loads of SMTP traffic outbound) and lots of connection requests to SSH servers ... if you see that traffic from behind your CGNAT device .. just temporarily block the internal ip of the user until they clean up their devices.
Seconded. This is something I've recommended for years (decades, I suppose by now). Simple measurements of what's "normal" for your operation in terms of connection rates, types, etc., are easy to make. That in turn enables measurements of what's abnormal, and that in turn enables manual or automatic actions.

For example: if the average number of outbound SSH connections established per hour per host across all hosts behind CGNAT is 3.2, and you see a host making 1100/hour: that's a problem. It might be someone who botched a Perl script; or it might be a botted host trying to brute-force its way into something.

These kinds of measurements are relatively easy to make and don't require invading user privacy. They won't catch everything, of course, but they're not intended to. They may catch enough to solve the problem in front of you at the moment *and*, if they do that, they may reduce the scope/scale of the rest of the problems to make them more tractable via other techniques.

---rsk
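The baseline-and-outlier check rsk describes, as an added example that is not part of the thread: per-host outbound SSH connection rates are computed from flow records, a baseline is taken across all hosts behind the CGNAT, and any host far above it is reported. The flow records, host addresses and the threshold rule (a multiple of the baseline with an absolute floor) are constructed assumptions for the example; the one design choice beyond the post is using the median rather than the mean as the baseline, because the 1100/hour host drags the mean up and would otherwise hide itself.

```python
"""Flag hosts behind a CGNAT whose outbound SSH connection rate is far above the norm.

Example code added for illustration; flow records and addresses are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, median

SSH_PORT = 22


def make_sample_flows():
    """Constructed sample flow records (not real traffic).

    Each record is (timestamp, src_ip, dst_ip, dst_port). Five well-behaved
    hosts open 2, 3, 4, 3 and 4 outbound SSH connections in the hour
    (3.2/hour on average); one host opens 1100. A little non-SSH traffic is
    mixed in and must be ignored by the rate calculation.
    """
    base = datetime(2016, 9, 18, 12, 0, 0)
    per_host = {"10.0.0.1": 2, "10.0.0.2": 3, "10.0.0.3": 4,
                "10.0.0.4": 3, "10.0.0.5": 4, "10.0.0.99": 1100}
    flows = []
    for host, n in per_host.items():
        for i in range(n):
            ts = base + timedelta(seconds=(3600 * i) // n)  # spread over the hour
            flows.append((ts, host, "203.0.113.%d" % (i % 250 + 1), SSH_PORT))
    flows.append((base, "10.0.0.1", "198.51.100.7", 443))  # HTTPS, not counted
    flows.append((base, "10.0.0.99", "198.51.100.7", 80))  # HTTP, not counted
    return flows


def ssh_rates_per_host(flows):
    """Return {src_ip: outbound SSH connections per hour}, averaged over the hours observed."""
    counts = Counter()
    hours_seen = set()
    for ts, src, _dst, dport in flows:
        hours_seen.add(ts.replace(minute=0, second=0, microsecond=0))
        if dport == SSH_PORT:
            counts[src] += 1
    n_hours = max(len(hours_seen), 1)
    return {host: c / n_hours for host, c in counts.items()}


def mean_rate(rates, exclude=()):
    """Plain average across hosts, optionally leaving out hosts already flagged."""
    vals = [r for h, r in rates.items() if h not in exclude]
    return mean(vals) if vals else 0.0


def baseline(rates):
    """Median per-host rate: a single abusive host cannot pull it up the way it pulls up the mean."""
    return median(rates.values()) if rates else 0.0


def flag_outliers(rates, factor=10.0, floor=50.0):
    """Hosts whose rate exceeds max(floor, factor * baseline), highest rate first.

    The absolute floor stops a host doing 4/hour from being flagged just because
    the baseline happens to be near zero on a quiet night.
    """
    threshold = max(floor, factor * baseline(rates))
    return sorted(((h, r) for h, r in rates.items() if r > threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    rates = ssh_rates_per_host(make_sample_flows())
    print("mean across all hosts: %.1f/h  median: %.1f/h" % (mean_rate(rates), baseline(rates)))
    for host, rate in flag_outliers(rates):
        print("ABNORMAL %s: %.0f outbound SSH connections/hour" % (host, rate))
    print("mean with flagged hosts removed: %.1f/h"
          % mean_rate(rates, exclude=[h for h, _ in flag_outliers(rates)]))
```

Run against the constructed flows, the mean across all six hosts is 186/hour while the median is 3.5/hour; only 10.0.0.99 exceeds the threshold, and once it is excluded the mean of the remaining hosts is the 3.2/hour figure from the post. In a real deployment the records would come from NetFlow/IPFIX or firewall connection logs, and the flagged internal address would feed the temporary block Tom Smyth suggests.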