
Token Distribution Report

The tutorial video below covers the same topics as this article.

The Token Distribution report shows how your unique tokens are being used and distributed across machines. The tokens included in this report are the same as those specified in API settings for each of your API domains. Use this report to review the top offending tokens and IP addresses. Then, blacklist troublesome IPs using your access control list (ACL).

Accessing the Token Distribution Report

  1. Log in to the Distil Networks Portal.
  2. Click API Security on the banner menu. 
  3. Click Reports on the left panel menu.
  4. Click Token Distribution.
  5. Search for and then select a specific API domain.

Reviewing the Token Distribution Report

The Token Distribution report includes:


Reviewing Abusive Authentication Tokens

When the toggle is set to Token, the Violating Tokens by Bad Bot Requests graph displays the total number of unique IP addresses used by a single token. Use this information to quickly discover which tokens are experiencing IP cycling or other abuse by overuse (e.g., a token intended for a single user that is linked to tens, hundreds, or thousands of IP addresses).

For example, a company’s business model assigns one authentication token to each user, or IP address. In the example above, a single token is being used by nearly 2,000 IP addresses—a clear sign of abuse in which a single token is reused by many users.

The data is also provided in a tabular view, which includes:

  • Token Name – Name of the token as originally defined on the API Settings page for the API domain.
  • Token Value – Hash of the token used to access your API. 
  • Total Abusive Requests – Total number of violating requests tied to an abusive token.
  • Total Unique IPs – Total number of IP addresses associated with a token. Select a record from this column to drill down to specific abusive IPs, and then add them to your ACL.
  • Total Requests – Total number of requests associated with a token, including neutral, whitelisted, and abusive requests.


Reviewing Abusive IP Addresses

When the format toggle is set to IP, the graph shows the total number of tokens associated with a single IP address. Use this information to quickly learn which IPs are abusing your authentication tokens (such as an unwanted or unknown user hijacking a known token for malicious use).

For example, a company allows users limited access to APIs via free tokens. Malicious users may sign up multiple times and cycle through free tokens to bypass the restriction and get extended API access.


As another example, an organization assigns authentication tokens to its employees so they may access proprietary content and data. As shown above, a single user, or IP address, is tied to 13 tokens. This could be an indication of token abuse, in which a single user is attempting to hijack authentication tokens belonging to others.

The data is also provided in a tabular view, which includes:

  • IP – IP address associated with abusive requests. Select a record from this column to drill down to specific abusive IPs and then add them to your ACL.
  • Total Abusive Requests – The total number of violating requests tied to an IP. 
  • Unique Tokens – The total number of tokens associated with a unique IP address.
  • Total Requests – The total number of requests associated with an IP, including neutral, whitelisted, and abusive requests.
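
The two views described above (unique IPs per token, unique tokens per IP) can be reproduced from your own API access logs. The following is an added example, not Distil Networks code; the log format, token names, addresses and the threshold of 2 are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample access log: "<client_ip> <api_token> <verdict>".
# The format, tokens and addresses are made up for this example.
SAMPLE_LOG = """\
198.51.100.10 tok-alice ok
198.51.100.10 tok-alice ok
203.0.113.1 tok-shared abusive
203.0.113.2 tok-shared abusive
203.0.113.3 tok-shared ok
203.0.113.4 tok-shared abusive
192.0.2.77 tok-free-1 abusive
192.0.2.77 tok-free-2 abusive
192.0.2.77 tok-free-3 ok
malformed line with too many fields
"""

def token_hash(token):
    """Report a truncated SHA-256 of the token, never the raw secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def distribution(log_text):
    """Build both views: per-token (unique IPs) and per-IP (unique tokens)."""
    new = lambda: {"peers": set(), "abusive": 0, "total": 0}
    by_token, by_ip = defaultdict(new), defaultdict(new)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("ok", "abusive"):
            continue  # skip lines that do not match the assumed format
        ip, token, verdict = parts
        hashed = token_hash(token)
        for row, peer in ((by_token[hashed], ip), (by_ip[ip], hashed)):
            row["peers"].add(peer)
            row["total"] += 1
            row["abusive"] += verdict == "abusive"
    return by_token, by_ip

def offenders(view, max_peers):
    """Keys whose distinct-peer count exceeds the threshold, worst first."""
    hits = [(key, len(row["peers"])) for key, row in view.items()
            if len(row["peers"]) > max_peers]
    return sorted(hits, key=lambda hit: -hit[1])

if __name__ == "__main__":
    tokens, ips = distribution(SAMPLE_LOG)
    # Assumed policy: one token per user, so more than 2 peers is suspicious.
    print("tokens seen from many IPs:", offenders(tokens, 2))
    print("IPs using many tokens:   ", offenders(ips, 2))
```

Set the threshold from your own token policy: a one-token-per-user model tolerates far fewer IPs per token than a token shared by a mobile client population.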

Blacklisting IPs Via the Token Distribution Report

Once you have identified one or more troublesome IP addresses using the Token Distribution report, you can use access controls to blacklist them and stop future attempts:

 

  1. Switch the format toggle to IP.
  2. Select an IP to open the Whois and Access Control dialog box.
  3. Select a Domain and Security Setting Rule to target the settings for a specific domain.
  4. Click Blacklist.
  5. Click Blacklist <selected IP address> to save the settings and blacklist the IP address from making future attempts.

 

NOTE: You can also whitelist any IP address. Whitelisted IPs are never blocked, regardless of any traps they may trigger. This option can be especially useful to allow internal tool access, such as automation test tools, which can be mistaken for malicious bots. To do so, follow the steps above, but click Whitelist in step 5.

 

Another way to blacklist IP addresses using the Token Distribution report is to first identify a troublesome token and then drill down to the offending IPs:

 

  1. Switch the format toggle to Token.
  2. Click the Total Unique IPs associated with the troublesome token.
  3. Click the IP associated with the troublesome token to open the Whois and Access Control dialog box.
  4. Select a Domain and Security Setting Rule to target the settings for a specific domain.
  5. Click Blacklist.
  6. Click Blacklist <selected IP address> to save the settings and blacklist the IP address from making future attempts.

 

NOTE: You can also whitelist any IP address. Whitelisted IPs are never blocked, regardless of any traps they may trigger. This option can be especially useful to allow internal tool access, such as automation test tools, which can be mistaken for malicious bots. To do so, follow the steps above, but click Whitelist in step 5.
