Manual Chapter :
Enabling IP Address Intelligence
Applies To:
Show VersionsBIG-IP AAM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP APM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP Analytics
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP Link Controller
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP LTM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP PEM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP AFM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP DNS
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP ASM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Enabling IP Address Intelligence
Overview: Enabling IP address intelligence
An
IP intelligence database
is a list of IP addresses with questionable
reputations. IP addresses gain a questionable reputation and are added to the database as a
result of having performed exploits or attacks, or these addresses might represent proxy servers,
scanners, or systems that have been infected. You can prevent system attacks by excluding traffic
from malicious IP addresses. The IP Intelligence database is maintained online by a third
party.The BIG-IP® system can connect to an IP intelligence database, download
the contents, and automatically keep the database up to date. You use iRules® to instruct the system on how to use IP address intelligence information. For
example, iRules can instruct the system to verify the reputation of and log the originating IP
address of all requests.
You can also use the IP address intelligence information within security policies in the Application Security Manager™ to log or block requests from IP addresses with questionable reputations.
Downloading the IP intelligence
database
The requirements for using IP
Intelligence are:
- The system must have an IP Intelligence license.
- The system must have an Internet connection either directly or through an HTTP proxy server (see proxy configuration values below).
- The system must have DNS configured (go to).
When an HTTP proxy server is configured, DNS configuration is not always required. However, in some cases, such as when the
proxy.host
is not defined as the IP address, DNS is required.IP Intelligence is enabled by default
if you have a license for it. You only need to enable it if it was previously
disabled.
- Log in to the command line for the BIG-IP system.
- To determine whether IP intelligence auto-update is enabled, type the following command:tmsh list sys db iprep.autoupdateIf the value of theiprep.autoupdatevariable isdisable, IP intelligence is not enabled. If it isenable, your task is complete. No further steps are necessary.
- If disabled, at the prompt, typetmsh modify sys db iprep.autoupdate value enableThe system downloads the IP intelligence database and stores it in the binary file,/var/IpRep/F5IpRep.dat. It is updated every 5 minutes.
- If the BIG-IP system is behind a firewall, make sure that the BIG-IP system has external access tovector.brightcloud.comusing port443.That is the IP Intelligence server from which the system gets IP Intelligence information.
- If the BIG-IP system connects to the Internet using a forward proxy server, set these system database variables.
- Typetmsh modify sys db proxy.host valueto specify the �hostname
- Typetmsh modify sys db proxy.port valueto specify the port number of the proxy server.port_number
- Typetmsh modify sys db proxy.username valueto specify the user name to log in to the proxy server.username
- Typetmsh modify sys db proxy.password valueto specify the password to log in to the proxy server.password
The IP Intelligence feature remains
enabled unless you disable it with the command
tmsh modify sys db
iprep.autoupdate value disable
. Creating an iRule to log IP intelligence information
Before you can create an iRule to log IP Intelligence information, your system must have IP Intelligence enabled.
You use iRules to log IP Intelligence categories to the file
/var/log/ltm
. This is an example of the type of iRule you can write.- On the Main tab, click.The iRule List screen opens, displaying any existing iRules.
- ClickCreate.The New iRule screen opens.
- In theNamefield, type a name, such asmy_irule.The full path name of the iRule cannot exceed 255 characters.
- In theDefinitionfield, type the iRule using Tool Command Language (Tcl) syntax.For example, to log all IP addresses and any associated IP Intelligence categories, type the following iRule:when CLIENT_ACCEPTED { log local0. "IP Intelligence for IP address [IP::client_addr]: [IP::reputation [IP::client_addr]]" }For complete and detailed information iRules syntax, see the F5 Networks DevCentral web site (http://devcentral.f5.com).
- ClickFinished.The new iRule appears in the list of iRules on the system.
When traffic is received from an IP address with a questionable reputation and that is included in the IP intelligence database, the system prints the IP Intelligence information in the
/var/log/ltm
log.For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site,
http://devcentral.f5.com
.Creating an iRule to reject requests with questionable IP addresses
Before you can create an iRule to
reject requests based on an IP address reputation, your system must have IP Intelligence
enabled.
You can use iRules to reject requests from IP addresses that
have questionable reputations and are listed in the IP intelligence database. This is an
example of the type of iRule you can write.
- On the Main tab, click.The iRule List screen opens, displaying any existing iRules.
- ClickCreate.The New iRule screen opens.
