(for browsers) released!!
But, it gives many benefits for ATTACKERS...
• Easy to analyze API protocols
• Easy to create MANY accounts (email, twitter...)
→ Spam floods!!!
calls, min(time) as time_min, max(time) as time_max, N as threshold, host
FROM accesslog.win:time_batch(1 min)
WHERE uri LIKE '/api/%' and method = 'POST'
GROUP BY host
HAVING count(*) >= N
as calls, min(time) as time_min, max(time) as time_max, N as threshold, host
FROM accesslog.win:time_batch(1 min)
WHERE uri LIKE '/api/signup/twitter%'
GROUP BY host
HAVING count(*) >= N
sweep
    tag field tag
    tag_prefix norikra
    interval 3s
  </fetch>
</source>
<match norikra.spam-detect.**>
  type spam_reactor
  whitelist ["127.0.0.1", "192.168.0.0/16"]
</match>
threshold
• Set the IP address to memcached (exclude whitelist)
    memd.set("banned-host:#{host}", 1, expires, false)
    memd.set("banned-host-count:#{host}", count, 86400, false)
• Emit a report message
    router.emit("spam-report", time, {"message" => message})
WebApp BLOCKS accesses from IP address in memcached!
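
The whole pipeline above in plain Ruby, as an added example that is not code from the original slides: the one-minute batch count per host that the query performs, the whitelist check, and the two memcached keys. `FakeMemd`, the threshold, the ban duration, the meaning given to `count` and the log records are constructed assumptions.

```ruby
require "ipaddr"

WHITELIST = ["127.0.0.1", "192.168.0.0/16"].map { |c| IPAddr.new(c) }  # from the slide
THRESHOLD = 3      # N in the query (assumed value)
BAN_SECONDS = 600  # "expires" on the slide (assumed value)

# In-memory stand-in for the memcached client (hypothetical), with TTL handling.
class FakeMemd
  def initialize; @data = {}; end
  def set(key, value, ttl, _raw = false, now: 0)
    @data[key] = [value, now + ttl]
  end
  def get(key, now: 0)
    value, expires_at = @data[key]
    value if expires_at && now < expires_at
  end
end

# Same filter and grouping as the first query: POSTs under /api/, 1 min batches, per host.
def detect(records, threshold = THRESHOLD)
  hits = records.select { |r| r[:method] == "POST" && r[:uri].start_with?("/api/") }
  hits.group_by { |r| [r[:time] / 60, r[:host]] }.filter_map do |(window, host), rs|
    next if rs.size < threshold
    { "host" => host, "calls" => rs.size, "threshold" => threshold,
      "window_end" => (window + 1) * 60 }
  end
end

# Reactor step: skip whitelisted hosts, write both keys, return report messages.
def react(events, memd)
  events.filter_map do |e|
    host, now = e["host"], e["window_end"]
    next if WHITELIST.any? { |net| net.include?(IPAddr.new(host)) }
    # Assumption: the count key tracks how often this host was banned in 24 h.
    count = (memd.get("banned-host-count:#{host}", now: now) || 0) + 1
    memd.set("banned-host:#{host}", 1, BAN_SECONDS, false, now: now)
    memd.set("banned-host-count:#{host}", count, 86400, false, now: now)
    "banned #{host}: #{e['calls']} calls >= #{e['threshold']} (ban count #{count})"
  end
end

# Constructed sample records: time in epoch seconds.
def rec(time, host, method = "POST", uri = "/api/post")
  { time: time, host: host, method: method, uri: uri }
end
RECORDS = [0, 5, 9].flat_map { |t|
  [rec(t, "203.0.113.9"), rec(t, "192.168.1.20"), rec(t, "198.51.100.7", "GET")]
} + [rec(20, "198.51.100.8"), rec(70, "198.51.100.8"), rec(75, "198.51.100.8")]
```

Host 198.51.100.8 sends three POSTs but never three inside one batch window, so it is not reported; 192.168.1.20 is reported by the query and dropped by the whitelist.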