PingIntelligence

Real-time detected attacks for inline ASE

API Security Enforcer (ASE) supports real-time attack detection and blocking for:

  • API Pattern Enforcement – validates traffic to ensure it is consistent with the application programming interface (API) definition

  • API Deception – blocks hackers probing a decoy API

In real time, ASE blocks hackers who violate pattern enforcement or probe decoy APIs. Hacker information is reported to API Behavioral Security (ABS), which generates ASE detected attack reports (type ID 101). Use the following ABS REST API to view the report:

Real-time ASE detected attack based on OAuth2 token activity

{
  "company": "ping identity",
  "attack_type": "Invalid API Activity",
  "name": "api_attack_type",
  "description": "Clients using invalid method/protocol/content-type",
  "earlier_date": "Thu Jan 25 18:00:00:000 2018",
  "later_date": "Fri Dec 28 18:00:00:000 2018",
  "api_name": "atm_app_oauth",
  "ips": [],
  "cookies": [],
  "access_tokens": [
    {
      "access_token": "token_protocol",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:770 2018",
          "attack_code": "protocol"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:851 2018",
          "attack_code": "protocol"
        }
      ]
    },
    {
      "access_token": "token_method",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:819 2018",
          "attack_code": "method"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:903 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "access_token": "token_contenttype",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:819 2018",
          "attack_code": "content_type"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:903 2018",
          "attack_code": "content_type"
        }
      ]
    }
  ]
}

Real-time ASE detected attack based on pattern enforcement violation

{
  "company": "ping identity",
  "attack_type": "Invalid API Activity",
  "cookie": "JSESSIONID",
  "name": "api_attack_type",
  "description": "Clients using invalid method/protocol/content-type",
  "earlier_date": "Thu Jan 25 18:00:00:000 2018",
  "later_date": "Fri Dec 28 18:00:00:000 2018",
  "api_name": "atm_app_public",
  "ips": [],
  "cookies": [
    {
      "cookie": "session_contenttype1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "content_type"
        }
      ]
    },
    {
      "cookie": "session_method",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:06:656 2018",
          "attack_code": "method"
        },
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "cookie": "session_contenttype",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:06:656 2018",
          "attack_code": "content_type"
        },
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "content_type"
        }
      ]
    },
    {
      "cookie": "session_protocol",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:873 2018",
          "attack_code": "protocol"
        },
        {
          "access_time": "Fri Jan 26 21:16:47:314 2018",
          "attack_code": "protocol"
        }
      ]
    },
    {
      "cookie": "session_method1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "cookie": "session_protocol1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:16:47:314 2018",
          "attack_code": "protocol"
        }
      ]
    }
  ],
  "access_tokens": []
}

Enabling ASE detected attacks

Steps

  • To enable real-time ASE detected attacks, run the following command on the ASE command line:

    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin enable_ase_detected_attack
    ASE Detected Attack is now enabled

Disabling ASE detected attacks

Steps

  • To disable real-time ASE detected attacks, run the following command on the ASE command line:

    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin disable_ase_detected_attack
    ASE Detected Attack is now disabled

    When you disable ASE detected attacks, the attacks are deleted from the deny list.