- In theNamefield, type a name, such asmy_irule.The full path name of the iRule cannot exceed 255 characters.
- In theDefinitionfield, type the iRule using Tool Command Language (Tcl) syntax.For example, to reject requests from IP addresses listed in the IP intelligence database because they could be Windows Exploits or Web Attacks, type the following iRule:when HTTP_REQUEST { set ip_reputation_categories [IP::reputation [IP::client_addr]] set is_reject 0 if {($ip_reputation_categories contains "Windows Exploits")} { set is_reject 1 } if {($ip_reputation_categories contains "Web Attacks")} { set is_reject 1 } if {($is_reject)} { log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected" HTTP::respond 200 content "<HTML><HEAD><TITLE>Rejected Request</TITLE> </HEAD><BODY>The request was rejected. <BR> Attempted access from malicious IP address</BODY></HTML>" } }For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (http://devcentral.f5.com).
- ClickFinished.The new iRule appears in the list of iRules on the system.
When the system receives traffic from
an IP address that is included in the IP intelligence database, the system prints the IP
Intelligence information in the
/var/log/ltm
log.Checking the
reputation of an IP address
Before you can verify the reputation of an IP address, your system must have IP address
intelligence enabled.
You can verify the reputation of a specific IP
address.
- Log in to the command line for the BIG-IP system.
- At the prompt, typeiprep_lookupIP_addresswhereIP_addressis the address whose reputation you want to verify. For example, to verify1.1.1.1:iprep_lookup 1.1.1.1 opening database in /var/IpRep/F5IpRep.dat size of IP reputation database = 41693298 iprep threats list for ip = 1.1.1.1 is: bit 4 - Scanners bit 5 - Denial of ServiceThe system looks up the IP address, and if it is in the database, the command output displays the IP address intelligence categories that show the reason. In this case,1.1.1.1is a source of potential port or network scans and DoS attacks. If the IP address is not found in the IP intelligence database, the system returns the messageiprep_lookup not found for ip =.<ip_address>
Checking the status
of the IP intelligence database
You can display the status of the IP Intelligence
database to learn when it was last updated and the number of questionable IP addresses
it contains.
- Log in to the command line for the BIG-IP system.
- To display IP intelligence database status, typetmsh show sys iprep-status.The system displays the status. For example:----------------------------------------------------------------------- Sys::IP Reputation Database Status ----------------------------------------------------------------------- Last time the server was contacted for updates 04/21/2012 09:33:31 Last time an update was received 04/21/2012 09:33:31 Total number of IP Addresses in the database 5516336 Number of IP Addresses received in the last update 136
IP intelligence
categories
Along with the IP address, the IP intelligence database
stores the category that explains the reason that the IP address is considered
untrustworthy.
Category Name |
Description |
---|---|
Spam Sources |
IP addresses tunneling spam messages through
proxy, anomalous SMTP activities and forum spam activities. |
Windows Exploits |
Active IP addresses that have exercised
various exploits against Windows resources by offering or distributing
malware, shell code, rootkits, worms, or viruses using browsers,
programs, downloaded files, scripts, or operating system
vulnerabilities. |
Web Attacks |
IP addresses involved in cross site scripting,
iFrame injection, SQL injection, cross domain injection, or domain
password brute force. |
Botnets |
IP addresses of computers that are infected
with malicious software (Botnet Command and Control channels, and
infected zombie machines) and are controlled as a group by a Bot master,
and are now part of a botnet. Hackers can exploit botnets to send spam
messages, launch various attacks, or cause target systems to behave in
other unpredictable ways. |
Scanners |
IP addresses that are involved in
reconnaissance, such as probes, host scan, domain scan, and password
brute force, typically to identify vulnerabilities for later
exploits. |
Denial of Service |
IP addresses involved in application DoS
Attacks, or anomalous traffic detection. |
Infected Sources |
Active IP addresses that issue HTTP requests
with a low reputation index score, or that are known malicious web sites
offering or distributing malware, shell code, rootkits, worms, or
viruses. |
Phishing Proxies |
IP addresses that host phishing sites, and
other kinds of fraud activities, such as ad click fraud or gaming fraud.
|
Mobile Threats |
IP addresses of malicious and unwanted mobile
applications. |
Tor Proxies |
IP addresses acting as exit nodes for the Tor
Network. Exit nodes are the last point along the proxy chain and make a
direct connection to the originator’s intended destination. |