Create mitigations for account creation spam attack [public task]
Open, Needs TriagePublic

Description

At this time we have a rogue external bot creating 10000 of accounts an hour, primarily at mediawikiwiki If we could see if we lower the throttle to one account per IP address to see if this reduces the impact. If there was a means to even turn off API creations for mediawikiwiki that would be helpful.

We have a temporary abusefilter in place that is inhibiting much account creation
https://meta.wikimedia.org/wiki/Special:AbuseFilter/195
though we are not able to write a really sweet filter for the usernames in use. We have edged back to a somewhat conservative filter that has a bit of leakage, though looks to be allowing the good accounts through.

I have a message about the abuse filter at https://meta.wikimedia.org/w/index.php?title=Stewards%27_noticeboard

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFri, Dec 28, 2:24 PM
Billinghurst updated the task description. (Show Details)Fri, Dec 28, 2:29 PM
Billinghurst updated the task description. (Show Details)
Nemo_bis added a subscriber: Nemo_bis.EditedFri, Dec 28, 2:32 PM

Without checking what IP addresses are being used, there is no reason to think this would help anything. From the looks of it, they have thousands of IP addresses to use for this.
https://grafana.wikimedia.org/d/000000004/authentication-metrics?orgId=1&from=1545955201000&to=1546041540000&var-entrypoint=*

A simple sysop-level range block may be more effective, and as a local administrator I would vastly prefer it.

Update: here are some example IP addresses, courtesy Billinghurst and abusefilter blocks:
https://www.mediawiki.org/w/index.php?title=Special:Log&offset=20181228134634&limit=200&type=block&user=

Mentioned in SAL (#wikimedia-operations) [2018-12-28T15:28:05Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: Attempt to adjust captcha settings for T212667 (duration: 00m 46s)

Mentioned in SAL (#wikimedia-operations) [2018-12-28T15:28:05Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: Attempt to adjust captcha settings for T212667 (duration: 00m 46s)

So it appears that the spammer is making many wrong guesses at captchas, before hitting the right one. So i tried to adjust captcha settings to be more strict. I'm not sure if that will really help anything though. Thought it was worth a shot.

Masti added a subscriber: Masti.Fri, Dec 28, 3:31 PM
Stryn added a subscriber: Stryn.Fri, Dec 28, 3:59 PM

The bot keeps trying hard at https://www.mediawiki.org/w/index.php?title=Special:AbuseLog. We should watch the filter so it doesn't get autothrottled and disabled for too many hits in a short timespan.

Mentioned in SAL (#wikimedia-operations) [2018-12-28T18:02:04Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: T212667 - adjust account creation (duration: 00m 47s)

Change 481528 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Temporary remove AbuseFilter autoshutoff for mediawikiwiki

https://gerrit.wikimedia.org/r/481528

Change 481528 merged by jenkins-bot:
[operations/mediawiki-config@master] Temporary remove AbuseFilter autoshutoff for mediawikiwiki

https://gerrit.wikimedia.org/r/481528

Mentioned in SAL (#wikimedia-operations) [2018-12-28T18:14:50Z] <bawolff@deploy1001> Synchronized wmf-config/InitialiseSettings.php: 97446843a27 T212667 - Temp increase abusefilter emergency cutoff on mw.org to deal with spam attack (duration: 00m 46s)

@Billinghurst To add subscribers to tasks in the future, I recommend going "Add Action" (above the comment box) -> "Change Subscribers", Instead of creating a whole comment.

Mentioned in SAL (#wikimedia-operations) [2018-12-29T12:34:57Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: T212667 - make spam mitigation global (duration: 00m 49s)

Change 481543 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Amend mediawiki AbuseFilter configuration

https://gerrit.wikimedia.org/r/481543

Change 481543 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Amend mediawiki AbuseFilter configuration

https://gerrit.wikimedia.org/r/481543

This patch sets the same AF configuration used at Meta-Wiki. To be merged when it is safe to re-throttle filters again.

Mentioned in SAL (#wikimedia-operations) [2018-12-29T13:30:23Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: T212667 - adjust spam block (duration: 00m 44s)

Bawolff renamed this task from Emergency measure: Set wgAccountCreationThrottle => 2 to Create mitigations for account creation spam attack [public task].
1997kB added a subscriber: 1997kB.Sat, Dec 29, 2:11 PM

Change 481546 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[operations/mediawiki-config@master] Temporary increase account creation

https://gerrit.wikimedia.org/r/481546

Change 481546 merged by jenkins-bot:
[operations/mediawiki-config@master] Temporary make account creation limits more restrictive

https://gerrit.wikimedia.org/r/481546

Mentioned in SAL (#wikimedia-operations) [2018-12-29T14:30:23Z] <bawolff@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T212667 fe72284c Adjust account throttle limits (duration: 00m 46s)

Change 481543 merged by jenkins-bot:
[operations/mediawiki-config@master] Amend mediawiki AbuseFilter configuration

https://gerrit.wikimedia.org/r/481543

Mentioned in SAL (#wikimedia-operations) [2018-12-29T14:53:50Z] <bawolff@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T212667 218371fd35 - Adjust mw.org abusefilter emergency shutoff threshold down to 0.3 (duration: 00m 46s)

Mentioned in SAL (#wikimedia-operations) [2018-12-30T02:07:32Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: fine-tune antispam measure T212667 (duration: 00m 47s)

Mentioned in SAL (#wikimedia-operations) [2019-01-04T15:42:14Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: T212667 - More aggressive anti-spam measures for account creation on kowiki (duration: 00m 48s)