On Sun, Sep 18, 2016 at 03:56:30PM +0200, Florian Weimer wrote:
> * Rich Kulawiec:
> > For example: if the average number of outbound SSH connections established per hour per host across all hosts behind CGNAT is 3.2, and you see a host making 1100/hour: that's a problem. It might be someone who botched a Perl script; or it might be a botted host trying to brute-force its way into something.
>
> If you do this, you break Github.
1. I didn't know that: *how* does this break Github?

2. This is just an *example* of how to use the technique. It's not meant to be literal. The general approach of determining the statistical characteristics of "normal" and then flagging things that are "way outside normal" works -- but of course it requires sufficient knowledge to account for things like Github usage and/or infrequent events and/or usage spikes triggered by real-world events, etc. The more you do it, and the longer you do it, the better you'll get at it.

(But of course the false positive rate will never be zero. That's why the question of what to do when anomalies happen isn't easy: poke a human? throttle? block? further analysis?)

---rsk
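The baseline-then-flag approach discussed in this exchange, as an added example that is not part of the thread: constructed per-host hourly outbound SSH counts, a robust "normal" (median/MAD, so the 1100/hour host cannot drag the baseline up and hide itself), and a hypothetical allowlist for hosts whose heavy use is explained by their role (the "sufficient knowledge" caveat). Host names, counts, and thresholds are made up.

```python
import statistics

# Constructed sample: outbound SSH connections per host in one hour for a
# handful of hosts behind a CGNAT pool. All values are invented.
HOURLY_SSH_COUNTS = {
    "host-01": 2, "host-02": 3, "host-03": 4, "host-04": 3,
    "host-05": 5, "host-06": 1, "host-07": 3, "host-08": 4,
    "ci-runner": 60,   # hypothetical build box that legitimately pushes a lot
    "host-09": 1100,   # the "botched script or botted host" case from the post
}

# Hypothetical allowlist: hosts whose high rate is explained by their role.
# They are left out of the baseline and never flagged.
KNOWN_HEAVY = {"ci-runner"}


def baseline(counts, exclude=frozenset()):
    """Robust estimate of 'normal': median and median absolute deviation."""
    values = [c for h, c in counts.items() if h not in exclude]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, mad


def flag_outliers(counts, k=10, floor=20, exclude=frozenset()):
    """Return [(host, count, score)] for hosts 'way outside normal'.

    score = (count - median) / MAD. A host is flagged only when score > k
    AND count >= floor, so a quiet hour with MAD of 0 or 1 does not turn
    every slightly busy host into an alert. What to do with a flagged host
    (page someone, throttle, block, dig further) is deliberately left to
    the caller; this only ranks the anomalies.
    """
    med, mad = baseline(counts, exclude)
    scale = mad if mad > 0 else 1.0
    flagged = []
    for host, count in counts.items():
        if host in exclude:
            continue
        score = (count - med) / scale
        if score > k and count >= floor:
            flagged.append((host, count, round(score, 1)))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    print("without allowlist:", flag_outliers(HOURLY_SSH_COUNTS))
    print("with allowlist:   ", flag_outliers(HOURLY_SSH_COUNTS, exclude=KNOWN_HEAVY))
```

Run it twice as above to see the false positive the allowlist removes: without it the build box is flagged alongside the 1100/hour host; with it only the genuine outlier remains.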