OCLC EZproxy security rules explained


Answer

OCLC worked with various database vendors to develop these rules, which are designed to reflect what is generally considered "normal usage." However, the rules are flexible and can be adjusted to either tighten or relax the limits, depending on your specific requirements.


The OCLC EZproxy security rules are designed to monitor and control various aspects of traffic, usage patterns, and potential abuse within an EZproxy environment. Each rule tracks specific metrics (such as bandwidth usage, login attempts, or downloads) over set time frames, then takes action like logging or blocking when thresholds are exceeded. Below is a breakdown of each rule:


1. EnforceOCLCByteLimit if bytes_transferred over 2000000000 per 60 then block
What it does: This rule blocks users if they transfer more than 2 GB (2,000,000,000 bytes) within a 60-minute window.
Purpose: To prevent excessive data consumption or potential abuse, like large-scale data scraping.

2. OCLCByteLimit1G if bytes_transferred over 1000000000 per 60 then log
What it does: Logs a warning if a user transfers more than 1 GB (1,000,000,000 bytes) within a 60-minute period.
Purpose: This is a monitoring rule that flags high data transfers, potentially indicating large file downloads or heavy usage, without blocking the user.

3. OCLCCountryLimit if country over 2 per 1440 then log
What it does: Logs an event if a user accesses EZproxy from more than two different countries within a 24-hour period (1440 minutes).
Purpose: To detect unusual behavior, such as account sharing or a compromised account being used from multiple countries.

4. EnforceOCLCCountryLimit if country over 4 per 1440 then block
What it does: Blocks a user if they are detected accessing from more than four different countries within a 24-hour window.
Purpose: Enforces stricter control over geographically inconsistent access, which could indicate a compromised account.

5. OCLCLoginFailureLimit if login_failure over 10 per 60 then log
What it does: Logs an event if a user experiences more than 10 login failures within a 60-minute window.
Purpose: Tracks failed login attempts, potentially detecting brute-force attacks or credential misuse without blocking the user.

6. EnforceOCLCIPLImit if network_address over 20 per 60 then block
What it does: Blocks a user if their IP address changes more than 20 times within a 60-minute period.
Purpose: Rapid IP address changes may indicate VPN usage or an attempt to hide the user's location, possibly pointing to suspicious activity.

7. OCLCIPLimit10day if network_address over 10 per 1440 then log
What it does: Logs an event if a user changes their IP address more than 10 times within a 24-hour period.
Purpose: A softer control to log IP changes and monitor unusual behavior or proxy hopping, without blocking access.

8. OCLCIPLimit10 if network_address over 10 per 60 then log
What it does: Logs an event if a user's IP address changes more than 10 times within a 60-minute period.
Purpose: This rule tracks frequent IP changes, which might indicate an attempt to evade geographic or usage limits.

9. OCLCPDFByteLimit if pdf_bytes_transferred over 500000000 per 60 then log
What it does: Logs an event if a user transfers more than 500 MB of PDF files within a 60-minute window.
Purpose: Monitors large-scale PDF downloads, possibly indicating mass downloading of articles or books.

10. OCLCPDFByteLimitlong if pdf_bytes_transferred over 500000000 per 1440 then log
What it does: Logs an event if a user transfers more than 500 MB of PDF files within a 24-hour period.
Purpose: Similar to the previous rule, but over a longer time frame to monitor sustained large PDF downloads.

11. OCLCPDFLimit2 if pdf_download over 150 per 60 then log
What it does: Logs an event if a user downloads more than 150 PDFs within a 60-minute window.
Purpose: Tracks unusually high volumes of PDF downloads in a short time, which may indicate abuse or excessive downloading of library resources.

12. OCLCPDFLimitshort if pdf_download over 50 per 5 then log
What it does: Logs an event if a user downloads more than 50 PDFs within a 5-minute window.
Purpose: A short-term rule for detecting burst PDF downloads, which may suggest automated tools are being used to scrape content.

13. OCLCPDFLimitlong if pdf_download over 300 per 1440 then log
What it does: Logs an event if a user downloads more than 300 PDFs in a 24-hour window.
Purpose: Designed to detect heavy downloading of PDF documents over the course of a day.
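To make the "metric over threshold per minutes then action" pattern concrete, the following is an added example written for this page; it is not OCLC's code and not part of EZproxy. It parses rule lines exactly as they appear above, then replays constructed sample traffic for two hypothetical users ("alice" and "bob") through each rule's time window and records which rules log and which block. Everything about how the windows are evaluated is an assumption of this example rather than documented EZproxy behaviour: windows are treated as sliding, byte metrics are summed, pdf_download and login_failure count events, and country and network_address count distinct values seen within the window.

```python
"""Added illustration, not OCLC code: parse EZproxy-style security rule lines
and replay constructed per-user events through each rule's time window.

Assumptions made here that the page does not state: windows are sliding,
byte metrics are summed, pdf_download / login_failure count events, and
country / network_address count distinct values seen in the window.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass

# <name> if <metric> over <threshold> per <minutes> then <log|block>
RULE_RE = re.compile(
    r"^(?P<name>\S+)\s+if\s+(?P<metric>\w+)\s+over\s+(?P<threshold>\d+)"
    r"\s+per\s+(?P<minutes>\d+)\s+then\s+(?P<action>log|block)$"
)
SUM_METRICS = {"bytes_transferred", "pdf_bytes_transferred"}
DISTINCT_METRICS = {"country", "network_address"}
COUNT_METRICS = {"pdf_download", "login_failure"}


@dataclass(frozen=True)
class Rule:
    name: str
    metric: str
    threshold: int
    minutes: int
    action: str


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the form shown on the page; reject anything else."""
    m = RULE_RE.match(line.strip())
    if not m or m["metric"] not in SUM_METRICS | DISTINCT_METRICS | COUNT_METRICS:
        raise ValueError(f"unparseable or unknown-metric rule: {line!r}")
    return Rule(m["name"], m["metric"], int(m["threshold"]), int(m["minutes"]), m["action"])


@dataclass(frozen=True)
class Event:
    user: str
    minute: int            # constructed clock: minutes since replay start
    metric: str
    value: int | str = 1   # byte count for sum metrics, country/IP for distinct ones


class RuleEngine:
    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        self.windows: dict[tuple[str, str], deque] = defaultdict(deque)  # (rule, user) -> samples
        self.active: set[tuple[str, str]] = set()  # (rule, user) pairs currently over threshold
        self.blocked: set[str] = set()
        self.alerts: list[tuple[str, str, str, int, int]] = []  # rule, action, user, minute, observed

    @staticmethod
    def _observed(rule: Rule, win: deque) -> int:
        if rule.metric in SUM_METRICS:
            return sum(v for _, v in win)
        if rule.metric in DISTINCT_METRICS:
            return len({v for _, v in win})
        return len(win)

    def feed(self, ev: Event) -> list[tuple[str, str, int]]:
        """Apply every rule that watches this event's metric; return what fired."""
        fired: list[tuple[str, str, int]] = []
        if ev.user in self.blocked:  # a blocked user's traffic is no longer evaluated
            return fired
        for rule in self.rules:
            if rule.metric != ev.metric:
                continue
            key = (rule.name, ev.user)
            win = self.windows[key]
            win.append((ev.minute, ev.value))
            while win and ev.minute - win[0][0] >= rule.minutes:  # slide the window
                win.popleft()
            observed = self._observed(rule, win)
            if observed <= rule.threshold:
                self.active.discard(key)
                continue
            if key not in self.active:  # alert once per crossing, not once per request
                self.active.add(key)
                self.alerts.append((rule.name, rule.action, ev.user, ev.minute, observed))
                fired.append((rule.name, rule.action, observed))
            if rule.action == "block":
                self.blocked.add(ev.user)
                break
        return fired


PAGE_RULES = [  # rule lines copied from the page
    "EnforceOCLCByteLimit if bytes_transferred over 2000000000 per 60 then block",
    "OCLCByteLimit1G if bytes_transferred over 1000000000 per 60 then log",
    "OCLCCountryLimit if country over 2 per 1440 then log",
    "EnforceOCLCCountryLimit if country over 4 per 1440 then block",
    "OCLCPDFLimitshort if pdf_download over 50 per 5 then log",
]


def constructed_events() -> list[Event]:
    """Constructed sample traffic (not real logs) for two hypothetical users."""
    evs = [Event("alice", 0, "pdf_download")] * 25   # 25 PDFs at minute 0
    evs += [Event("alice", 3, "pdf_download")] * 30  # 30 more at minute 3: 55 inside 5 minutes
    evs += [Event("alice", 6, "pdf_download")] * 10  # minute 0 has slid out: only 40 in window
    evs += [Event("bob", 0, "country", "US"), Event("bob", 5, "country", "DE"),
            Event("bob", 7, "country", "FR")]       # third distinct country within a day
    evs += [Event("bob", 10, "bytes_transferred", 700_000_000),
            Event("bob", 20, "bytes_transferred", 700_000_000),  # 1.4 GB in the hour: log only
            Event("bob", 30, "bytes_transferred", 900_000_000),  # 2.3 GB in the hour: block
            Event("bob", 40, "bytes_transferred", 1)]            # ignored: bob is already blocked
    return evs


def replay(events: list[Event], rule_lines: list[str] = PAGE_RULES) -> RuleEngine:
    engine = RuleEngine([parse_rule(line) for line in rule_lines])
    for ev in events:
        engine.feed(ev)
    return engine


if __name__ == "__main__":
    eng = replay(constructed_events())
    for name, action, user, minute, seen in eng.alerts:
        print(f"minute {minute:>3}: {action:5} {user:6} {name} (observed {seen})")
    print("blocked:", sorted(eng.blocked))
```

Running the replay shows the two behaviours the rule list describes: alice trips the short PDF rule once at minute 3 and is never blocked, because by minute 6 the minute-0 downloads have left the 5-minute window; bob's third country within a day produces a log entry, his second 700 MB transfer crosses the 1 GB log rule, and the third transfer crosses the 2 GB block rule, after which his remaining traffic is not evaluated at all. Editing the threshold or minutes in the rule strings is the tightening or relaxing the page mentions, and the same replay will show exactly which constructed users would have been affected by the change before it is applied to a live configuration.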

General Explanation:
Log Rules: These rules don’t block access but log activities to flag potentially suspicious behaviors like high data transfers, many IP changes, or large volumes of PDF downloads. The logged data helps administrators analyze usage patterns and detect abuse.
Block Rules: These rules block access if specific thresholds are exceeded, such as excessive data transfers, too many login failures, or rapid IP address changes. These measures are designed to protect resources and maintain service integrity by preventing abusive usage.

In summary, these rules are focused on balancing legitimate access while preventing abusive behavior like excessive downloading, data scraping, unauthorized multi-location access, or compromised accounts.

Additional information

For more information, see this article on Tuning your security rules configuration.

Page ID

60696