on 22-Sep-2022 15:35
I am excited to write about IP Intelligence (IPI), which is a very powerful and easy-to-implement feature. Let's start by understanding what IPI is. IP Intelligence is a database of malicious IP addresses maintained by a third-party company called Brightcloud. The feature can be enabled by obtaining an add-on license for BIG-IP. Once the license is activated on BIG-IP, IPI needs to connect to Brightcloud to download and update the database, so BIG-IP must have internet connectivity, either directly or via a proxy.
IPI is more of a set-and-forget feature: once implemented, no manual intervention is required. Since it is a security feature, it is often assumed that it works only with BIG-IP products such as AFM, Advanced WAF, ASM or APM, but that is not true. It can be implemented on BIG-IP LTM and other BIG-IP products as well. In this article we will discuss the benefits of having IPI and how easy it is to implement on F5 BIG-IP LTM.
To understand the benefit of IPI, let us first look at what happens before and during an attack. Everyone knows that a DDoS attack eats up bandwidth and system resources. But before performing an attack, attackers usually do reconnaissance and run scans to find vulnerable applications or systems. For such activity the attacker usually keeps a low profile and sends a comparatively small number of requests. Those requests get mixed in with normal requests and go untracked.
It means it is possible that during normal operations:
Now what will change if you have implemented IPI:
Now that we have understood how beneficial IPI is, let's find out how to implement it on BIG-IP LTM.
To implement IPI there are some prerequisites as follows:
Implementation of IPI is quite simple.
K7752: Licensing the BIG-IP system using GUI
<Sample output>
------------------------------------------------------------------------
Sys::IP Reputation Database Status
------------------------------------------------------------------------
Last time the server was contacted for updates 08/30/2022 03:37:48
Last time an update was received 08/30/2022 03:37:50
Total number of IP Addresses in the database 3783404
Number of IP Addresses received in the last update 43
Last time the server was contacted for IPv6 updates 08/30/2022 03:37:48
Last time an IPv6 update was received 08/29/2022 21:37:51
Total number of IPv6 Addresses in the database 48033
opening database in /var/IpRep/F5IpRep.dat
Size of IP reputation database = 27134905
iprep threats list for ip = x.x.x.x is:
bit 0 - Spam Sources
Bit 1 - Windows Exploits
bit 4 - Scanners
In case the IP is not malicious, you may get output similar to this:
opening database in /var/IpRep/F5IpRep.dat, /var/IpRep/F5IpV6Rep.dat
size of IP reputation database = 26483828, 912627
iprep_lookup not found for ip = x.x.x.x
sys db iprep.intervalmin {
value "5"
}
To modify the default interval value, run the following command and choose the value as required. The command below changes the default interval from 5 minutes to 10 minutes.
# modify sys db iprep.intervalmin value 10
- Enter the name of the iRule and copy and paste the iRule most appropriate for you
- Press Finished to create the iRule.
Sample iRules
iRule 1
when CLIENT_ACCEPTED {
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    if {($ip_reputation_categories contains "Windows Exploits")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Web Attacks")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Botnets")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Scanners")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Denial of Service")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Infected Sources")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Anonymous Proxy")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Phishing Proxies")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Spam Sources")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Mobile Threats")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Cloud-based Services")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Tor Proxies")} { set is_reject 1 }
    if {($is_reject)} {
        log local0. "Attempted access from malicious IP address [IP::client_addr] which falls in category ($ip_reputation_categories) was rejected"
        drop
    }
}
iRule 2
when HTTP_REQUEST {
    if {[HTTP::header exists "X-Forwarded-For"]} {
        foreach XFF [HTTP::header values X-Forwarded-For] {
            foreach XFFIP [split [string map {" " ""} $XFF] ","] {
                set ip_reputation_categories [IP::reputation $XFFIP]
                set is_reject 0
                if {($ip_reputation_categories contains "Windows Exploits")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Web Attacks")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Botnets")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Scanners")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Denial of Service")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Infected Sources")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Anonymous Proxy")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Phishing Proxies")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Spam Sources")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Mobile Threats")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Cloud-based Services")} { set is_reject 1 }
                if {($ip_reputation_categories contains "Tor Proxies")} { set is_reject 1 }
                if {($is_reject)} {
                    log local0. "Attempted access from malicious IP address [IP::client_addr] and XFF IP ($XFFIP) which falls in category ($ip_reputation_categories) was rejected"
                    drop
                }
            }
        }
    }
}
Note: If you do not want to block requests from IPs detected as malicious by IPI and only want to monitor, remove 'drop' from the above iRule or add '#' in front of 'drop' to comment it out.
If logging is not required, you may remove the log command or add '#' in front of the log command.
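To make the decision logic of the two sample iRules and the iprep_lookup output testable off-box, here is an added Python model (example code, not F5's own). It parses the "bit N - Category" lines of the lookup output shown earlier (treating "iprep_lookup not found" as a clean address), flattens X-Forwarded-For values the way iRule 2 does, and applies the same reject list to the connecting address and every XFF address in one pass. The SAMPLE_LOOKUPS table is a constructed stand-in for IP::reputation, and the 203.0.113.x / 198.51.100.x addresses are documentation placeholders; one deliberate difference from the iRule is that empty XFF entries (for example a trailing comma) are skipped rather than looked up.

```python
"""Offline model of the IPI checks shown on the page (added example, not F5 code)."""
import re
from typing import Iterable, List

# Categories the sample iRules treat as reject-worthy (copied from iRule 1).
REJECT_CATEGORIES = [
    "Windows Exploits", "Web Attacks", "Botnets", "Scanners",
    "Denial of Service", "Infected Sources", "Anonymous Proxy",
    "Phishing Proxies", "Spam Sources", "Mobile Threats",
    "Cloud-based Services", "Tor Proxies",
]

# One line per threat category, e.g. "bit 0 - Spam Sources"; the sample
# output capitalises "Bit" inconsistently, so match case-insensitively.
_BIT_LINE = re.compile(r"^\s*bit\s+(\d+)\s*-\s*(.+?)\s*$", re.IGNORECASE)

# Constructed stand-in for the reputation database: address -> lookup output
# text in the same shape as the iprep_lookup sample above.
SAMPLE_LOOKUPS = {
    "203.0.113.7": (
        "opening database in /var/IpRep/F5IpRep.dat\n"
        "Size of IP reputation database = 27134905\n"
        "iprep threats list for ip = 203.0.113.7 is:\n"
        "bit 0 - Spam Sources\n"
        "Bit 1 - Windows Exploits\n"
        "bit 4 - Scanners\n"
    ),
    "198.51.100.9": (
        "opening database in /var/IpRep/F5IpRep.dat, /var/IpRep/F5IpV6Rep.dat\n"
        "size of IP reputation database = 26483828, 912627\n"
        "iprep_lookup not found for ip = 198.51.100.9\n"
    ),
}


def parse_iprep_lookup(output: str) -> List[str]:
    """Return the threat categories listed in iprep_lookup output.

    An address that is not in the database prints 'iprep_lookup not found'
    and no bit lines, so the result is an empty list (treated as clean).
    """
    return [m.group(2) for m in map(_BIT_LINE.match, output.splitlines()) if m]


def should_reject(categories: Iterable[str], reject_list=REJECT_CATEGORIES) -> bool:
    """Mirror the iRule: reject when any category on the reject list is present."""
    return any(cat in reject_list for cat in categories)


def xff_addresses(header_values: Iterable[str]) -> List[str]:
    """Flatten X-Forwarded-For values as iRule 2 does: strip spaces, split on commas.

    Unlike the iRule, empty entries (e.g. from a trailing comma) are skipped
    so they are never passed to a reputation lookup.
    """
    addrs = []
    for value in header_values:
        addrs.extend(ip for ip in value.replace(" ", "").split(",") if ip)
    return addrs


def lookup(ip: str) -> List[str]:
    """Simulated IP::reputation: categories for ip, [] when unknown."""
    return parse_iprep_lookup(SAMPLE_LOOKUPS.get(ip, ""))


def evaluate_request(client_addr: str, xff_values: Iterable[str]) -> dict:
    """Apply iRule 1 (connecting address) and iRule 2 (XFF addresses) together.

    The connecting address is checked first; XFF is supplied by the client or
    an upstream proxy and may be absent, so it is checked in addition to,
    never instead of, the real source address.
    """
    for ip in [client_addr] + xff_addresses(xff_values):
        cats = lookup(ip)
        if should_reject(cats):
            return {"action": "drop", "ip": ip, "categories": cats}
    return {"action": "allow", "ip": None, "categories": []}


if __name__ == "__main__":
    print(evaluate_request("198.51.100.9", ["10.0.0.1, 203.0.113.7"]))
```

Running the module prints the drop decision for the proxied request whose XFF chain contains the sample malicious address; swapping REJECT_CATEGORIES for a shorter list is the off-box equivalent of trimming the `contains` lines in the iRule.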
Important links and information.
Hi @KeesvandenBos,
Thank you for your comment. Yes, IPI can also be used under the FLOW_INIT event, and it is a great option.