undefined | Better HN

0 pointsjhinra7y ago0 comments

I think 90% is high for a few reasons:

1) Rate limiting of login attempts takes a bite out of the large numbers you're talking about. If we are only looking at retail companies without rate limiting, well, duh, I guess >90% makes sense, but I expect a large portion of the global e-commerce retail segment _does_ employ rate limiting of logins.

2) The report lists, "Averages derived from customers’ login traffic before Shape Enterprise Defense was deployed on login applications" - so this is absolutely a biased sample. These are clients that signed up for help stopping this problem.

3) It bugs me how ambiguous the report is about how they aggregate to 90%. I worry it's a simple [total fraudulent logins] / [total login attempts] across all their client retailers, which will be heavily biased by the retailers that don't have login limiting, and doesn't really describe the situation. A much better number I'd like is the median percentage of fraudulent logins attempts across retailers.

0 comments

jsoverson7y ago

1) Proxies and botnets obscure origin and make attacks appear globally distributed so basic rate limiting has little effect on these attacks.

2) Extrapolated averages on incomplete data are certainly suspect, they are meant to be taken with a grain of salt and are most applicable to people in the affected industries for them to validate against their own data. FWIW The highest percentage of malicious, automated traffic that I've seen has been 99% which, yes, is crazy and should sound unbelievable.

3) Noted, definitely. It is certainly a tough number to nail down because it is very dependent on all the things you mention. I trust our data because we've been at this the longest, were the earliest, and we see a lot of the unadulterated attack traffic that has gotten through many existing defenses so we see the stark difference on day one.

Disclaimer: I contributed to the report in question (but was not consulted or related to the posted article)

thunfischbrot7y ago

Most legitimate users will also not have to log in each time they visit, making the ratio even less surprising.

ggggtez7y ago

I think an important thing is that you should consider that attackers will log in at the maximum rate limit allowed. The traffic may even be greater than the rate limit, and they'll have some requests dropped by the server. But it still represents and attempted login regardless.

So, yes, even with rate limiting, you can still easily hit 99% fradulent attempts. Obviously you'd be foolish to actually process all of those, and likely the attackers would realize they were rate limited and would slow down for their own best interest, but it's not a guarantee that they actually do obey the rate limit.

j / k navigate · click thread line to collapse