Reputation matters. Imagine a service that scores the behavior of millions of computers on the Internet. Imagine that your aunt’s computer is infected and sending out spam. Or a host in the cloud is compromised and port scanning your neighborhood. The service records that information and then distributes it to threat intelligence teams and security devices all around the world.
That service already exists – it’s available as the BrightCloud IP Reputation service from the company Webroot, which is just down the way from my house. I went over there one day and asked them how it worked. Webroot uses honeypots, sensors and endpoints all across the Internet to collect millions of malicious addresses into their reputation database.
The reason I was interested is because this is an IP reputation service behind our threat intelligence feed that we deliver to our own customers. We call this reputation subscription IP Intelligence (IPI). The service is delivered every day to each subscribing F5 BIG-IP.
The service is maintained in real-time and incremental updates are sent to the subscribers every few minutes. This means that when a new malicious host is detected by Webroot, each subscribing BIG-IP around the world can block it.
The reputation of each IP address is stored as a tuple in the database. Each address is accompanied by a field that describes which malicious behaviors the address is exhibiting:
Sending spam email (open mail relays)
Phishing end users into divulging credentials (phishing proxies)
Attack coordination (botnet command and control hosts)
Anonymized traffic (TOR exit nodes)
Network reconnaissance (known scanners)
Customers using the F5 Access Policy Manager (APM) module or the F5 web application firewall (ASM) can configure how those modules use IPI with pretty screens. All other customers can check the reputation of incoming or outgoing traffic by applying this categorization in the Local Traffic Manager (LTM). Check out how simple an IPI iRule is.
That particular iRule would drop any incoming connection that had a bad reputation of any kind – but it could be tweaked to allow some types while blocking others.
Webroot and F5 recently collaborated on a demonstration tool to show the threat intelligence value of IPI. A firewall administrator can feed a firewall log file into a local copy of the “Threat Intelligence Analyzer” to see the analysis.
Here’s what the tool looks like:
By the way, keeping security in mind, we figured that administrators would rather download a tool rather than upload their firewall logs somewhere else.
Who is attacking my home network?
I run what I consider to be a fairly sophisticated router at my house. I use the D-Link DIR-655 Xtreme N Wireless router. Yes it has three antennas, a rudimentary firewall, virtual applications and, of course, it can log to an external syslog server.
I collected a few weeks’ worth of firewall logs, applied some greps and seds and fed the log into the IP Threat Analyzer. It categorized just over 33% of the addresses hitting my house as malicious.
Most of the evil traffic (53%) comes from compromised hosts trying to send spam through my house. I used to run my own mailer so maybe my domain is remembered out there in spam world. Around a third (29%) of the addresses are from probes looking for vulnerable Windows (XP?) hosts. These will always be with us I think – it’s just like the background radiation from the big bang.
Mostly I’m worried about the 3% that are anonymous proxy addresses. Real hackers use anonymous proxies all the time to stay ahead of law-enforcement. I wonder what they are looking for at my place.
Interesting, isn’t it?
I think my next step will be to reroute all incoming traffic through the BIG-IP in my home lab so that I can block all of these attacks at layer 3 with IP Reputation and just stop worrying about it.
Here’s a comprehensive video on the Threat Analyzer.