On Mon, 15 May 2017 16:19:37 -0700, "Aaron C. de Bruyn via NANOG" said:
> Combine that with fail2ban. When one user has more than 60 writes in 60 seconds *or* a write contains a well-known cryptolocker name (i.e. *DECRYPT_INSTRUCT*)
Oddly enough, we've seen *lots* of spammers that are *totally* able to auto-tune their spew rate to whatever you set the knob to. Set it to 3,293, and it will quickly adjust to 3,250 or so. Knock the knob down to 67, it will tune down to 65. There's no reason to expect that the same methods won't be used again.

If it's an entire network of vulnerable systems, it's perfectly reasonable for malware to pick one system (the one with the least number of likely-valuable files) as a sacrificial goat and burn it down, just to see where you've set the knobs, and then fly under the radar for the rest of the network.

If malware waits till 5:01PM Friday or whenever it detects the user has left for the weekend, and does a careful search of file extensions for files most likely to be valuable enough to make the victim pay the ransom, and does them at 3 per minute, how bad is the situation Monday morning?

So you restrict file change rate to 1 per hour or something draconian when the user isn't at the keyboard. What is the likely amount of time the malware can get away with doing 3 files a minute in the background while the user *is* using the system, before they hit an encrypted file and realize there's a problem (hint - avoid files modified in the last few days and target more static files)? What is the likely amount of time you can restrict the user to 2 files per minute before they come looking for you with an ax?

Remember - the first rule of designing security is that if you haven't already thought through the first several iterations of blatantly obvious ways to work around your proposal, and dealt with them, it's guaranteed that the bad guys will do so for you.

Remember this as well - the entire reason why Snowden walked away with so many files was because the NSA was not using all the available security features *because it put too much of a crimp in legitimate analyst activity*.
It's also why almost nobody outside military and spook systems actually deploys MLS/MCS security. Given that we've been at this for well over 4 decades now, and we *still* can't actually do it right, you should be *very* suspicious of any proposal that says "Just count the number of opens, tie it to fail2ban, handwave yadda yadda handwave *SECURE*".
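The write-rate rule from the quoted proposal (ban a user at more than 60 writes in 60 seconds, or on a ransom-note filename) and the paced-write evasion described in the reply, as an added example that is not part of the thread. The detector class, the `run_scenario` helper, the file names, and the "3 files a minute from Friday 17:01 through Monday morning (about 63 hours)" scenario are constructed assumptions for illustration, not anything either poster wrote or ran.

```python
"""Sliding-window write-rate detector vs. paced ransomware (added example; not from the thread)."""
import fnmatch
from collections import defaultdict, deque

WINDOW_SECONDS = 60                          # "60 writes in 60 seconds" from the quoted proposal
MAX_WRITES_PER_WINDOW = 60
RANSOM_NOTE_PATTERNS = ["*DECRYPT_INSTRUCT*"]   # the one name pattern the thread mentions


class WriteRateDetector:
    """Per-user sliding-window write counter plus ransom-note filename match.

    Models the fail2ban-style rule from the quoted proposal: ban a user who exceeds
    `limit` writes in any `window`-second span, or who writes a file whose name
    matches a known ransom-note pattern.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_WRITES_PER_WINDOW,
                 patterns=RANSOM_NOTE_PATTERNS):
        self.window = window
        self.limit = limit
        self.patterns = patterns
        self.recent = defaultdict(deque)   # user -> timestamps of writes still inside the window
        self.banned = {}                   # user -> reason

    def observe(self, ts, user, path):
        """Record one write. Returns a ban reason the first time the rule trips, else None."""
        if user in self.banned:
            return self.banned[user]
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatchcase(name, pat) for pat in self.patterns):
            self.banned[user] = f"ransom-note filename {name!r}"
            return self.banned[user]
        q = self.recent[user]
        q.append(ts)
        while q and q[0] <= ts - self.window:     # drop writes that fell out of the window
            q.popleft()
        if len(q) > self.limit:
            self.banned[user] = f"{len(q)} writes in {self.window}s"
            return self.banned[user]
        return None


def run_scenario(events, **detector_kwargs):
    """Feed (ts, user, path) writes through a fresh detector.

    Returns (ban_reason_or_None, files_written_before_ban).
    """
    det = WriteRateDetector(**detector_kwargs)
    written = 0
    for ts, user, path in events:
        if det.observe(ts, user, path):
            return det.banned[user], written
        written += 1
    return None, written


# --- constructed scenarios (synthetic data, not real telemetry) ---------------

def burst_ransomware(user="alice", files=500):
    """Naive ransomware: rewrites 500 files at 10 per second."""
    return [(i / 10.0, user, f"/home/{user}/docs/q{i}.xlsx.locked") for i in range(files)]


def note_dropper(user="alice"):
    """Ransomware that writes its ransom note before touching anything else."""
    return [(0.0, user, f"/home/{user}/DECRYPT_INSTRUCTIONS.txt")]


def paced_ransomware(user="alice", per_minute=3, hours=63):
    """Adaptive ransomware: 3 files/minute from Friday 17:01 until Monday morning (~63 h)."""
    gap = 60.0 / per_minute
    total = int(hours * 60 * per_minute)
    return [(i * gap, user, f"/home/{user}/archive/2015/old_{i}.pdf.locked") for i in range(total)]


def stale_targets(inventory, now, min_age_days=3):
    """Pick files not modified in the last `min_age_days` (the reply's hint about static files).

    `inventory` is a list of (path, mtime_epoch_seconds); returns the paths to hit first.
    """
    cutoff = now - min_age_days * 86400
    return [path for path, mtime in inventory if mtime < cutoff]


if __name__ == "__main__":
    print("burst  :", run_scenario(burst_ransomware()))                 # banned after 60 files
    print("note   :", run_scenario(note_dropper()))                     # banned on the first write
    print("paced  :", run_scenario(paced_ransomware()))                 # never banned, ~11k files
    print("paced/2:", run_scenario(paced_ransomware(hours=1), limit=2))  # the "draconian" after-hours knob
```

Running the three scenarios shows the shape of the argument: the burst and the note-dropper trip the rule almost immediately, while the paced writer never holds more than three timestamps in the 60-second window and finishes the weekend with every file in the constructed archive rewritten. Tightening `limit` to 2 does catch it, at the cost the reply describes for whoever is still at the keyboard.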