AppSec - Public Internet Exposure and Source (Attacker) IP

mov_grusconi
Newcomer

Let me start by saying that I am new to the topic of Application Security (AppSec) and I am using the Dynatrace Demo environment (https://{environmentid}.apps.dynatrace.com).

Coming to detail, the following is not clear to me regarding a reported attack (see attached screenshots, URL: https://{environmentid}.apps.dynatrace.com/ui/apps/dynatrace.classic.attacks/ui/security/attacks/170... ?gtf=-2h&gf=all):

  • A. the vulnerable process group (vulnerability: SpringBoot) does not have "Public internet exposure"
  • B. this process group is vulnerable to "SQL injection" attack
  • C. the attacker's (source) IP is an Austrian IP (83.164.160.102, Linz)

How is it possible that an external IP (C.) had access to an internal resource not exposed on the internet (A.)?

More generally, how does Dynatrace:

  1. catalog the "Public internet exposure" of a process or resource?
  2. find the attacker's client IP (simply look at the HTTP header x-client-ip: 83.164.160.102 which however may not be reliable)?

Thanks,

Gabriele.


c_schwarzbauer
Dynatrace Champion

Dear Gabriele,

going directly to your general questions:

  1. "Public internet exposure" is not triggered by a single public IP alone, as we learned that this would be way too flaky. Instead we introduced an algorithm that relies more on the diversity of the seen IPs, which basically works like this:
    • all the IP addresses seen in the last hour are evaluated
    • from those IPs, the private IP ranges are eliminated
    • the remaining IPs are grouped by subnets
    • as soon as the number of distinct subnets hits a certain (low) threshold, public internet exposure is triggered
  2. The attacker's client IP is determined like this:
    • look at certain HTTP headers, like X-Client-IP, X-Forwarded-For, ... (for a full list, see the default header list at Settings > Web and mobile monitoring > IP determination, note: this list is currently not configurable)
    • if no such HTTP headers are available, look at the client IP of the socket connection (as also written here: https://docs.dynatrace.com/docs/.../manage-attacks#client-ip-address)

Based on your feedback, we will also discuss how we can improve the existing documentation to reflect this information.

HTH, Chris


EDIT: refined my comment to make it clear that the HTTP header list is currently not configurable.
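Added example (not Dynatrace code) sketching the two procedures described in the reply above: exposure detection from the diversity of public subnets seen in the last hour, and client IP determination from forwarding headers with a socket fallback. The /24 and /48 grouping, the threshold of 3 and the two header names are assumptions; the real default header list is longer and the actual threshold is not stated in the thread.

```python
import ipaddress
from typing import Dict, Iterable, Set, Tuple

# Assumed parameters: the reply only says "a certain (low) threshold".
SUBNET_THRESHOLD = 3
# Assumed subset of the header list, in order of preference.
CLIENT_IP_HEADERS = ("x-client-ip", "x-forwarded-for")


def distinct_public_subnets(ips: Iterable[str]) -> Set[ipaddress._BaseNetwork]:
    """Drop private/reserved addresses, then group the rest into subnets."""
    subnets = set()
    for raw in ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # malformed value, ignore it
        if not ip.is_global:  # private, loopback, link-local, reserved ...
            continue
        prefix = 24 if ip.version == 4 else 48  # assumed grouping size
        subnets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return subnets


def is_publicly_exposed(ips_last_hour: Iterable[str],
                        threshold: int = SUBNET_THRESHOLD) -> bool:
    """Exposure flips only once enough distinct public subnets are seen,
    so a single public IP (e.g. one forwarded scan) is not sufficient."""
    return len(distinct_public_subnets(ips_last_hour)) >= threshold


def determine_client_ip(headers: Dict[str, str], socket_peer: str) -> Tuple[str, str]:
    """Return (ip, source): the first matching header wins, otherwise the
    socket peer. X-Forwarded-For lists the original client first.
    Header values are client-controllable unless set by a trusted proxy,
    which is why they can disagree with the socket address."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in CLIENT_IP_HEADERS:
        value = lowered.get(name)
        if value:
            return value.split(",")[0].strip(), name
    return socket_peer, "socket"


if __name__ == "__main__":
    # Constructed sample: one public scanner plus internal callers.
    print(is_publicly_exposed(["83.164.160.102", "10.0.0.5", "192.168.1.1"]))
    print(determine_client_ip({"X-Client-IP": "83.164.160.102"}, "10.0.0.1"))
```

Run against the IPs from the screenshots in the question, a single Austrian source IP with otherwise internal traffic yields no exposure flag, which matches point A, while the attack record still carries the header-derived IP from point C.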
