Excessive account creations from an IP

Goal

Detect excessive account creations from an IP.

This may be caused by a malicious actor trying to create bots on your platform or abuse discounts to new users.

Strategy

Count the number of user signups coming from a single IP.

The signup must be flagged using a user event.

A Medium signal is then generated if more than 5 signups from a single IP are found over 5 minutes.
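
The counting logic described above, sketched in Python as an added example (it is not the rule's own query or the product's implementation). The event tuple layout, the sliding-window reading of "over 5 minutes", the function name and the sample IPs and user ids are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # evaluation window stated in the rule
THRESHOLD = 5                  # signal only when the count is strictly greater

# Constructed sample data: (time, source IP, new user id). IPs are documentation ranges.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    # 6 signups in about 4 minutes: should raise a signal
    [(T0 + timedelta(seconds=s), "203.0.113.7", f"bot{i}")
     for i, s in enumerate([0, 40, 70, 120, 210, 250])]
    # exactly 5 signups in 2 minutes: at the threshold, not above it
    + [(T0 + timedelta(seconds=s), "192.0.2.5", f"fam{i}")
       for i, s in enumerate([0, 20, 45, 90, 110])]
    # 6 signups spread over 10 minutes: never more than 3 in any window
    + [(T0 + timedelta(minutes=2 * i), "198.51.100.20", f"nat{i}") for i in range(6)]
)


def detect_excessive_signups(events, window=WINDOW, threshold=THRESHOLD):
    """Return one medium-severity signal per IP that exceeds the threshold,
    with the accounts created in the offending windows (for triage step 2)."""
    recent = defaultdict(deque)  # ip -> signups still inside the sliding window
    signals = {}
    for when, ip, user in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append((when, user))
        # Expire signups that are a full window or more older than this one.
        while q and when - q[0][0] >= window:
            q.popleft()
        if len(q) > threshold:
            sig = signals.setdefault(
                ip, {"ip": ip, "severity": "medium", "first_seen": q[0][0], "users": []})
            sig["users"] += [u for _, u in q if u not in sig["users"]]
    return list(signals.values())


if __name__ == "__main__":
    for s in detect_excessive_signups(SAMPLE_EVENTS):
        print(s["severity"], s["ip"], s["first_seen"].isoformat(), s["users"])
```

The `users` list in each signal is the set of accounts to review when extracting created accounts during triage.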

Triage and response

  1. Investigate the IP activity and validate that it is legitimate.
  2. Extract the list of created accounts to lock/delete them.
  3. Consider blocking the IP if the account creations are malicious.