nanog mailing list archives

Re: PlayStationNetwork blocking of CGNAT public addresses


From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 18 Sep 2016 09:07:03 -0400

On Sun, Sep 18, 2016 at 01:30:52PM +0100, Tom Smyth wrote:
> 2) do some "canary in the mine" monitoring for obviously malicious traffic
> (loads of SMTP traffic outbound) and lots of connection requests to SSH
> servers ... if you see that traffic from behind your CGNAT device .. just
> temporarily block the internal IP of the user until they clean up their
> devices.

Seconded.  This is something I've recommended for years (decades, I suppose
by now).  Simple measurements of what's "normal" for your operation in
terms of connection rates, types, etc., are easy to make.  That in turn
enables measurements of what's abnormal and that in turn enables manual
or automatic actions.  For example: if the average number of outbound
SSH connections established per hour per host across all hosts behind CGNAT
is 3.2, and you see a host making 1100/hour: that's a problem.  It might be
someone who botched a Perl script; or it might be a botted host trying
to brute-force its way into something.

These kinds of measurements are relatively easy to make and don't require
invading user privacy.  They won't catch everything, of course, but they're
not intended to.  They may catch enough to solve the problem in front of
you at the moment *and*, if they do that, they may reduce the scope/scale
of the rest of the problems to make them more tractable via other techniques.

---rsk
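
As an added example (not code from the thread or from either poster), the rate-baseline check described above, run over constructed NetFlow-style records. The inside addresses, ports and counts are synthetic; the runaway figure of 1100 SSH connections in one hour mirrors the message.

```python
from collections import Counter
from statistics import median

SSH, SMTP = 22, 25

def constructed_flows():
    """Synthetic records (inside_host, dst_port, hour), constructed for this
    example; a CGNAT operator would feed real flow export here instead."""
    flows = []
    for n in range(1, 11):                              # ten ordinary subscribers
        host = f"10.64.0.{n}"
        for hour in range(24):
            flows += [(host, SSH, hour)] * (3 + n % 2)  # 3-4 SSH connections/hour
            flows += [(host, SMTP, hour)]               # one mail submission/hour
    flows += [("10.64.0.200", SSH, 14)] * 1100          # one runaway host at 14:00
    return flows

def hourly_counts(flows, port):
    """Outbound connections per (inside_host, hour) toward one destination port."""
    return Counter((host, hour) for host, p, hour in flows if p == port)

def normal_rate(counts):
    """Fleet-wide 'normal' per-host-hour count. Median rather than mean, so a
    single runaway host cannot drag the baseline toward itself."""
    return median(counts.values()) if counts else 0

def outliers(counts, factor=10.0):
    """Host-hours exceeding `factor` times the normal rate, worst first.
    Returns [(host, hour, count), ...]; what to do about them is a policy
    decision (ticket, rate-limit, temporary block of the inside address)."""
    threshold = factor * normal_rate(counts)
    hits = [(h, hr, n) for (h, hr), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda t: -t[2])

if __name__ == "__main__":
    flows = constructed_flows()
    for name, port in (("SSH", SSH), ("SMTP", SMTP)):
        counts = hourly_counts(flows, port)
        print(f"{name}: normal {normal_rate(counts)}/host/hour, "
              f"outliers {outliers(counts)}")
```

The same two functions serve the SMTP case from the quoted post; only the port argument changes.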
