Client identifier determination – IP address or cookie
In each API, the presence of the cookie parameter in the API JSON file (see API Security Enforcer Admin Guide for information) determines whether attacks are reported based on cookie identifier or IP address. An environment with multiple APIs can support a mixture of identifier types in a single ABS system. Use cases include the following:
- API JSON with cookie parameter – When the cookie parameter is configured, most attacks are reported with cookie identifiers; the exception is pre-authentication attacks (for example, client login attacks), which occur before a session cookie exists. Configuring the cookie parameter is recommended whenever cookies are present, because a cookie is a unique client identifier and avoids the IP address issues described below.
- API JSON without cookie parameter – When the cookie parameter is not configured, all attacks are reported with the client IP address, which is determined as follows:
  - XFF header present: The first IP address in the X-Forwarded-For (XFF) list is used as the client identifier. When forwarding traffic, load balancers and other proxy devices with XFF enabled append IP addresses to the XFF header so that the application can see the client IP address. The first IP address in the list is typically the originating client address.
  - No XFF header: When no XFF header is present, the source IP address of the incoming traffic is used as the client identifier. In this configuration, make sure that the incoming traffic carries the public or private IP addresses of the actual client devices, not the address of a load balancer or proxy device on your premises.
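The identifier selection described above, as an added example that is not part of this guide or of the ABS product code. It assumes a simplified API JSON where a top-level `cookie` key names the session cookie (the real file format is documented in the API Security Enforcer Admin Guide), takes the first well-formed entry of X-Forwarded-For, and falls back to the source IP when there is no usable XFF entry or, for a cookie-configured API, when the request carries no session cookie yet (the pre-authentication case). Because the first XFF entry is whatever the upstream hop presented, it is validated as an IP address before use.

```python
import ipaddress
import json
from typing import Dict, Optional, Tuple

# Constructed sample API JSON fragments (hypothetical, simplified schema:
# a top-level "cookie" key names the session cookie; when it is absent,
# the client is identified by IP address).
API_WITH_COOKIE = json.loads('{"api_name": "ws-orders", "cookie": "JSESSIONID"}')
API_WITHOUT_COOKIE = json.loads('{"api_name": "ws-quotes"}')


def first_xff_ip(xff_header: Optional[str]) -> Optional[str]:
    """Return the first well-formed IP address in an X-Forwarded-For list, or None.

    Entries such as 'unknown' or a hostname are rejected so that a malformed
    header cannot become a client identifier.
    """
    if not xff_header:
        return None
    first = xff_header.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def parse_cookie_header(cookie_header: Optional[str]) -> Dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    if not cookie_header:
        return cookies
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def client_identifier(api_json: dict, headers: Dict[str, str], source_ip: str) -> Tuple[str, str]:
    """Choose the identifier a report for this request would be keyed on.

    Returns ('cookie', value) when the API JSON configures a cookie and the
    request carries it; otherwise ('ip', address) where address is the first
    valid X-Forwarded-For entry or, failing that, the transport source IP.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    cookie_name = api_json.get("cookie")
    if cookie_name:
        session = parse_cookie_header(lower.get("cookie")).get(cookie_name)
        if session:
            return ("cookie", session)
        # No session cookie yet (e.g. a login request): fall through to IP.
    xff_ip = first_xff_ip(lower.get("x-forwarded-for"))
    return ("ip", xff_ip or source_ip)


if __name__ == "__main__":
    # Constructed requests: addresses are documentation ranges, not real hosts.
    lb_ip = "10.0.0.2"  # the load balancer forwarding the traffic
    print(client_identifier(API_WITH_COOKIE,
                            {"Cookie": "JSESSIONID=abc123; theme=dark",
                             "X-Forwarded-For": "203.0.113.7, 10.0.0.2"}, lb_ip))
    print(client_identifier(API_WITH_COOKIE,
                            {"X-Forwarded-For": "203.0.113.7"}, lb_ip))
    print(client_identifier(API_WITHOUT_COOKIE,
                            {"Cookie": "JSESSIONID=abc123",
                             "X-Forwarded-For": "203.0.113.7, 10.0.0.2"}, lb_ip))
    print(client_identifier(API_WITHOUT_COOKIE, {}, "198.51.100.9"))
```

The third call shows the point made in the text: when the API JSON has no cookie parameter, a session cookie on the request is ignored and the report is keyed on the XFF address. The last call shows why the no-XFF configuration requires traffic to arrive directly from clients: with a proxy in the path and no XFF header, every request would be attributed to the proxy's address.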
To change from a cookie to an IP identifier for an existing API, save the API JSON with a new name. ABS then re-trains the model for this API and starts detecting IP-based attacks. For more information on configuring API JSON files, see API Security Enforcer Admin Guide.
The following tables list the attacks detected by ABS for WebSocket APIs when the client identifier is a cookie and when it is an IP address.

Cookie-based detected attacks:

| Attack Type | Description | ID |
|---|---|---|
| Summary Attack Report | Provides a summary of all attacks detected. | 0 |
| WS Cookie Attack | WebSocket session management service receiving an abnormal number of cookies. | 50 |
| WS DoS Attack | Inbound streaming limits exceeded on a WebSocket service. | 52 |
| WS Data Exfiltration Attack | Data is being extracted via a WebSocket API service. | 53 |
IP-based detected attacks:

| Attack Type | Description | ID |
|---|---|---|
| Summary Attack Report | Provides a summary of all attacks detected. | 0 |
| WS Identity Attack | WebSocket identity service receiving excessive upgrade requests. | 51 |
| WS DoS Attack | Inbound streaming limits exceeded on a WebSocket service. | 52 |
| WS Data Exfiltration Attack | Data is being extracted via a WebSocket API service. | 53 |