Identity/Firefox Accounts/Fraud and abuse

From MozillaWiki

At the moment, the main component of our fraud & abuse detection and mitigation strategy is the Customs Server. This is similar to the approach taken by the old version of Sync.

However, all logs sent to Heka are also forwarded to MozDef.

Customs Server

Heka

An instance of Heka runs on each service and sends data to an aggregator, which runs these filters.

The following abuse alerts are defined:

and are implemented in a single filter.

For an alert to be triggered, we need to see at least alert_min_count attempts with, on average, at most alert_max_mean seconds between them. If the number of attempts reaches alert_min_count but the average time between them exceeds alert_max_mean, they will be displayed (on production) in these tables:

For the other FxA filters, Heka uses these statistical algorithms:

  • roc: compares the rate of change of the previous 15-minute period with that of the current one, and alerts when it exceeds 1.5 standard deviations
  • mww_nonparametric: looks for constant output (0.5) and detects significant decreases (e.g. 0.1) or increases (e.g. 0.9)
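The alert_min_count / alert_max_mean rule described above, as an added Python example; it is not the Heka filter itself or any code from the project. The threshold values, the choice of source IP as the grouping key, the sample events and the labels "alert", "display" and "ignore" are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed values: the page names these settings but gives no numbers.
ALERT_MIN_COUNT = 5    # alert_min_count: minimum number of attempts
ALERT_MAX_MEAN = 2.0   # alert_max_mean: maximum mean gap between attempts (seconds)

# Constructed sample events: (unix timestamp in seconds, grouping key).
# Grouping by source IP is an assumption; the page does not name the key.
SAMPLE_EVENTS = [
    (1000.0, "192.0.2.10"), (1001.0, "192.0.2.10"), (1001.5, "192.0.2.10"),
    (1003.0, "192.0.2.10"), (1004.0, "192.0.2.10"),        # 5 attempts, mean gap 1 s
    (1000.0, "198.51.100.7"), (1060.0, "198.51.100.7"), (1120.0, "198.51.100.7"),
    (1180.0, "198.51.100.7"), (1240.0, "198.51.100.7"),    # 5 attempts, mean gap 60 s
    (1000.0, "203.0.113.3"), (1000.2, "203.0.113.3"),      # fast, but only 2 attempts
]

def mean_gap(timestamps):
    """Mean seconds between consecutive attempts, or None with fewer than two.

    Timestamps are sorted first because aggregated logs can arrive out of order.
    The mean of consecutive gaps equals (last - first) / (n - 1).
    """
    ts = sorted(timestamps)
    if len(ts) < 2:
        return None
    return (ts[-1] - ts[0]) / (len(ts) - 1)

def classify(events, min_count=ALERT_MIN_COUNT, max_mean=ALERT_MAX_MEAN):
    """Map each key to 'alert', 'display' or 'ignore' under the rule above."""
    by_key = defaultdict(list)
    for ts, key in events:
        by_key[key].append(ts)
    result = {}
    for key, stamps in by_key.items():
        gap = mean_gap(stamps)
        if len(stamps) < min_count or gap is None:
            result[key] = "ignore"    # too few attempts to evaluate
        elif gap <= max_mean:
            result[key] = "alert"     # enough attempts, close together
        else:
            result[key] = "display"   # enough attempts, but spread out
    return result

if __name__ == "__main__":
    for key, verdict in sorted(classify(SAMPLE_EVENTS).items()):
        print(key, verdict)
```
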

Related docs