Attack reporting
Attack reports provide information about the suspected attacks on each API. The ABS Attack API returns a report for the attack type given by type_id (see the descriptions in Threshold range for Tn and Tx); the report contains attack details including the time frame, the client identifier, and an attack code (see Changing Attack Thresholds for an explanation of attack codes). The format of the ABS attack API is:
The hostname and port correspond to the host ABS machine.
Understanding the API report parameters
Here is a brief description of the information available in the attack reports. Not all items are included in every report. Refer to ABS external REST APIs for detailed information on each report.
- attack_type: Name of the attack type (for example, data exfiltration, stolen cookie).
- description: Description of the attack.
- earlier_date: The earlier of the two dates in the query range. For example, if the query range is between March 12 and March 14, the earlier date is March 12.
- later_date: The more recent of the two dates in the query range. For example, if the query range is between March 12 and March 14, the later date is March 14.
- api_name: The name of the API for which the report is displayed.
- access_time: The time at which the attacking client accessed the API.
- attack_code: Code for the variables and thresholds used to detect attacks. For example, "attack_code": "varA(Tx, 25)" signifies that the attack was triggered because variable A, with a value of 25, exceeded the Tx threshold. Current threshold values can be checked using the Threshold API.
- ddos_info: The ddos_info field provides a pointer to detailed information in the MongoDB system, for example a list of IPs that were active during a DDoS attack (note: only included in DDoS reports). The data is stored in the login_dos collection of the abs_data database. To access it, enter the following in your MongoDB command line:
    > use abs_data
    > db.login_dos.find({end_time:'Tue Mar 21 22:25:36:144 2017'},{'ips':1}).pretty()
  Use the end_time value from the report in the query to see the participating IPs.
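The attack_code format and the login_dos lookup described above, as an added example that is not part of the ABS product or its documentation: a small parser for attack_code terms, a cross-check against threshold values fetched from the Threshold API (the dict shape and the "greater than or equal" reading of "exceeded" are assumptions), and a builder for the login_dos filter and projection.

```python
import re
from dataclasses import dataclass

# attack_code terms look like var<Name>(<Tn|Tx>, <value>), e.g. "varA(Tx, 25)"
ATTACK_CODE_RE = re.compile(
    r"var(?P<var>\w+)\((?P<threshold>Tn|Tx),\s*(?P<value>-?\d+(?:\.\d+)?)\)"
)


@dataclass(frozen=True)
class AttackCode:
    variable: str    # e.g. "A"
    threshold: str   # "Tn" or "Tx"
    value: float     # observed value that triggered the attack


def parse_attack_code(code: str) -> list[AttackCode]:
    """Extract every var(threshold, value) term from an attack_code string.

    Raises ValueError when nothing parses, so a malformed or unexpected
    report field is surfaced instead of being silently treated as empty.
    """
    terms = [
        AttackCode(m["var"], m["threshold"], float(m["value"]))
        for m in ATTACK_CODE_RE.finditer(code)
    ]
    if not terms:
        raise ValueError(f"unrecognised attack_code: {code!r}")
    return terms


def exceeded(term: AttackCode, thresholds: dict[str, dict[str, float]]) -> bool:
    """Cross-check a parsed term against threshold values from the Threshold API.

    Assumed shape of `thresholds`: {"A": {"Tn": 10, "Tx": 20}} (constructed).
    Assumes, as in the page's example, that a threshold is "exceeded" when the
    observed value is greater than or equal to the configured one.
    """
    configured = thresholds[term.variable][term.threshold]
    return term.value >= configured


def login_dos_query(end_time: str) -> tuple[dict, dict]:
    """Filter and projection for the login_dos lookup shown above, in the
    two-argument form pymongo's find(filter, projection) expects."""
    return {"end_time": end_time}, {"ips": 1}
```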
The following pages provide examples of API JSON attack reports for Data Exfiltration, Stolen Cookie, and Multi-Client Login Attack.
You can use the Admin user or the restricted user to access the API reports. For the Admin user, the cookie, token or API key is not obfuscated.