What happened
- Port scanning is a common part of network-based exploits, and so many server hosts prohibit using them for port scanning. Hetzner, where our donated mybinder.org lives, is one such host.
- They had been sending us abuse notices for end users sometimes exhibiting port-scanner-like activity (even if not port scanning), and if we don't respond to abuse notices on time, our servers get locked, reducing mybinder.org capacity and reliability.
- We developed "Add a tcp flow based process killer" (cryptnono/cryptnono#46) in the cryptnono project (our antiabuse set of tools) to kill processes automatically that exhibit port scanning behavior, thus reducing the likelihood of us triggering our server host's abuse policies.
- This has been finally deployed to mybinder.org now ("Enable tcpflowkiller", jupyterhub/mybinder.org-deploy#3436), with help from https://github.com/rgaiacs (from GESIS).
- We may roll this out to 2i2c public binderhubs in the future based on patterns we observe
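An added illustration of the flow-based heuristic described above (example code written for this page, not cryptnono's own implementation): it counts the distinct (destination IP, port) targets each process contacts inside a sliding time window and reports the PIDs that exceed a threshold, which is the decision a process killer would act on. The `Flow` record layout, the window and threshold values, and the sample flows are all constructed assumptions.

```python
"""Toy flow-based port-scan detector (added illustration, not cryptnono's code).

Assumptions (not from the issue): each TCP connection attempt is reported as a
flow record (timestamp, pid, dst_ip, dst_port); a process that contacts more
than MAX_DISTINCT_TARGETS distinct (dst_ip, dst_port) pairs within a sliding
window of WINDOW_SECONDS is treated as scanner-like.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since some epoch
    pid: int         # process that opened the connection
    dst_ip: str
    dst_port: int


WINDOW_SECONDS = 10.0        # constructed value
MAX_DISTINCT_TARGETS = 20    # constructed value


class FlowScanDetector:
    """Keeps, per PID, the flows seen inside the window and checks target spread."""

    def __init__(self, window=WINDOW_SECONDS, max_targets=MAX_DISTINCT_TARGETS):
        self.window = window
        self.max_targets = max_targets
        self._recent = defaultdict(deque)   # pid -> deque of (ts, (ip, port))

    def observe(self, flow):
        """Record one flow; return True if its PID now looks scanner-like."""
        q = self._recent[flow.pid]
        q.append((flow.ts, (flow.dst_ip, flow.dst_port)))
        while q and flow.ts - q[0][0] > self.window:   # expire old flows
            q.popleft()
        distinct_targets = {target for _, target in q}
        return len(distinct_targets) > self.max_targets


def pids_to_kill(flows, detector=None):
    """Replay flows in time order and return the PIDs that tripped the detector."""
    det = detector or FlowScanDetector()
    return {f.pid for f in sorted(flows, key=lambda f: f.ts) if det.observe(f)}


# Constructed sample: pid 100 is a normal client repeatedly reaching one service
# (many flows, one target); pid 200 sweeps ports 1..40 on one host in 4 seconds.
SAMPLE_FLOWS = (
    [Flow(ts=i * 0.5, pid=100, dst_ip="10.0.0.5", dst_port=443) for i in range(60)]
    + [Flow(ts=i * 0.1, pid=200, dst_ip="10.0.0.9", dst_port=p)
       for i, p in enumerate(range(1, 41))]
)
```

Running `pids_to_kill(SAMPLE_FLOWS)` yields `{200}`: the chatty but single-target client is never flagged, while the sweep trips the threshold at its 21st distinct port.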
Any pull quotes?
Why is it valuable
- As providers of public compute, it's our responsibility to do what we can to make sure people can't use our infrastructure to abuse others. This is part of us being responsible citizens of the internet.
- Hetzner and hosts like that have many benefits (link to our earlier blog post), and tools like this help keep hubs and binders running fine on such hosts as they have different abuse policies than the big commercial cloud providers
- AWS and other tools have proprietary ways to combat abuse (like AWS GuardDuty). We (2i2c) could have spent our time investing in developing rules there. Instead, contributing to cryptnono helps provide the same set of features in a cloud agnostic way, in line with our principles (link to appropriate principles?)
Links to learn more
- Link A
- Link B