* Rich Kulawiec:
> On Sun, Sep 18, 2016 at 03:56:30PM +0200, Florian Weimer wrote:
>> * Rich Kulawiec:
>> > For example: if the average number of outbound SSH connections
>> > established per hour per host across all hosts behind CGNAT is 3.2,
>> > and you see a host making 1100/hour: that's a problem. It might be
>> > someone who botched a Perl script; or it might be a botted host
>> > trying to brute-force its way into something.
>> If you do this, you break Github.
> 1. I didn't know that: *how* does this break Github?
Github users create several orders of magnitude more SSH connections
than average users because the most convenient way to set up
read/write access is to use SSH. Depending on how you use Github, you
might update lots and lots of local repositories from Github at
certain times of the day.
> 2. This is just an *example* of how to use the technique. It's not
> meant to be literal. The general approach of determining the statistical
> characteristics of "normal" and then flagging things that are "way
> outside normal" works -- but of course it requires sufficient knowledge
> to account for things like Github usage and/or infrequent events and/or
> usage spikes triggered by real-world events, etc.
Sure, and people already do this, and are not very flexible about it.
Support staff isn't briefed, and claim they do such stochastic
behavior adjustment across all (server) products, which I find
difficult to believe.
I'm worried that this leads to a future where tunnelling everything
over HTTP(S) is no longer sufficient. You have to make it look like a
web server or browser, too. Everything else risks triggering
That's the anti-thesis of good protocol design.