We use a multi-tiered approach:

1. Monitoring - We do a daily check for unusual usage amounts. Anything that is far outside of the norm, for our users, triggers further investigation.

2. Compromised account blocking - Any user whose account shows usage that looks like systematic downloading is blocked. This block remains until they change their password and contact us.

3. Specific IP blocking - IP addresses that show suspicious patterns of access are blocked in our IPtables.

4. Problem countries blocking - Most of our issues come from a small number of countries, about 12. We use GeoIP data to black hole connections coming from those countries.

We still have some attempts, but for the most part, they are halfhearted. We went from 5 breaches per year that would result in vendors cutting us off to around one every 18 months.

 

A nice side effect of this is that we are in our authentication system every day. This lets us keep it in a highly tuned state.

 

Daniel Hoyte M.R.S.

Senior Library Systems Technician

Leatherby Libraries, Chapman University

714-532-7745

Skype: daniel.hoyte

 

Nothing is impossible,

if you have enough adapters.

   -Dr. Walt to incoming class of

      Electrical Engineering students

      1985
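
The daily usage check from step 1 of the reply above, sketched as an added example (it is not part of the original message and not the library's own tooling). The log layout, user names, addresses and thresholds are constructed assumptions; a flagged account is only a candidate for the further investigation the message describes.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: one (date, user, source IP) row per full-text download.
# The layout is an assumption, not any particular proxy's log format.
def build_sample():
    rows = []
    normal = {"alice": 4, "bob": 7, "carol": 3, "dave": 5, "erin": 6, "frank": 2}
    for user, n in normal.items():
        rows += [("2014-10-20", user, "192.0.2.10")] * n
    # One account pulling hundreds of articles from two addresses.
    rows += [("2014-10-20", "grace", "203.0.113.5")] * 300
    rows += [("2014-10-20", "grace", "198.51.100.9")] * 150
    return rows

def flag_outliers(rows, day, k=10.0, floor=50):
    """Return {user: (count, sorted IPs)} for accounts far outside the day's norm.

    The cut-off is median + k * MAD (median absolute deviation), which one
    heavy account cannot drag upward the way it would a mean. `floor` keeps
    quiet days from flagging ordinary readers. k and floor are assumed values.
    """
    counts = Counter()
    ips = defaultdict(set)
    for date, user, ip in rows:
        if date == day:
            counts[user] += 1
            ips[user].add(ip)
    if not counts:
        return {}
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    threshold = max(floor, med + k * mad)
    return {u: (c, sorted(ips[u])) for u, c in counts.items() if c > threshold}

if __name__ == "__main__":
    for user, (count, addrs) in flag_outliers(build_sample(), "2014-10-20").items():
        print(f"review account {user}: {count} downloads from {', '.join(addrs)}")
```

The per-account address list is what feeds the account block in step 2 and the IP review in step 3.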

 

From: Serials in Libraries Discussion Forum [mailto:SERIALST@LISTSERV.NASIG.ORG] On Behalf Of Tian Zhang
Sent: Tuesday, October 21, 2014 10:44 AM
To: SERIALST@LISTSERV.NASIG.ORG
Subject: Re: [SERIALST] Were your library online resources systematically downloaded by a compromised account? How do you deal with this kind of problem?

 

Recently, one of our online resources was blocked by the publisher because it was systematically downloaded by compromised accounts from other countries. We found the accounts and tried to block the IPs, and also asked the owners of the accounts to change their passwords. But it does not work. The hackers still steal our journal articles.

 

If any of you have the experience of dealing with this kind of problem, I would like to get your ideas. You may contact me directly if you like.

 

Thank you in advance.

 

Tian Zhang

Serials Librarian

St. John's University Library
Tel. 718 990-5082
Fax. 718 990-5938
Email: zhangt@stjohns.edu

 

 


To unsubscribe from the SERIALST list, click the following link:
http://listserv.nasig.org/scripts/wa-NASIG.exe?SUBED1=SERIALST&A=1


