Forum Discussion

jlsantini
May 09, 2024

Reliable resources for identifying IP addresses

Hello! I'm a project manager responsible for the WAF implementation in my organization.  Aside from overseeing the implementation, I'm in the trenches, so to speak, with the everyday care and feedin...
    F5_Design_Engineer
    May 10, 2024

    Hi @jlsantini,


    From what I understand of your write-up, and trying to translate it into technical requirements, you are looking for a feature that can be used for IP intelligence. Here is what I can suggest: you will find more details below about these two features in F5 ASM/WAF and how to implement them.

    All these topics, when implemented properly, will address your IP address identification queries and help you offload the manual task of matching IP addresses using an Excel sheet, which is not a viable solution when you can harness features like the ones below in F5 ASM.

    1. IP Intelligence - Detect malicious activity and IP addresses with help from a global threat-sensor network and IP intelligence database. Enable granular threat reporting and. To implement IPI there are some prerequisites:
       - IPI license
       - A user with admin privileges
       - BIG-IP must have internet connectivity


    2. Geolocation - F5 BIG-IP supports two types of IP geolocation databases: Edge and Pulse. The Edge database is based on IP traffic data, while the Pulse database uses information from mobile devices and Wi-Fi connection points. The Pulse database is more accurate, but also larger in file size, so F5 doesn't support city level for it.

    F5 updates the IP geolocation database every Tuesday based on new databases created by Digital Element each week. F5 recommends keeping geolocation up to date because IPs can change countries. 


    To download and install updated IP geolocation database files on a BIG-IP system, users can:
       1. Go to the GeoLocationUpdates container on the MyF5 Downloads site.
       2. Download the updated files.
       3. Install the files on the BIG-IP system.

    Users can check if the IP geolocation database files on the BIG-IP system are up-to-date by following the procedure in K12866: Troubleshooting IP geolocation database inaccuracies. 


    F5's geolocation feature can also capture a device's latitude by using the device's address. 


    IP Intelligence Categories

    Reference: IP Intelligence Categories

    Category name: Description
    Spam Sources: IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities.
    Windows Exploits: Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.
    Web Attacks: IP addresses involved in cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force.
    Botnets: IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways.
    Scanners: IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits.
    Denial of Service: IP addresses involved in application DoS attacks, or anomalous traffic detection.
    Infected Sources: Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses.
    Phishing Proxies: IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud.
    Anonymous Proxy: IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services).
    Cloud-based Services: IP addresses and networks that are used by cloud providers.
    Mobile Threats: IP addresses of malicious and unwanted mobile applications.
    Tor Proxies: IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator's intended destination.


    Here are some reference web links I am sharing. Go through them, and once you find whether they match your requirement, please feel free to come back with more queries for help in any particular scenario.

    I will be glad to assist you further.


    Initially you can go through these references:

    Module 1: IPI & Geolocation

    Module 1: IPI & Geolocation (f5.com)

    Add a Geolocation Policy

    Lab 2 - Add a Geolocation Policy (f5.com)

    Configuring geolocation enforcement using BIG-IP ASM security policy (f5.com)

    https://my.f5.com/manage/s/article/K79414542


    Looking up IP geolocation data using the geoip_lookup command

    https://my.f5.com/manage/s/article/K15042


    IP Intelligence Policies

    Lab 1 - IP Intelligence Policies (f5.com)

    https://www.f5.com/pdf/products/ip-intelligence-service-ds.pdf

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-13-1-0/8.html

    The Power of IP Intelligence (IPI)

    https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/setting-up-ip-address-intelligence-blocking.html

    Managing IP reputations and the IP Address Intelligence database

    https://my.f5.com/manage/s/article/K13875


    Please rate or mark it as the solution in case this addresses your queries regarding moving from manual IP address checking to feature-rich IP intelligence and geolocation-based ASM policy inclusiveness.

    That will be helpful for others reading this blog.


    HTH
    🙏
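A worked example of the two features described in the reply above, added here as an illustration; it is not part of F5_Design_Engineer's post and not F5-published code. It is an LTM iRule that runs both lookups on each new connection: the geolocation database via `whereis` and the IP Intelligence categories via `IP::reputation` (which returns an empty list when IPI has no data for the address). It assumes IPI is licensed and the geolocation database is installed on the BIG-IP; the country allow-list, the set of categories that trigger a drop, and the `X-Client-Anon` header name are illustrative policy choices, not anything the post or F5 prescribes.

```tcl
# Added example iRule (not from the original post). Assumes an IPI licence and an
# installed geolocation database. Country list, blocked categories and header name
# are illustrative assumptions; tune them per application.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Geolocation: two-letter ISO country code from the installed database.
    # An empty string means "not in the database" (e.g. RFC 1918 space, or a stale
    # database that predates a newly allocated range), which is why it is never
    # treated as a hard reject below.
    set country [whereis $client country]

    # IP Intelligence: list of category names this address is currently listed in.
    # An empty list means "no reputation data", not "known good".
    set categories [IP::reputation $client]

    # Categories from the IPI category table that warrant dropping the connection
    # outright for this application (illustrative policy).
    set block_categories [list "Botnets" "Web Attacks" "Scanners" "Denial of Service"]

    foreach cat $categories {
        if { [lsearch -exact $block_categories $cat] >= 0 } {
            log local0. "IPI drop: $client country=$country categories=[join $categories ,]"
            drop
            return
        }
    }

    # Anonymising infrastructure is let through but flagged so the WAF team can
    # correlate it in logs without re-running the lookup.
    if { [lsearch -exact $categories "Tor Proxies"] >= 0 || \
         [lsearch -exact $categories "Anonymous Proxy"] >= 0 } {
        set anon 1
    } else {
        set anon 0
    }

    # Geolocation allow-list (illustrative). Reject only on a definite, non-empty
    # country that is not on the list; an empty lookup result is ambiguous.
    set allowed_countries [list "US" "CA" "GB"]
    if { $country ne "" && [lsearch -exact $allowed_countries $country] < 0 } {
        log local0. "Geo reject: $client country=$country"
        reject
        return
    }
}

when HTTP_REQUEST {
    # Variables set in CLIENT_ACCEPTED persist for the connection, so the verdict
    # can be handed to the pool member as a header (name is an assumption).
    if { [info exists anon] && $anon } {
        HTTP::header insert "X-Client-Anon" "1"
    }
}
```

Two points worth keeping in mind when adapting this: `IP::reputation` only returns results when the IPI licence is active and the BIG-IP can reach the reputation feed, so test the empty-list path deliberately; and `whereis` results are only as good as the installed database, which is why the reply's advice to keep the weekly geolocation update current matters for the country check.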