Manual Chapter : Setting Up IP Intelligence Blocking

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.0.0, 14.1.0
Manual Chapter

Setting Up IP Intelligence Blocking

Overview: Setting up IP intelligence blocking

In Application Security Manager, you can use IP Intelligence blocking in a security policy to block requests from IP addresses that have questionable reputations. IP addresses from which attacks or spam have originated are included in an IP intelligence database, along with the category describing the problem. The BIG-IP system must connect to the IP intelligence database before you can use IP Intelligence blocking.
You can configure a security policy to log (alarm) or block requests from IP addresses of questionable reputation, and to perform different actions depending on the categories of problems. For example, you can block requests from IP addresses associated with Windows exploits and log requests from scanners.
You can create a whitelist of IP addresses that might be in the database, and allow them to access the web application regardless of their IP reputation. This is a way to ensure that traffic from known sources is not blocked because of IP Intelligence data.
You can also use iRules to instruct the system how to use IP Intelligence information.

Task summary

Downloading the IP intelligence database

The requirements for using IP Intelligence are:
  • The system must have an IP Intelligence license.
  • The system must have an Internet connection either directly or through an HTTP proxy server (see proxy configuration values below).
  • The system must have DNS configured (go to
    System
    Configuration
    Device
    DNS
    ).
When an HTTP proxy server is configured, DNS configuration is not always required. However, in some cases, such as when the
proxy.host
is not defined as the IP address, DNS is required.
IP Intelligence is enabled by default if you have a license for it. You only need to enable it if it was previously disabled.
To enable IP Intelligence on the BIG-IP system, you enable auto-update to download the IP intelligence database to the system.
  1. Log in to the command line for the BIG-IP system.
  2. To determine whether IP intelligence auto-update is enabled, type the following command:
    tmsh list sys db iprep.autoupdate
    If the value of the
    iprep.autoupdate
    variable is
    disable
    , IP intelligence is not enabled. If it is
    enable
    , your task is complete. No further steps are necessary.
  3. If disabled, at the prompt, type
    tmsh modify sys db iprep.autoupdate value enable
    The system downloads the IP intelligence database and stores it in the binary file,
    /var/IpRep/F5IpRep.dat
    . It is updated every 5 minutes.
  4. If the BIG-IP system is behind a firewall, make sure that the BIG-IP system has external access to
    vector.brightcloud.com
    using port
    443
    .
    That is the IP Intelligence server from which the system gets IP Intelligence information.
  5. If the BIG-IP system connects to the Internet using a forward proxy server, set these system database variables.
    1. Type
      tmsh modify sys db proxy.host value
      hostname
      to specify the host name of the proxy server.
    2. Type
      tmsh modify sys db proxy.port value
      port_number
      to specify the port number of the proxy server.
    3. Type
      tmsh modify sys db proxy.username value
      username
      to specify the user name to log in to the proxy server.
    4. Type
      tmsh modify sys db proxy.password value
      password
      to specify the password to log in to the proxy server.
The IP Intelligence feature remains enabled unless you disable it with the command
tmsh modify sys db iprep.autoupdate value disable
.
You can create iRules to instruct the system how to handle traffic from IP addresses with questionable reputations, or use Application Security Manager to configure IP Intelligence blocking.

Blocking IP addresses with bad reputations

You can configure a security policy to log and block requests from source IP addresses that, according to an IP intelligence database, have a bad reputation and could cause a potential attack.
  1. On the Main tab, click
    Security
    Application Security
    IP Addresses
    IP Intelligence
    .
    The IP Intelligence screen opens.
  2. In the
    Current edited policy
    list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Select the
    IP Intelligence
    check box.
    The screen refreshes, and displays additional configuration options.
  4. For the
    IP Address Whitelist
    setting, click the arrow to go to a screen where you can specify any IP addresses you want to allow, even if they are found in the IP intelligence database.
    The system adds any whitelist IP addresses to the centralized IP address exceptions list. The exceptions list is common to both brute force prevention and web scraping detection configurations.
    The system updates the whitelist with the allowed IP addresses.
  5. In the IP Intelligence Categories area, select
    Alarm
    or
    Block
    , or both, for the categories of IP addresses you are interested in.
    • Select
      Alarm
      to cause the system to log the IP Intelligence data (IP Intelligence category and status) on the Requests screen whenever a request is from a source IP address in that category.
    • Select
      Block
      to stop requests sent from a source IP address that matches that category
    To select all categories at once, click the
    Alarm
    or
    Block
    column name check boxes.
  6. Click
    Save
    .
The system matches source IP addresses to those in the IP Intelligence database. When a match is found, the violation
Access from malicious IP address
occurs. The system determines what category of reputation the IP address has, then logs or blocks the IP address according to how the IP Intelligence categories are set.

