A decoy API is configured in the API Security Enforcer (ASE) and requires no changes to backend servers. It appears as part of the API ecosystem and is used to detect the attack patterns of hackers.
When a hacker accesses a decoy API, ASE sends a predefined response (defined inresponse_message parameter in the API JSON file) to the client request and collects the request information as a footprint to analyze API ecosystem attacks. ASE does not forward decoy API request traffic to backend servers.
Decoy API traffic is separately logged in files named with the following format: decoy_pid_<pid_number>__yyyy-dd-mm-<log_file_rotation_time> (for example, decoy_pid_8787__2017-04-04_10-57.log). Decoy log files are rotated every 24 hours and stored in the opt/pingidentity/ase/logs directory.
ASE provides the following decoy API types in inline mode:
- In-context decoy APIs
- Out-of-context decoy APIs