FXA Account Creation Abuse Detection
Tracks the time between account creation request per IP address.
1. Sample Configuration
filename = 'fxa_abuse.lua'
message_matcher = "Type == 'logging.fxa.auth_server.nginx.access' && Fields[request] =~ '^POST /v1/account/create'"
ticker_interval = 60
preserve_data = true
message_variable = "Fields[http_x_forwarded_for]"
-- max_items = 25000 -- maximum number of unique items to track
alert = {
disabled = false,
prefix = true,
throttle = 5,
modules = {
email = {recipients = {"trink@mozilla.com"}},
},
thresholds = {
min_count = 200, -- minimun number of entries before triggering an alert (default 50)
-- max_mean = 1.0 -- maximum average amount of time, in seconds, between requests that is considered abusive
}
}
source code: fxa_abuse.lua