Note: WebSocket API attack detection is only supported when ASE is running in Inline mode.

Client identifier determination – IP address or cookie

In each API, the presence of the cookie parameter in the API JSON file (see API Security Enforcer Admin Guide for information) determines whether attacks are reported based on cookie identifier or IP address. An environment with multiple APIs can support a mixture of identifier types in a single ABS system. Use cases include the following:

  • API JSON with cookie parameter – When the cookie parameter is configured, most attacks are reported with cookie identifiers, the exception being pre-authentication attacks (for example, client login attacks). Configuring the Cookie parameter is recommended when cookies are present as it is a unique client identifier that eliminates the issues identified below with IP addresses.
  • API JSON without cookie parameter – When the cookie parameter is not configured, all the attacks are reported with the client IP address which is determined based on the following:
  • XFF header present: The first IP address in the XFF list is used as the client identifier. When forwarding traffic, load balancers and other proxy devices with XFF enabled add IP addresses to the XFF header to provide application visibility of the client IP address. The first IP address in the list is typically associated with the originating IP address.
Note: XFF is not always a reliable source of the client IP address and can be spoofed by a malicious proxy.
  • No XFF header: When no XFF header is present, the source IP address of the incoming traffic is used as the client identifier. In this configuration, make sure that the incoming traffic is using public or private IP addresses associated with the actual client devices, not a load balancer or proxy device on your premise.
Note: When a load balancer or other proxy without XFF enabled is the source of the inbound traffic, then all client traffic will be associated with the load balancer IP addresses. This configuration will not provide effective attack reporting.

To change from a cookie to an IP identifier for an existing API, save the API JSON with a new name. ABS then re-trains the model for this API and starts detecting IP-based attacks. For more information on configuring API JSON files, see API Security Enforcer Admin Guide.

Note: OAuth2 token based attacks are not reported for WebSocket APIs.

The following tables list the attacks detected by ABS for WebSocket APIs for cookie and IP:

Cookie based detected attacks:

Attack Type Description id
Summary Attack Report Provides a summary of all attacks detected. 0
WS Cookie Attack WebSocket session management service receiving an abnormal number of cookies. 50
WS DoS Attack Inbound streaming limits exceeded on a WebSocket service. 52
WS Data Exfiltration Attack Data is being extracted via a WebSocket API service. 53

IP based detected attacks

Attack Type Description id
Summary Attack Report Provides a summary of all attacks detected. 0
WS Identity Attack WebSocket identity service receiving excessive upgrade requests. 51
WS DoS Attack Inbound streaming limits exceeded on a WebSocket service. 52
WS Data Exfiltration Attack Data is being extracted via a WebSocket API service. 53