* Rich Kulawiec:
On Sun, Sep 18, 2016 at 03:56:30PM +0200, Florian Weimer wrote:
* Rich Kulawiec:
For example: if the average number of outbound SSH connections established per hour per host across all hosts behind CGNAT is 3.2, and you see a host making 1100/hour: that's a problem. It might be someone who botched a Perl script; or it might be a botted host trying to brute-force its way into something.
If you do this, you break Github.
1. I didn't know that: *how* does this break Github?
Github users create several orders of magnitude more SSH connections than average users because the most convenient way to set up read/write access is to use SSH. Depending on how you use Github, you might update lots and lots of local repositories from Github at certain times of the day.
2. This is just an *example* of how to use the technique. It's not meant to be literal. The general approach of determining the statistical characteristics of "normal" and then flagging things that are "way outside normal" works -- but of course it requires sufficient knowledge to account for things like Github usage and/or infrequent events and/or usage spikes triggered by real-world events, etc.
Sure, and people already do this, and are not very flexible about it. Support staff aren't briefed, and claim they do such stochastic behavior adjustment across all (server) products, which I find difficult to believe. I'm worried that this leads to a future where tunnelling everything over HTTP(S) is no longer sufficient. You have to make it look like a web server or browser, too. Everything else risks triggering automated countermeasures. That's the antithesis of good protocol design.
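A worked version of the rate-baseline idea from this exchange, added here as an example and not code from either poster: it scores per-host outbound SSH connection counts against a robust median/MAD baseline, and shows how giving known heavy SSH users (the Github case) their own peer baseline removes the false positive. Host names, counts and the class map are constructed.

```python
"""Per-host outbound SSH rate anomaly check behind CGNAT (constructed data)."""
from collections import Counter
from statistics import median

# Constructed sample of (internal_host, dst_port) connections seen in one hour.
# Most hosts make a handful of SSH connections; dev-7/dev-8 are hypothetical
# developers syncing many repositories; h-42 is the 1100/hour host.
SAMPLE_EVENTS = (
    [("h-1", 22)] * 3 + [("h-2", 22)] * 4 + [("h-3", 22)] * 2
    + [("h-4", 22)] * 3 + [("h-5", 22)] * 5 + [("h-1", 443)] * 40
    + [("dev-7", 22)] * 180 + [("dev-8", 22)] * 220
    + [("h-42", 22)] * 1100
)

# Hypothetical host-class map: hosts in a named class are judged against
# their own peers instead of against the whole CGNAT population.
HOST_CLASS = {"dev-7": "git-users", "dev-8": "git-users"}


def ssh_rates(events, port=22):
    """Count outbound connections to `port` per internal host."""
    return Counter(host for host, dport in events if dport == port)


def robust_baseline(values):
    """Median and MAD: a few heavy hosts do not drag the baseline up the
    way a mean would, but they still show up as outliers themselves."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return med, mad


def flag_outliers(rates, host_class, threshold=10.0):
    """Return {host: score} for hosts far outside their class's normal.
    score = (rate - median) / MAD, i.e. roughly 'how many MADs out'."""
    by_class = {}
    for host, rate in rates.items():
        by_class.setdefault(host_class.get(host, "default"), {})[host] = rate
    flagged = {}
    for members in by_class.values():
        if len(members) < 2:
            continue  # a class of one has no peers, so no baseline yet
        med, mad = robust_baseline(list(members.values()))
        for host, rate in members.items():
            score = (rate - med) / mad
            if score > threshold:
                flagged[host] = round(score, 1)
    return flagged
```

With an empty class map the two developer hosts are flagged alongside h-42; with the class map only h-42 is flagged.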