Ssssh.... If you tell everyone that's what you do, people will just rename the binary...
The trick to protections like this is to not tell anyone how they work, and to run them only occasionally. I.e. once a week, ban half of users who are running xmrig.exe. Also include users who signed up with the same email address, phone number or IP address as the detected users and who have consistently high CPU use - these are probably successful bypasses of your simple process name based filter.
That way bad actors have a very hard time figuring out exactly what your protections are or how they work. If they were to get an immediate ban as soon as they fired up xmrig.exe, then they'd quickly think to rename it or recompile it or run it under wine or a host of other ideas. Yet having a random selection of their accounts banned seemingly at random means they learn nothing.
Obviously you need a process for users accidentally caught in the net to get their accounts reactivated, and if you're a service like GitHub you should probably let the user have a grace period to do that before killing their entire business...
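A sketch of the sampled ban described in the comment above, as an added example that is not the commenter's code and not any provider's real implementation. The process-name signature list, the CPU thresholds, the identifier types and the six sample accounts are all constructed assumptions; the point it shows is the three stages (naive process-name hits, expansion over shared signup identifiers gated on sustained CPU use, then a random half of the combined set), and the one pitfall a practitioner hits first: an empty identifier field must not link accounts.

```python
import math
import random
from dataclasses import dataclass

# Assumptions (not from the thread): process names treated as miner signatures,
# and what counts as "consistently high" CPU use.
MINER_NAMES = {"xmrig.exe", "xmrig"}
HIGH_CPU_THRESHOLD = 0.80   # a sampling interval at >= 80% CPU counts as "hot"
HIGH_CPU_FRACTION = 0.90    # "consistently high" = >= 90% of intervals are hot


@dataclass(frozen=True)
class Account:
    id: str
    email: str
    phone: str            # may be empty for accounts that never verified a phone
    ip: str
    processes: frozenset  # process names observed on the account's runner
    cpu_samples: tuple    # CPU utilisation per sampling interval, 0.0..1.0


def direct_hits(accounts):
    """Accounts caught by the naive process-name filter."""
    return {a.id for a in accounts if a.processes & MINER_NAMES}


def consistently_high_cpu(acct):
    if not acct.cpu_samples:
        return False
    hot = sum(1 for s in acct.cpu_samples if s >= HIGH_CPU_THRESHOLD)
    return hot / len(acct.cpu_samples) >= HIGH_CPU_FRACTION


def identity_keys(acct):
    """Signup identifiers that link accounts. Empty values are skipped:
    an empty phone field would otherwise link every unverified account."""
    keys = set()
    for kind, value in (("email", acct.email), ("phone", acct.phone), ("ip", acct.ip)):
        if value:
            keys.add((kind, value))
    return keys


def linked_suspects(accounts, hits):
    """Accounts that share an identifier with a direct hit and also burn CPU
    all day: likely the same operator running a renamed or recompiled miner."""
    by_id = {a.id: a for a in accounts}
    hit_keys = set()
    for hid in hits:
        hit_keys |= identity_keys(by_id[hid])
    return {
        a.id for a in accounts
        if a.id not in hits
        and identity_keys(a) & hit_keys
        and consistently_high_cpu(a)
    }


def weekly_ban_batch(accounts, seed, fraction=0.5):
    """Ban a random `fraction` of the suspect set. `seed` stands in for the
    week's secret draw; a fixed seed only makes the example reproducible."""
    hits = direct_hits(accounts)
    suspects = sorted(hits | linked_suspects(accounts, hits))
    k = math.ceil(len(suspects) * fraction)
    rng = random.Random(seed)
    return sorted(rng.sample(suspects, k))


# Constructed sample: six accounts on a hypothetical free CI/compute service.
SAMPLE_ACCOUNTS = [
    Account("a1", "miner@example.com", "+15550001", "10.0.0.1",
            frozenset({"bash", "xmrig.exe"}), (0.97, 0.98, 0.99, 0.98)),
    # same IP as a1, miner renamed to look like a system process, pegged CPU
    Account("a2", "other@example.com", "", "10.0.0.1",
            frozenset({"bash", "svchost.exe"}), (0.96, 0.99, 0.97, 0.98)),
    # shares a1's e-mail but is idle most of the time: probably a legitimate second account
    Account("a3", "miner@example.com", "", "10.0.0.9",
            frozenset({"bash", "node"}), (0.05, 0.10, 0.95, 0.08)),
    Account("a4", "b@example.net", "+15550002", "10.0.0.2",
            frozenset({"xmrig"}), (0.99, 0.99, 0.99, 0.99)),
    # unrelated account that happens to run hot builds: no shared identifier, left alone
    Account("a5", "dev@example.org", "+15550003", "10.0.0.3",
            frozenset({"make", "cc1"}), (0.95, 0.97, 0.96, 0.98)),
    # shares a4's phone number, recompiled miner under another name, pegged CPU
    Account("a6", "c@example.net", "+15550002", "10.0.0.6",
            frozenset({"python3"}), (0.93, 0.99, 0.97, 0.95)),
]

if __name__ == "__main__":
    print("direct hits:", sorted(direct_hits(SAMPLE_ACCOUNTS)))
    print("this week's bans:", weekly_ban_batch(SAMPLE_ACCOUNTS, seed=2024))
```

On the sample, a1 and a4 are direct hits, a2 and a6 are pulled in through the shared IP and phone number plus sustained CPU, a3 is excluded because it is idle most of the time, and a5 is never considered because it shares nothing with a hit. The seed for a real run should come from a secret source of randomness per sweep, otherwise an abuser who knows the schedule can predict which of their accounts survive; the a3 case is exactly the kind of account the reactivation process from the comment has to serve.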
So if you only ban half of illegitimate accounts once a week, does this mean I just need to launch my mining code registration scripts also once a week, ideally just after I see some of my accounts have been banned?
And doing this will get me a full week of free mining on half my miners (if I'm the only one in the world pursuing this strategy) or most of my miners if the banning campaign is capped and also hits other abusers? It sounds like a great deal, honestly.
For most places you can get free compute power, a week's mining revenue might only be a few cents.
As long as the account sign-up process requires a captcha or phone number for the most spam-like signups, you'll keep their profits low enough to deter most people.
Good luck finding that post and linking it to the provider. That set aside, except for DDoS defense, we've run into no problems at all when talking very openly about how we operate. Seems naive at first glance, but we've had a good 10+ year run (so far!). Works for us, might not for others.
> Good luck finding that post and linking it to the provider.
No need to link it to the provider. If one provider does things that way, you want to block their method. (And, of course, the odds are overwhelming that the other providers are doing the same thing.)
It seems like a Whois search about the domain that's in your Hacker News profile yields lots of interesting information. Your previous comments seem to indicate that's a provider you work for. Maybe it's not related though. Or maybe it's just a way of doing PR. I know nothing.