Detect attempts by an attacker to exfiltrate sensitive information using a Resource Enumeration attack.
The attack is based on finding endpoints that return a resource when given an ID, and whose security relies on the ID being known only to authorized users. Once such an endpoint is found, the attacker can iterate over all possible ID values until valid ones are found, and then leak sensitive information.
Such vulnerable endpoints are common, since authentication is sometimes cumbersome to implement and the large range of possible IDs appears secure enough. Billing systems are a common example.
Monitor APM traces from REST endpoints expecting an ID. Traces originating from local IP addresses are discarded so that internal microservice traffic is passlisted.
The remaining traces are aggregated into small groups sharing the same targeted service, source IP, and endpoint, and their status codes are compared. If more than 100 requests with a 4xx status code are found together with at least one request with a 200 status code, the endpoint is deemed under attack by that IP: the 4xx requests are interpreted as unsuccessful scanning and the 200 request as a correctly guessed ID.
A Low signal is then generated.
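The passlisting, aggregation and thresholding described above, as an added Python example that is not Datadog's rule implementation. The `Trace` record shape, the list of IP ranges treated as internal, the `detect_resource_enumeration` function and the sample traces are constructed assumptions for illustration; the threshold (strictly more than 100 4xx responses plus at least one 200 from the same service, source IP and endpoint) follows the description above.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumption: ranges treated as "local" and passlisted (RFC 1918, loopback, IPv6 ULA).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "::1/128", "fc00::/7")
]


@dataclass(frozen=True)
class Trace:
    """One APM trace for a request to an endpoint expecting an ID (constructed shape)."""
    service: str
    source_ip: str
    endpoint: str  # route template such as "/api/invoices/{id}", not the concrete URL
    status: int


def is_internal(ip: str) -> bool:
    """True when the source address falls in a passlisted internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def aggregate(traces: Iterable[Trace]) -> Dict[Tuple[str, str, str], Dict[str, int]]:
    """Group external traces by (service, source_ip, endpoint), counting 4xx and 200 responses."""
    groups: Dict[Tuple[str, str, str], Dict[str, int]] = defaultdict(lambda: {"4xx": 0, "200": 0})
    for t in traces:
        if is_internal(t.source_ip):
            continue  # passlist internal microservice traffic
        bucket = groups[(t.service, t.source_ip, t.endpoint)]
        if 400 <= t.status < 500:
            bucket["4xx"] += 1
        elif t.status == 200:
            bucket["200"] += 1
    return groups


def detect_resource_enumeration(traces: Iterable[Trace], client_error_threshold: int = 100) -> List[dict]:
    """Emit one Low signal per group with more than `client_error_threshold` 4xx responses
    and at least one 200: the 4xx are failed guesses, the 200 a correctly guessed ID."""
    signals = []
    for (service, ip, endpoint), counts in aggregate(traces).items():
        if counts["4xx"] > client_error_threshold and counts["200"] >= 1:
            signals.append({
                "severity": "low",
                "service": service,
                "source_ip": ip,
                "endpoint": endpoint,
                "client_errors": counts["4xx"],
                "successes": counts["200"],
            })
    return signals


def sample_traces() -> List[Trace]:
    """Constructed sample: one scanning client, one internal service, one ordinary client."""
    ep = "/api/invoices/{id}"
    scanner = [Trace("billing", "203.0.113.7", ep, 404) for _ in range(120)]
    scanner += [Trace("billing", "203.0.113.7", ep, 200) for _ in range(2)]
    internal = [Trace("billing", "10.0.0.5", ep, 404) for _ in range(150)]  # discarded
    internal += [Trace("billing", "10.0.0.5", ep, 200)]
    user = [Trace("billing", "198.51.100.9", ep, 200) for _ in range(40)]   # below threshold
    user += [Trace("billing", "198.51.100.9", ep, 404) for _ in range(3)]
    return scanner + internal + user


if __name__ == "__main__":
    for signal in detect_resource_enumeration(sample_traces()):
        print(signal)
```

Aggregating on the route template rather than the concrete URL is what makes the count meaningful: every guessed ID hits the same template, so the 4xx responses accumulate in one bucket per client and endpoint. Running the sample flags only the external scanning address; the internal service with the same pattern is passlisted and the ordinary client stays below the threshold.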