The Power of IP Intelligence (IPI)
I am excited to write about IP Intelligence (IPI), which is a very powerful and easy-to-implement feature. Let's start by understanding what IPI is. IP Intelligence is a database of malicious IP addresses that is maintained by a third-party company called Brightcloud. The feature is enabled by obtaining an add-on license for BIG-IP. Once the license is activated, IPI needs to connect to Brightcloud to download and update the database, so BIG-IP must have internet connectivity, either directly or via a proxy.
IPI is more of a set-and-forget feature: once implemented, no manual intervention is required. Because it is a security feature, it is often assumed to work only with BIG-IP security products such as AFM, Advanced WAF, ASM or APM, but that is not true. It can be implemented on BIG-IP LTM and other BIG-IP products as well. In this article we will discuss the benefits of having IPI and how easy it is to implement on F5 BIG-IP LTM.
To understand the benefit of IPI, let us look at what happens before and during an attack. Everyone knows that a DDoS attack consumes bandwidth and system resources. But before launching an attack, attackers usually perform reconnaissance and run scans to find vulnerable applications and systems. While doing so they keep a low profile and send a comparatively small number of requests, which get mixed in with normal traffic and go untracked.
It means it is possible that during normal operations:
- Attackers may be sending malicious requests to do reconnaissance.
- Attackers may be performing scans to find vulnerable applications/systems.
- Those malicious requests are consuming system resources and bandwidth.
Now what will change if you have implemented IPI:
- Any request coming from an IP address that IPI knows to be malicious will be blocked.
- By blocking all requests coming from malicious IPs, IPI will free up system resources and bandwidth for legitimate requests.
- By default the database updates automatically every 5 minutes, so no manual intervention is required.
Now that we have seen how beneficial IPI is, let's find out how to implement it on BIG-IP LTM.
To implement IPI there are some prerequisites as follows:
- IPI license
- A user with admin privileges
- BIG-IP must have internet connectivity
- Downtime, in case BIG-IP is standalone. If BIG-IP is in an HA pair, the license can be activated on the standby unit first to avoid downtime.
Implementation of IPI is quite simple.
- Activate the license
- Verify IPI status
- Create iRule
- Apply iRule to the virtual server
- Check logs
- Activate the add-on license on BIG-IP; for that you may refer to the articles below.
K2595: Activating and installing a license file from the command line
K7752: Licensing the BIG-IP system using GUI
- Verify that IPI is working by running the following command. If IPI is able to download and update the database, you will see output similar to this.
# tmsh show sys iprep-status
<Sample output>
------------------------------------------------------------------------
Sys::IP Reputation Database Status
------------------------------------------------------------------------
Last time the server was contacted for updates 08/30/2022 03:37:48
Last time an update was received 08/30/2022 03:37:50
Total number of IP Addresses in the database 3783404
Number of IP Addresses received in the last update 43
Last time the server was contacted for IPv6 updates 08/30/2022 03:37:48
Last time an IPv6 update was received 08/29/2022 21:37:51
Total number of IPv6 Addresses in the database 48033
- To check the IP reputation of an address, run the following command, replacing <x.x.x.x> with the IP address.
In case the IP is malicious you will get output similar to this.
iprep_lookup <x.x.x.x>
opening database in /var/IpRep/F5IpRep.dat
Size of IP reputation database = 27134905
iprep threats list for ip = x.x.x.x is:
bit 0 - Spam Sources
Bit 1 - Windows Exploits
bit 4 - Scanners
In case the IP is not malicious you will get output similar to this.
opening database in /var/IpRep/F5IpRep.dat, /var/IpRep/F5IpV6Rep.dat
size of IP reputation database = 26483828, 912627
iprep_lookup not found for ip = x.x.x.x
- By default the database updates every 5 minutes, but if required you may change this with the following commands. The interval can be set to anything between 1 minute and 525600 minutes (1 year).
This command shows the configured value:
# list sys db iprep.intervalmin
sys db iprep.intervalmin {
value "5"
}
To modify the default interval, run the following command with the value you require. The command below changes the interval from 5 minutes to 10 minutes.
# modify sys db iprep.intervalmin value 10
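As an added example (not part of the article, and not F5 code), the following Python script parses the output of `tmsh show sys iprep-status` shown above and flags a database family whose last contact with the update server is older than a few multiples of `iprep.intervalmin`. The sample text is constructed from the article's own output; the three-interval tolerance is an assumed operational threshold. On a real BIG-IP you would feed it the live tmsh output and the configured interval.

```python
from datetime import datetime, timedelta

# Constructed sample, shaped like the "tmsh show sys iprep-status" output
# shown in the article (timestamps and counters are the article's values).
SAMPLE_STATUS = """\
------------------------------------------------------------------------
Sys::IP Reputation Database Status
------------------------------------------------------------------------
Last time the server was contacted for updates 08/30/2022 03:37:48
Last time an update was received 08/30/2022 03:37:50
Total number of IP Addresses in the database 3783404
Number of IP Addresses received in the last update 43
Last time the server was contacted for IPv6 updates 08/30/2022 03:37:48
Last time an IPv6 update was received 08/29/2022 21:37:51
Total number of IPv6 Addresses in the database 48033
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"

# Label prefix -> (field name, value type). Prefix matching is unambiguous
# because the IPv4 and IPv6 labels diverge before the value starts.
LABELS = {
    "Last time the server was contacted for updates": ("v4_contacted", "ts"),
    "Last time an update was received": ("v4_updated", "ts"),
    "Total number of IP Addresses in the database": ("v4_total", "int"),
    "Number of IP Addresses received in the last update": ("v4_last_delta", "int"),
    "Last time the server was contacted for IPv6 updates": ("v6_contacted", "ts"),
    "Last time an IPv6 update was received": ("v6_updated", "ts"),
    "Total number of IPv6 Addresses in the database": ("v6_total", "int"),
}


def parse_iprep_status(text):
    """Parse tmsh iprep-status output into a dict of datetimes and integers."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        for label, (key, kind) in LABELS.items():
            if line.startswith(label):
                value = line[len(label):].strip()
                fields[key] = datetime.strptime(value, TS_FMT) if kind == "ts" else int(value)
                break
    return fields


def check_freshness(fields, now, interval_min=5, tolerance=3):
    """Return [(family, age_minutes)] for each database family whose last
    contact with the update server is older than tolerance * interval_min.

    The "contacted" timestamp is checked rather than "update was received":
    an update is only received when Brightcloud has changes, so an old
    "received" time is normal, whereas an old "contacted" time means the
    BIG-IP cannot reach the feed (license, DNS, proxy or connectivity issue).
    """
    limit = timedelta(minutes=interval_min * tolerance)
    stale = []
    for family, key in (("ipv4", "v4_contacted"), ("ipv6", "v6_contacted")):
        if key not in fields:
            stale.append((family, None))  # field missing: treat as unverifiable
            continue
        age = now - fields[key]
        if age > limit:
            stale.append((family, int(age.total_seconds() // 60)))
    return stale


if __name__ == "__main__":
    # With the constructed sample, "now" is taken from the sample's own day
    # so the script demonstrates both a healthy and a stale verdict.
    status = parse_iprep_status(SAMPLE_STATUS)
    print("IPv4 entries:", status["v4_total"], "IPv6 entries:", status["v6_total"])
    for when in (datetime(2022, 8, 30, 3, 40, 0), datetime(2022, 8, 30, 4, 40, 0)):
        stale = check_freshness(status, when, interval_min=5)
        print(when, "->", "OK" if not stale else stale)
```

Wiring `check_freshness` into a cron job or monitoring check gives an early warning when the feed silently stops updating, which is the failure mode a set-and-forget feature hides best.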
- Now that the IPI database is downloaded and updated, create an iRule. I am sharing two sample iRules: the first checks the client IP and blocks the connection if it is found to be malicious; the second checks each IP address in the X-Forwarded-For (XFF) header and blocks the request if any of them is flagged by IPI. Note that the second iRule runs at the application layer, which means the three-way handshake has already completed, and that XFF is only as trustworthy as the upstream proxy that set it, so it makes sense behind a proxy or CDN you control.
- To create the iRule, follow these steps.
- Go to Local Traffic > iRules and press the 'Create' button.
- Enter the name of the iRule and paste in the iRule most appropriate for you.
- Press 'Finished' to create the iRule.
Sample iRules
iRule 1
when CLIENT_ACCEPTED {
    # Look up the IPI categories for the connecting client address
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    # Flag the connection if any of the categories below is present;
    # delete the lines for categories you do not want to block
    if {($ip_reputation_categories contains "Windows Exploits")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Web Attacks")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Botnets")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Scanners")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Denial of Service")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Infected Sources")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Anonymous Proxy")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Phishing Proxies")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Spam Sources")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Mobile Threats")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Cloud-based Services")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Tor Proxies")} { set is_reject 1 }
    if {($is_reject)} {
        # Record the client address and its categories in /var/log/ltm, then drop the connection
        log local0. "Attempted access from malicious IP address [IP::client_addr] which falls in category ($ip_reputation_categories) was rejected"
        drop
    }
}
iRule 2
when HTTP_REQUEST {
    if {[HTTP::header exists "X-Forwarded-For"]} {
        # A request may carry several XFF headers, each with a comma-separated list of addresses
        foreach XFF [HTTP::header values X-Forwarded-For] {
            # Strip spaces and check every address in the list against IPI
            foreach XFFIP [split [string map {" " ""} $XFF] ","] {
                set ip_reputation_categories [IP::reputation $XFFIP]
                set is_reject 0
                if {($ip_reputation_categories contains "Windows Exploits")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Web Attacks")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Botnets")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Scanners")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Denial of Service")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Infected Sources")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Anonymous Proxy")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Phishing Proxies")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Spam Sources")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Mobile Threats")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Cloud-based Services")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Tor Proxies")} { set is_reject 1 }
                if {($is_reject)} {
                    # Log both the connecting address and the offending XFF address, then drop the request
                    log local0. "Attempted access from malicious IP address [IP::client_addr] and XFF IP ($XFFIP) which falls in category ($ip_reputation_categories) was rejected"
                    drop
                }
            }
        }
    }
}
Note: If you do not want to block requests from IPs that IPI detects as malicious and only want to monitor, remove 'drop' from the iRule above or put '#' in front of 'drop' to comment it out.
If logging is not required, remove the log command or put '#' in front of it.
- Apply the iRule to the virtual server.
Go to Local Traffic > Virtual Servers, select the virtual server, then on the Resources tab click 'Manage' under the iRules section to apply the iRule.
- Now that the iRule is in place, let's check how you can see the logs.
- Check logs
There are two ways to check the logs: the GUI and the command line.
To check logs via the GUI, log in and go to System > Logs > Local Traffic.
To check logs via the command line, log in and run either of the following commands.
Available in bash:
# tail -f /var/log/ltm
Available in tmsh:
# show sys log ltm
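As an added example (not from the article, and not F5 tooling), here is a Python parser that reads `/var/log/ltm` lines produced by the two iRules' `log local0.` statements and summarises how many connections were rejected per offending address and per IPI category. The log lines are constructed for this example, using documentation address ranges; the `tmm[...]: Rule /Common/... <EVENT>:` prefix is the usual shape of an iRule log entry but is not something the parser depends on. Because `$ip_reputation_categories` is a Tcl list, multi-word categories appear in braces once interpolated into the message, and the parser accounts for that.

```python
import re
from collections import Counter

# Constructed sample /var/log/ltm lines, shaped after the log statements in the
# two iRules; hostname, rule names and addresses are made up (RFC 5737 ranges).
SAMPLE_LTM_LOG = """\
Aug 30 03:40:12 bigip1 info tmm[12345]: Rule /Common/ipi_block <CLIENT_ACCEPTED>: Attempted access from malicious IP address 203.0.113.5 which falls in category (Scanners {Spam Sources}) was rejected
Aug 30 03:40:15 bigip1 info tmm1[12345]: Rule /Common/ipi_block <CLIENT_ACCEPTED>: Attempted access from malicious IP address 198.51.100.7 which falls in category ({Windows Exploits}) was rejected
Aug 30 03:41:02 bigip1 info tmm[12345]: Rule /Common/ipi_block_xff <HTTP_REQUEST>: Attempted access from malicious IP address 192.0.2.10 and XFF IP (203.0.113.5) which falls in category (Scanners {Spam Sources}) was rejected
Aug 30 03:41:30 bigip1 notice mcpd[4321]: 01070638:5: Pool /Common/web_pool member /Common/10.0.0.5:80 monitor status up.
"""

# Matches the message body of both iRules; the XFF part is optional.
LINE_RE = re.compile(
    r"malicious IP address (?P<client>\S+)"
    r"(?: and XFF IP \((?P<xff>[^)]*)\))?"
    r" which falls in category \((?P<cats>[^)]*)\) was rejected"
)

# A Tcl list interpolated into a string: elements containing spaces are
# wrapped in braces, single-word elements appear bare.
TCL_ELEM_RE = re.compile(r"\{([^}]*)\}|(\S+)")


def tcl_list(s):
    """Split a stringified Tcl list such as 'Scanners {Spam Sources}'."""
    return [braced or bare for braced, bare in TCL_ELEM_RE.findall(s)]


def parse_rejections(text):
    """Return one dict per iRule rejection line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "client": m.group("client"),
            "xff": m.group("xff"),  # None for the CLIENT_ACCEPTED iRule
            "categories": tcl_list(m.group("cats")),
        })
    return events


def summarize(events):
    """Count rejections per offending address (the XFF address when present,
    since that is the one IPI flagged) and per IPI category."""
    by_ip = Counter()
    by_cat = Counter()
    for ev in events:
        by_ip[ev["xff"] or ev["client"]] += 1
        by_cat.update(ev["categories"])
    return by_ip, by_cat


if __name__ == "__main__":
    # Replace SAMPLE_LTM_LOG with open("/var/log/ltm").read() on a BIG-IP.
    events = parse_rejections(SAMPLE_LTM_LOG)
    by_ip, by_cat = summarize(events)
    print("Rejections by address:")
    for ip, n in by_ip.most_common():
        print(f"  {ip:15} {n}")
    print("Rejections by category:")
    for cat, n in by_cat.most_common():
        print(f"  {cat:20} {n}")
```

Running this periodically (or feeding the counters to your SIEM) turns the iRule's log lines into a quick view of which categories are actually firing, which is also the evidence you want before deciding whether to keep a category such as "Cloud-based Services" or "Anonymous Proxy" in the block list.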
Important links and information.
- F5 does not maintain the IP reputation database, and F5 Support cannot assist with IP reputation change requests; customers may submit a change request directly to Brightcloud using http://www.brightcloud.com/tools/change-request.php
- IPI database is updated every 5 minutes.
- K13875: Managing IP reputations and the IP Address Intelligence database
- K13776: Determining the IP intelligence subscription expiration date
- K2595: Activating and installing a license file from the command line
- K7752: Licensing the BIG-IP system using GUI
Thanks!
Thank you!
Isn't it better to use FLOW_INIT instead of CLIENT_ACCEPTED?
Hi KeesvandenBos,
Thank you for your comment. Yes, IPI can also be used under the FLOW_INIT event, and it is a great option.
- Akash2Nimbostratus
Can we use this for both inbound and outbound traffic in AFM? Is there any KB related to implementation on AFM?
When you search f5 ip intelligence policy there are enough articles about this 😀. It handles source and destination https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/7.html