API Security Enforcer (ASE) detects any client probing a decoy API. When a client probes an out-of-context decoy API, ASE logs but does not drop the client connection. However, if the same client tries to access a legitimate path in the in-context decoy API, then ASE blocks the client in real-time.
Here is a snippet of an ASE access log file showing real-time decoy blocking:
[Tue Aug 14 22:51:49:707 2018] [thread:209] [info] [connectionid:1804289383] [connectinfo:100.100.1.1:36663] [type:connection_drop] [api:decoy] [request_payload_length:0] GET /decoy/test/test HTTP/1.1
User-Agent: curl/7.35.0
Accept: */*
Host: app
The blocked client is added to the deny list which can be viewed by running the view_blacklist CLI command:
/opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist
Realtime Decoy Blacklist
1) type : ip, value : 100.100.1.1