Possible attack - many requests with status code 404

In case the EVENT_WR-Y-attack-601 warning (Possible attack - {NUM} requests with status code 404 within {NUM} seconds) appears frequently, this can have the following causes:

  • Bad links inside or outside the application.
  • Forceful browsing, especially if all requests come from the same IP address.
  • A misconfiguration of Airlock Gateway.

This event is generated if 10 or more requests result in status code 404 within 1 minute.

Since unnecessary requests affect the overall system performance, the cause(s) should be addressed soon. This event can be customized in frequency and number of log messages it is based on. See Customizing events for more information.

Research and countermeasures

Research the cause(s) before taking any countermeasures.

  • Analyze why the 404 responses occur:
  • Are there missing files? Which files cannot be found, and why?
  • Are there broken links in the application that a user repeatedly uses?
  • Does forceful browsing possibly trigger the event?

Use the Gateway URL encryption feature to protect your application as a countermeasure for forceful browsing effectively. See URL encryption.