Dashboard Terminology

Bandwidth Consumption:

What do the total bandwidth consumption and upload bandwidth mean?

This indicates the total amount of data transferred through the Prophaze appliance during the reporting period. (incoming and outgoing).
Upload bandwidth represents the data uploaded from your network to the internet.

How does Prophaze handle large file uploads that could consume significant bandwidth?

Prophaze has features to manage large file uploads, such as:

Throttling upload speeds to prevent overwhelming bandwidth.
Setting size limits for uploads to prevent abuse.
Integrating with Cloud storage solutions for efficient handling of large files.

Geo Attack Distribution:

What countries are the attacks originating from?

The map shows the geographical distribution of IP addresses associated with the blocked/detected attacks. This can help identify potential sources of threats.

Attack Types:

What do A03:2021-Injection and A04:2021-Insecure Design mean? Naming conventions

These codes represent specific attack categories identified by Prophaze.

A03:2021-Injection indicates attempts to inject malicious code into your system.
A04:2021-Insecure Design points to vulnerabilities in website or application design that attackers try to exploit.

Top 10 Attack IP Addresses:

What should I do about the IP addresses listed here?

If in active mode it will automatically be blocked and if in learning mode it will only be detected (Prophaze will do these parts.)

You can consider blocking these specific IPs at your network firewall if the attacks are persistent and originate from the same sources.

Top 10 Attack Originating Countries:

Does this mean all traffic from these countries is malicious?

No, it only indicates that attacks originated from IP addresses located in those countries. Legitimate traffic can also come from these regions. Which won't be blocked.
We can block the traffic coming from a particular country.

Top 10 User IP addresses:

What do these IP addresses represent?

This list shows the top 10 IP addresses that generated the most traffic during the reporting period.

Most Used HTTP Methods:

What do the different HTTP methods (GET, POST, HEAD, OPTIONS) represent?

These are standard methods used in HTTP communication between web browsers and servers.

GET is used to retrieve information from a server.
POST is used to send data to a server.

IP Address Information:

What information is provided for each attack attempt?

The table shows:

Date and Time of the attack attempt
IP Address of the attacker
Country associated with the IP address
Two options: "Permanently Block IP address" and "Allow IP address"
"Explore" button leads to more details about the specific attack.

Taking Action:

What does "Permanently Block IP address" do?

This option instructs the security solution to block all future traffic attempts from that specific IP address.

What does "Allow IP address" do?

Choosing this option would allow traffic from that specific IP address despite the potential attack attempt.

How are attacks identified and grouped by IP address?

The security solution analyzes traffic patterns and compares them against known attack signatures or threat intelligence to identify suspicious activity.

What factors should I consider before blocking an IP address?

False positives: Security systems can sometimes misidentify legitimate traffic as attacks. Investigate before blocking to avoid impacting authorized users.
IP reputation: Check if the IP is known to be malicious using online tools or threat intelligence feeds.

Impact on legitimate users: Blocking a shared IP address might affect other users behind that IP. Consider alternative mitigation strategies if necessary.

Are there other ways to manage attacks besides blocking IP addresses?

Rate limiting: Restrict the number of requests an IP address can send within a specific timeframe.
Challenge-response mechanisms: Implement CAPTCHAs or other challenges to differentiate between bots and human users.
Security rules customization: Create custom rules based on specific threat intelligence to target attack patterns.

What is SQL injection?

SQL injection is a cyberattack technique where malicious code is injected into website forms or database queries. This code can then be used to steal sensitive data, modify information, or disrupt website functionality.

Do we get the information about what was the targeted URI (Uniform Resource Identifier)?

Yes, we get information like the below given example:

/wp-content/plugins/about.php - This suggests the attacker might have targeted a specific plugin on a WordPress website.

Can we know the severity of the attack?

Yes, depending upon the attacks they are categorized as high and low.

High - This indicates a potentially serious attack that could have compromised the website or user data.

Request Details:

What information is included in the request headers?

This section shows details about the attacker's browser, encoding preferences, and connection type.

Do we get to know what type of attack it was?

Yes, we get all the information about different kinds of attacks like:

An SQL injection attempt. This means the attacker tried to inject malicious code into a web page to potentially steal data or gain unauthorized access to the system

How did Prophaze detect the attack?

Prophaze identified specific characters or patterns in the request body that are commonly used in SQL injection attempts (e.g., "print_r"). Other similar methods are also used depending on the attack patterns.

What did the attacker try to achieve?

SQL injection attempts can be used for various malicious purposes, such as:

Stealing sensitive information from the database (usernames, passwords).
Modifying data stored in the database.
Taking control of the database server.

PreviousOnboarding Process NextAttack Section

Last updated 1 year ago