Vlákno názorů k článku CrowdSec: chraňte své servery a pomáhejte tvořit reputaci IP adres od Zdenek - - Jak chtějí zařídit, aby útočník neposlal do centrální...

Jak chtějí zařídit, aby útočník neposlal do centrální databáze falešnou stížnost na napadení z adresy root.cz? Kdokoliv se může zapojit, tedy falešných stěžovatelů může být řada. A nejde jen o zombie počítače, úplně stačí poskytovatel bez kontroly zdrojové IP.

Good point.

Every network member sharing his signals gets a trust rank (TR). By consistently sending valuable and accurate information back, the TR gets better over time. A daemon reporting for months, with 100% accuracy, valuable information will eventually reach the maximum TR. Feeding the system with wrong information would result in a severe and immediate loss of TR. This mechanism is made to avoid poisoning.

All TR can partake in the consensus, but only the highest TR rank can publish to the database without needing validation from our own honeypot network. It nevertheless has to pass the test of the Canary list, meaning the IP reported shouldn’t be one of the canary. Canaries are in fact whitelisted IP, known to be trustworthy, like the Google bot, Microsoft updates, etc. If a scenario is too sensitive or twitchy, it might shoot a canary. This mechanism is made to avoid false positives.