Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add monitoring for common spam patterns #1678

Merged
merged 3 commits into from Apr 1, 2019

Conversation

Projects
None yet
4 participants
@sgrif
Copy link
Contributor

commented Mar 18, 2019

We've noticed some common patterns in recent spam attacks. While our
response time on these has been ok, we can look for some of these common
patterns and page whoever is on-call earlier than we'd otherwise notice.
The exact patterns we look for is considered sensitive information, and
thus not in the repo and should not be discussed publicly.

Note that I've opted to look for crates that are likely spam, rather
than volume. Volume is more likely to have false positives, and is
better handled by more aggressive rate limiting.

This assumes that we consider a spam attack to be something we always
want to page for. Since we have better coverage of someone watching
discord most hours, we could alternatively have this post in a private
channel, and let whoever is awake determine if it's worth paging over.

If someone does get paged, it's assumed that this will get resolved
either by them taking action to remove the crates, or if the crate is
legitimate, by updating the config vars to remove that pattern.

sgrif added some commits Mar 18, 2019

Add monitoring for common spam patterns
We've noticed some common patterns in recent spam attacks. While our
response time on these has been ok, we can look for some of these common
patterns and page whoever is on-call earlier than we'd otherwise notice.
The exact patterns we look for is considered sensitive information, and
thus not in the repo and should not be discussed publicly.

Note that I've opted to look for crates that are likely spam, rather
than volume. Volume is more likely to have false positives, and is
better handled by more aggressive rate limiting.

This assumes that we consider a spam attack to be something we always
want to page for. Since we have better coverage of someone watching
discord most hours, we could alternatively have this post in a private
channel, and let whoever is awake determine if it's worth paging over.

If someone does get paged, it's assumed that this will get resolved
either by them taking action to remove the crates, or if the crate is
legitimate, by updating the config vars to remove that pattern.
@carols10cents

This comment has been minimized.

Copy link
Member

commented Mar 21, 2019

Can you privately share the patterns you're thinking of setting these environment variables to initially?

@jtgeibel

This comment has been minimized.

Copy link
Member

commented Mar 22, 2019

What do you think about also adding a check to monitor the count of crates where created_at is within the last hour? If that number is high, say over 60, then we could alert as well. This could work along side the rate limiting, to catch people evading it with multiple accounts.

@jtgeibel

This comment has been minimized.

Copy link
Member

commented Apr 1, 2019

@bors r+

@bors

This comment has been minimized.

Copy link
Contributor

commented Apr 1, 2019

📌 Commit fb3da01 has been approved by jtgeibel

bors added a commit that referenced this pull request Apr 1, 2019

Auto merge of #1678 - sgrif:sg-monitor-spam, r=jtgeibel
Add monitoring for common spam patterns

We've noticed some common patterns in recent spam attacks. While our
response time on these has been ok, we can look for some of these common
patterns and page whoever is on-call earlier than we'd otherwise notice.
The exact patterns we look for is considered sensitive information, and
thus not in the repo and should not be discussed publicly.

Note that I've opted to look for crates that are likely spam, rather
than volume. Volume is more likely to have false positives, and is
better handled by more aggressive rate limiting.

This assumes that we consider a spam attack to be something we always
want to page for. Since we have better coverage of someone watching
discord most hours, we could alternatively have this post in a private
channel, and let whoever is awake determine if it's worth paging over.

If someone does get paged, it's assumed that this will get resolved
either by them taking action to remove the crates, or if the crate is
legitimate, by updating the config vars to remove that pattern.
@bors

This comment has been minimized.

Copy link
Contributor

commented Apr 1, 2019

⌛️ Testing commit fb3da01 with merge 44060f3...

@bors

This comment has been minimized.

Copy link
Contributor

commented Apr 1, 2019

☀️ Test successful - checks-travis
Approved by: jtgeibel
Pushing 44060f3 to master...

@bors bors merged commit fb3da01 into rust-lang:master Apr 1, 2019

2 checks passed

homu Test successful
Details
percy/crates.io Visual review automatically approved, no visual changes found.
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.