FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AppSec - Public Internet Exposure and Source (Attacker) IP

Go to solution
mov_grusconi
Newcomer

‎10 Apr 2024 02:49 PM

Let me start by saying that I am new to the topic of Application Security (AoppSec) and I am using the Dynatrace Demo environment (https://{environmentid}.apps.dynatrace.com).

Coming to detail, the following is not clear to me regarding a reported attack (see attached screenshots, URL: https://{environmentid}.apps.dynatrace.com/ui/apps/dynatrace.classic.attacks/ui/security/attacks/170... ?gtf=-2h&gf=all):

  • A. the vulnerable process group (vulnerability: SpringBoot) does not have "Public internet exposure"
  • B. this process group is vulnerable to "SQL injection" attack
  • C. the attacker's (source) IP is an Austrian IP (83.164.160.102, Linz)

How is it possible that an external IP (C.) had access to an internal resource not exposed on the internet (A.)?

More generally, how does Dynatrace:

  1. catalog the "Public internet exposure" of a process or resource?
  2. find the attacker's client IP (simply look at the HTTP header x-client-ip: 83.164.160.102 which however may not be reliable)?

Thanks,

Gabriele.

Labels:
0 Kudos
Reply
1 REPLY 1

Go to solution
c_schwarzbauer
Dynatrace Champion
Dynatrace Champion

‎22 Apr 2024 05:34 PM - edited ‎24 Apr 2024 03:08 PM

Dear Gabriele,

going directly to your general questions:

  1. "Public internet exposure" is not triggered by a single public IP alone, as we learned that this would be way too flaky. Instead we introduced an algorithm that relies more on the diversity of the seen IPs, which basically works like this:
    • all the IP addresses seen in the last hour are evaluated
    • from those IPs, the private IP ranges are eliminated
    • the remaining IPs are grouped by subnets
    • as soon as the diverse subnets hit a certain (low) threshold, public internet exposure is triggered
  2. The attacker's client IP is determined like this:
    • look at certain HTTP headers, like X-Client-IP, X-Forwarded-For, ... (for a full list, see the default header list at Settings > Web and mobile monitoring > IP determination, note: this list is currently not configurable)
    • if no such HTTP headers are available, look at the client IP of the socket connection (as also written here: https://docs.dynatrace.com/docs/.../manage-attacks#client-ip-address)

Based on your feedback, we will also discuss how we can improve the existing documentation to reflect this information.

HTH, Chris

 

EDIT: refined my comment to make it clear, that the HTTP header list is currently not configurable.

Reply
Ask a question

Featured Posts