Classifying Your API Traffic with Distil

April 11, 2016
In this tutorial video, you'll learn how to use the Traffic Classifications report to view all of the request types that have been accessing APIs across your entire account.

NOTE: This doesn’t include browser-related information, such as browser type or cookies, as seen in the web security reports.

API request traffic is classified as:

- Abusive – Requests have violated rules and/or are manually blocked via your access control list (ACL).
- Neutral – Requests are passing through without having violated any rules.
- Whitelist – Requests have been manually allowed via your ACL.

Accessing the Traffic Classification Report

Follow these steps to access the Traffic Classification report:

1. Log in to the Distil Networks portal.
2. Click API Security on the banner menu.
3. Click Reports on the left panel menu.
4. Click Traffic Classifications.

Reviewing the Traffic Classifications Report

The Traffic Classifications Report includes:

- Filter by domain – Show traffic classification data for a specific domain associated with your account.
- Date Filter – Specific date range highlighted by the Traffic Classifications Report.
- Breakdown of classifications – Number of requests associated with each of the three client classifications: abusive, neutral, and whitelist.
- Daily API Requests – The lower portion of the display provides a color-coded graphical representation of the requests to your APIs:
  - Red: Abusive
  - Blue: Neutral
  - Green: Whitelist

Click the Abusive Clients classification to view the Summary of Violations table. It displays a breakdown of all malicious IP addresses targeting your API and features several viewing options:

- Date Filter – Select a specific date range to view.
- Violation Filter – Click to view specific violation categories. Choices include All Violation Categories, Blacklisted, Token Management, and Rate Limiting.
- Violation – Violation triggered by abusive requests.
- Category – Category associated with the violation.
- Total Requests – Total number of requests associated with the violation.
- Top 5 Violations by No. of Requests – This portion of the display offers a graphical representation of the top violations associated with abusive requests.
- Top 10 IPs by Abusive Requests – Displays a tabular view of the most abusive IP addresses targeting your APIs.

Select any record from the Summary of Violations table to single out the IP addresses that are most harmful to your APIs.

Blacklisting IPs via the Traffic Classification Report

Once you have identified one or more troublesome IP addresses from the Traffic Classifications Report, you can use Access Controls to blacklist them and stop future attempts:

1. Select an IP to open the Access Controls dialog box.
   NOTE: You can optionally select a Domain and Security Setting Rule to target the settings to a specific domain. Do not make a selection if you wish to blacklist the IP from all of your protected API domains.
2. Click Blacklist.
3. Click Select Above to save the settings and blacklist the IP address from future attempts.

NOTE: You can also whitelist any IP address using the Access List Options. Whitelisted IPs will never be blocked despite any traps they may trigger. This option can be especially useful to allow internal tool access, such as automation test tools, which can be mistaken for malicious bots. To do so, follow the steps above, but click Whitelist in step 2.
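The classification rules and the Summary of Violations breakdown described above, applied to constructed request records as an added example (not Distil's code or API). The record layout, the ACL dictionary and the function names are assumptions; whitelist precedence follows the note that whitelisted IPs are never blocked.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed ACL entries and request records (documentation-range IPs), not real data.
ACL = {"198.51.100.7": "whitelist", "203.0.113.9": "blacklist"}
REQUESTS = [
    # (client IP, violation category triggered by the request, or None)
    ("203.0.113.9", None),
    ("203.0.113.9", None),
    ("192.0.2.44", "Rate Limiting"),
    ("192.0.2.44", "Rate Limiting"),
    ("192.0.2.44", "Token Management"),
    ("198.51.100.7", "Rate Limiting"),  # internal test tool on the whitelist
    ("192.0.2.80", None),
]

def classify(ip, category, acl=ACL):
    """Return (classification, violation category or None) for one request."""
    ip = str(ip_address(ip))            # raises ValueError on a malformed address
    entry = acl.get(ip)
    if entry == "whitelist":            # manual allow wins over any triggered rule
        return "whitelist", None
    if entry == "blacklist":            # manual block is counted as abusive
        return "abusive", "Blacklisted"
    if category is not None:            # a rule was violated
        return "abusive", category
    return "neutral", None

def report(requests, acl=ACL, top_violations=5, top_ips=10):
    """Aggregate the counts the report shows: totals, top violations, top IPs."""
    totals, by_violation, by_ip = Counter(), Counter(), Counter()
    for ip, category in requests:
        label, violation = classify(ip, category, acl)
        totals[label] += 1
        if label == "abusive":
            by_violation[violation] += 1
            by_ip[ip] += 1
    return {
        "totals": dict(totals),
        "top_violations": by_violation.most_common(top_violations),
        "top_ips": by_ip.most_common(top_ips),
    }

if __name__ == "__main__":
    for name, value in report(REQUESTS).items():
        print(name, value)
```

The whitelisted test tool trips a rate-limit rule yet is counted under Whitelist, so it never appears in the abusive IP ranking.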