@cR0w @jerry for this circumstance, the right infrastructure is "just logging". So long as the logs contain things like source IP, user they tried to auth as, user agent, and timestamp - just those alone, across a few hundred million lines of log data, will show you way more than you expect.
@Viss @cR0w It's a good idea for a project. I'll have to see if there is a way to get Fastly to create logs that contain that sort of information, else I'll have to join up a few different sources.
@jerry @cR0w dm me if you want pointers/intel/help
@jerry @Viss @cR0w if you have the time and are willing to spend it on such a project, you could consider reaching out to @NGIZero: they give grants to open source projects that make the internet a better place!
@jerry @Viss @cR0w
The key insight is to find your login failure to success ratio; it remains remarkably steady (with the exception of holidays, e.g. Christmas). If the failure rate goes above this ratio, you're under attack. This enables you to window expensive algorithms to that timeframe; it could be days or weeks, with overlapping attacks, but it helps with analyzing data.
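The approach sketched across this thread (log source IP, user, user agent and timestamp; baseline the failure:success ratio per time window; run the expensive per-IP and per-user breakdown only inside windows that exceed the baseline) as a worked example. This is added illustration code, not code from any poster in the thread; it assumes a constructed tab-separated log format and uses a synthetic log with one credential-stuffing burst, both built inline here rather than taken from any real system.

```python
"""Baseline the login failure:success ratio per window, flag windows that
exceed it, and only then run the per-IP / per-user breakdown on those windows.
All log lines below are constructed sample data, not real logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed (constructed) log format: "ISO-timestamp\tsrc_ip\tuser\tresult\tuser_agent"
def build_sample_log() -> list:
    lines = []
    start = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)
    for hour in range(6):
        base = start + timedelta(hours=hour)
        # normal traffic every hour: 50 successes and 5 failures from varied client IPs
        for i in range(50):
            ts = base + timedelta(minutes=i)
            lines.append(f"{ts.isoformat()}\t10.0.{i % 7}.{i}\tuser{i % 20}\tSUCCESS\tMozilla/5.0")
        for i in range(5):
            ts = base + timedelta(minutes=10 * i)
            lines.append(f"{ts.isoformat()}\t10.0.9.{i}\tuser{i}\tFAILURE\tMozilla/5.0")
        if hour == 3:
            # constructed burst: 3 source IPs, 400 failures, 400 distinct usernames
            for i in range(400):
                ts = base + timedelta(seconds=9 * i)
                lines.append(f"{ts.isoformat()}\t198.51.100.{i % 3}\tuser{i}\tFAILURE\tpython-requests/2.31")
    return lines

def parse_line(line: str) -> dict:
    ts, src_ip, user, result, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": datetime.fromisoformat(ts), "src_ip": src_ip, "user": user,
            "result": result, "ua": ua}

def window_of(ts: datetime, minutes: int = 60) -> datetime:
    # floor the timestamp to the start of its window (same date, zeroed seconds)
    floor = (ts.hour * 60 + ts.minute) // minutes * minutes
    return ts.replace(hour=floor // 60, minute=floor % 60, second=0, microsecond=0)

def ratios_per_window(events, minutes: int = 60) -> dict:
    counts = defaultdict(lambda: {"fail": 0, "ok": 0})
    for e in events:
        counts[window_of(e["ts"], minutes)]["fail" if e["result"] == "FAILURE" else "ok"] += 1
    # ratio = failures / successes; max(ok, 1) keeps a window with zero successes finite
    return {w: (c["fail"], c["ok"], c["fail"] / max(c["ok"], 1)) for w, c in counts.items()}

def baseline_ratio(ratios: dict) -> float:
    # median, not mean: one attack window cannot drag the baseline up with it
    return median(r for _, _, r in ratios.values())

def flag_windows(ratios: dict, baseline: float, factor: float = 3.0) -> list:
    return sorted(w for w, (_, _, r) in ratios.items() if r > baseline * factor)

def breakdown(events, window: datetime, minutes: int = 60, top: int = 3) -> dict:
    # the "expensive" pass: restricted to failures inside the flagged window only
    fails = [e for e in events
             if e["result"] == "FAILURE" and window_of(e["ts"], minutes) == window]
    return {"top_src_ips": Counter(e["src_ip"] for e in fails).most_common(top),
            "top_user_agents": Counter(e["ua"] for e in fails).most_common(top),
            "distinct_users": len({e["user"] for e in fails})}

def analyze(lines, minutes: int = 60, factor: float = 3.0) -> dict:
    events = [parse_line(l) for l in lines]
    ratios = ratios_per_window(events, minutes)
    base = baseline_ratio(ratios)
    flagged = flag_windows(ratios, base, factor)
    return {"baseline": base, "ratios": ratios, "flagged": flagged,
            "details": {w: breakdown(events, w, minutes) for w in flagged}}

if __name__ == "__main__":
    report = analyze(build_sample_log())
    print(f"baseline failure:success ratio = {report['baseline']:.2f}")
    for w in report["flagged"]:
        fail, ok, r = report["ratios"][w]
        print(f"{w.isoformat()}  fail={fail} ok={ok} ratio={r:.1f}  {report['details'][w]}")
```

The threshold `factor` and the window size are the two knobs a practitioner tunes against their own history; the holiday caveat from the post shows up here as a baseline that should be recomputed from recent quiet windows rather than fixed once. Because the breakdown only touches events in flagged windows, the per-IP and per-user counting scales with the size of the attack rather than with the full log.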