Real-time API deception attack blocking
ASE detects any client probing a decoy API. When a client probes an out-of-context decoy API, ASE logs the request but does not drop the client connection. However, if the same client then tries to access a legitimate path in the in-context decoy API, ASE blocks the client in real time. Here is a snippet of an ASE access log file showing real-time decoy blocking:

[Tue Aug 14 22:51:49:707 2018] [thread:209] [info] [connectionid:1804289383] [connectinfo:100.100.1.1:36663] [type:connection_drop] [api:decoy] [request_payload_length:0] GET /decoy/test/test HTTP/1.1 User-Agent: curl/7.35.0 Accept: */* Host: app

The blocked client is added to the blacklist, which can be viewed by running the view_blacklist CLI command:

/opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist

Realtime Decoy Blacklist
1) type : ip, value : 100.100.1.1
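The access-log line above carries everything a SOC needs to correlate ASE's real-time decoy blocks with its own tooling: the bracketed key:value fields give the client address (connectinfo), the event type (connection_drop) and the API class (decoy). The following parser is an added example, not part of the Ping Identity ASE documentation or product. It follows the field layout of the single log line shown on the page; the additional sample lines are constructed in the same layout, and the value type:request used for a non-blocking event is a hypothetical placeholder, not a documented ASE event type.

```python
"""Parse ASE access-log lines and extract real-time decoy-block events.

Added example, not part of the Ping Identity ASE documentation. The field
layout follows the single log line shown on the page; the extra sample lines
below are constructed, and the value 'type:request' is a hypothetical
placeholder for a non-blocking event type.
"""
import re
from dataclasses import dataclass

# One bracketed "[key:value]" field. The leading timestamp has no key and the
# bare "[info]" level has no colon, so neither is captured here.
FIELD_RE = re.compile(r"\[([a-z_]+):([^\]]*)\]")
# Leading "[Tue Aug 14 22:51:49:707 2018]" timestamp.
TS_RE = re.compile(r"^\[([^\]]+)\]")


@dataclass
class AseEvent:
    timestamp: str
    fields: dict
    request: str  # trailing raw request text (method, path, headers)


def parse_line(line: str) -> AseEvent:
    """Split one ASE access-log line into timestamp, key:value fields and request text."""
    ts_match = TS_RE.match(line)
    if not ts_match:
        raise ValueError(f"no timestamp in line: {line!r}")
    matches = list(FIELD_RE.finditer(line))
    if not matches:
        raise ValueError(f"no key:value fields in line: {line!r}")
    fields = {m.group(1): m.group(2) for m in matches}
    # Everything after the last bracketed field is the HTTP request line + headers.
    request = line[matches[-1].end():].strip()
    return AseEvent(timestamp=ts_match.group(1), fields=fields, request=request)


def is_decoy_block(event: AseEvent) -> bool:
    """True for the real-time decoy block shown on the page: connection_drop on api:decoy."""
    return event.fields.get("type") == "connection_drop" and event.fields.get("api") == "decoy"


def client_ip(event: AseEvent) -> str:
    """connectinfo is 'ip:port'; return just the ip (IPv4, as in the page's example)."""
    return event.fields["connectinfo"].rsplit(":", 1)[0]


def build_blacklist(lines):
    """Return the ordered, de-duplicated IPs that ASE dropped for decoy access, in the
    same shape as the view_blacklist output: [{'type': 'ip', 'value': ...}, ...]."""
    seen = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if is_decoy_block(event):
            ip = client_ip(event)
            if ip not in seen:
                seen.append(ip)
    return [{"type": "ip", "value": ip} for ip in seen]


# Constructed sample: the first line is the page's example; the others are made up
# in the same layout ('type:request' is a hypothetical non-blocking event type).
SAMPLE_LOG = """\
[Tue Aug 14 22:51:49:707 2018] [thread:209] [info] [connectionid:1804289383] [connectinfo:100.100.1.1:36663] [type:connection_drop] [api:decoy] [request_payload_length:0] GET /decoy/test/test HTTP/1.1 User-Agent: curl/7.35.0 Accept: */* Host: app
[Tue Aug 14 22:52:03:115 2018] [thread:210] [info] [connectionid:1804289384] [connectinfo:100.100.1.1:36670] [type:connection_drop] [api:decoy] [request_payload_length:0] GET /decoy/test/test HTTP/1.1 User-Agent: curl/7.35.0 Accept: */* Host: app
[Tue Aug 14 22:52:10:002 2018] [thread:211] [info] [connectionid:1804289385] [connectinfo:100.100.2.2:41000] [type:request] [api:shop] [request_payload_length:0] GET /shop/items HTTP/1.1 User-Agent: curl/7.35.0 Accept: */* Host: app
[Tue Aug 14 22:53:44:900 2018] [thread:212] [info] [connectionid:1804289386] [connectinfo:100.100.3.3:50001] [type:connection_drop] [api:decoy] [request_payload_length:0] GET /decoy/test/test HTTP/1.1 User-Agent: curl/7.35.0 Accept: */* Host: app
"""


if __name__ == "__main__":
    # Prints the same shape as the CLI's "Realtime Decoy Blacklist" listing.
    for n, entry in enumerate(build_blacklist(SAMPLE_LOG.splitlines()), start=1):
        print(f"{n}) type : {entry['type']}, value : {entry['value']}")
```

Feeding the real access log through build_blacklist and diffing the result against the output of view_blacklist is a cheap consistency check that the blacklist ASE enforces matches what the log says it dropped; the legitimate non-decoy request from 100.100.2.2 in the sample is correctly left out.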