Reviewing IP intelligence statistics

After you set up IP intelligence blocking on the Application Security Manager, you can review statistics concerning how many requests were received from IP addresses with questionable reputations. You can also view the requests from those IP addresses.
  1. On the Main tab, click
    Security
    Reporting
    Application
    .
    The Charts screen opens.
  2. In the Charts area, next to
    View by
    , click
    IP Intelligence
    .
    The chart shows details about IP addresses that were used to send the illegal requests, grouped according to their reputation in the IP intelligence database.
  3. Hover over the pie chart or look at the Details table below it to see the categories of IP addresses with questionable reputations.
  4. Under Chart Path on the left, click
    View Requests
    to see the requests from IP addresses in the IP intelligence database.
    The Requests list opens.
  5. Click any request to view details about the request.
    The screen expands to show more information about the request. IP Intelligence information is shown in the
    Source IP Address
    field in the request details. The details include the category of the malicious IP address and information about when the IP intelligence database was last updated.
  6. If you have set up remote logging, you can also review IP intelligence data on the remote logger.
Based on the statistics and IP Intelligence categories that the IP addresses fall into, you can adjust what happens (alarm or block) when the system receives requests from IP addresses in different categories.

Creating an iRule to log IP intelligence information

Before you can create an iRule to log IP Intelligence information, your system must have IP Intelligence enabled.
You use iRules to log IP Intelligence categories to the file
/var/log/ltm
. This is an example of the type of iRule you can write.
  1. On the Main tab, click
    Local Traffic
    iRules
    .
    The iRule List screen opens, displaying any existing iRules.
  2. Click
    Create
    .
    The New iRule screen opens.
  3. In the
    Name
    field, type a name, such as
    my_irule
    .
    The full path name of the iRule cannot exceed 255 characters.
  4. In the
    Definition
    field, type the iRule using Tool Command Language (Tcl) syntax.
    For example, to log all IP addresses and any associated IP Intelligence categories, type the following iRule:
    when CLIENT_ACCEPTED { log local0. "IP Intelligence for IP address [IP::client_addr]: [IP::reputation [IP::client_addr]]" }
    For complete and detailed information iRules syntax, see the F5 Networks DevCentral web site (
    http://devcentral.f5.com
    ).
  5. Click
    Finished
    .
    The new iRule appears in the list of iRules on the system.
When traffic is received from an IP address with a questionable reputation and that is included in the IP intelligence database, the system prints the IP Intelligence information in the
/var/log/ltm
log.
For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site,
http://devcentral.f5.com
.

Creating an iRule to reject requests with questionable IP addresses

Before you can create an iRule to reject requests based on an IP address reputation, your system must have IP Intelligence enabled.
You can use iRules to reject requests from IP addresses that have questionable reputations and are listed in the IP intelligence database. This is an example of the type of iRule you can write.
  1. On the Main tab, click
    Local Traffic
    iRules
    .
    The iRule List screen opens, displaying any existing iRules.
  2. Click
    Create
    .
    The New iRule screen opens.
  3. In the
    Name
    field, type a name, such as
    my_irule
    .
    The full path name of the iRule cannot exceed 255 characters.
  4. In the
    Definition
    field, type the iRule using Tool Command Language (Tcl) syntax.
    For example, to reject requests from IP addresses listed in the IP intelligence database because they could be Windows Exploits or Web Attacks, type the following iRule:
    when HTTP_REQUEST { set ip_reputation_categories [IP::reputation [IP::client_addr]] set is_reject 0 if {($ip_reputation_categories contains "Windows Exploits")} { set is_reject 1 } if {($ip_reputation_categories contains "Web Attacks")} { set is_reject 1 } if {($is_reject)} { log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected" HTTP::respond 200 content "<HTML><HEAD><TITLE>Rejected Request</TITLE> </HEAD><BODY>The request was rejected. <BR> Attempted access from malicious IP address</BODY></HTML>" } }
    For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (
    http://devcentral.f5.com
    ).
  5. Click
    Finished
    .
    The new iRule appears in the list of iRules on the system.
When the system receives traffic from an IP address that is included in the IP intelligence database, the system prints the IP Intelligence information in the
/var/log/ltm
log.

IP intelligence categories

Along with the IP address, the IP intelligence database stores the category that explains the reason that the IP address is considered untrustworthy.
Category Name
Description
Spam Sources
IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities.
Windows Exploits
Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.
Web Attacks
IP addresses involved in cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force.
Botnets
IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways.
Scanners
IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits.
Denial of Service
IP addresses involved in application DoS Attacks, or anomalous traffic detection.
Infected Sources
Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses.
Phishing Proxies
IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud.
Anonymous Proxy
IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services).
Cloud-based Services
IP addresses and networks that are used by cloud providers.
Mobile Threats
IP addresses of malicious and unwanted mobile applications.
Tor Proxies
IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.