Forum Discussion

Mykola_Tkachenk's avatar
Icon for Nimbostratus rankNimbostratus
May 07, 2018

VPN detection

Hello. I Received such from from marketing guy, for working with content providers:


Solution for VPN/Anonymous Proxy detection? This functionality is a mandatory requirement for all IP distribution of content.


Can I it implement in F5, and how?


3 Replies

  • The IP Intelligence subscription can help you to block these types of connections. (source P Intelligence Service Datasheet)


    The IP Intelligence service identifies and blocks IP addresses associated with a variety of threat sources, including:


    Windows exploits: Includes active IP addresses offering or distributing malware, shell code, rootkits, worms, or viruses.


    Web attacks: Includes cross-site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force.


    Botnets: Includes botnet command and control channels and infected zombie machines controlled by the bot master.


    Scanners: Includes all reconnaissance, such as probes, host scan, domain scan, and password brute force.


    Denial of service: Includes DoS, DDoS, anomalous SYN flood, and anomalous traffic detection.


    Reputation: When enabled, denies access to IP addresses currently known to be infected with malware or to contact malware distribution points.


    Phishing: Includes IP addresses hosting phishing sites or other kinds of fraud activities, such as click fraud or gaming fraud.


    Proxy: Includes IP addresses providing proxy and anonymization services, as well as The Onion Router (TOR) anonymizer addresses.


  • sebomb's avatar
    Icon for Nimbostratus rankNimbostratus

    Good evening.

    We had similar requirement in our application to block all VPN traffic. We had IP Intelligence (IPI) setup via our Application Security Manager.

    It seems to work well for preventing automated exploit attempts but it was not effective for VPN Detection. As a workaround solution for now we have been using VPN IP Database as a blocklist feed... so far it has been working great