The Power of IP Intelligence (IPI)

I am excited to write about IP Intelligence (IPI), which is a very powerful and easy-to-implement feature. Let's start by understanding what IPI is. IP Intelligence is a database of malicious IP addresses maintained by a third-party company called Brightcloud. The feature is enabled by obtaining an add-on license for BIG-IP. Once the license is activated, the BIG-IP needs to connect to Brightcloud to download and update the database, so it must have internet connectivity, either direct or via a proxy.

IPI is very much a set-and-forget feature: once implemented, no manual intervention is required. Because it is a security feature, it is often assumed to work only with BIG-IP security products such as AFM, Advanced WAF, ASM or APM, but that is not true. It can be implemented on BIG-IP LTM and other BIG-IP products as well. In this article we will discuss the benefits of having IPI and how easy it is to implement on F5 BIG-IP LTM.

To understand the benefit of IPI, let us look at what happens before and during an attack. Everyone knows that a DDoS attack eats up bandwidth and system resources. But before launching an attack, attackers usually perform reconnaissance and scans to find vulnerable applications and systems. To stay unnoticed during this activity, an attacker keeps a low profile and sends a comparatively small number of requests. Those requests get mixed in with normal traffic and go untracked.

This means that during normal operations it is possible that:

  • Attackers are sending malicious requests for reconnaissance.
  • Attackers are scanning to find vulnerable applications and systems.
  • Those malicious requests are consuming system resources and bandwidth.

What changes once IPI is implemented:

  • Any request coming from an IP address that IPI knows to be malicious is blocked.
  • By blocking all requests from malicious IPs, IPI frees up system resources and bandwidth for legitimate requests.
  • By default the database updates automatically every 5 minutes, so no manual intervention is required.

Now that we understand how beneficial IPI is, let's find out how to implement it on BIG-IP LTM.

To implement IPI there are some prerequisites:

  • IPI license
  • A user with admin privileges
  • BIG-IP must have internet connectivity
  • Downtime, in case the BIG-IP is standalone. If the BIG-IP is in an HA pair, the license can be activated on the standby unit first to avoid downtime.

Implementation of IPI is quite simple:

  • Activate the license
  • Verify IPI status
  • Create iRule
  • Apply iRule to the virtual server
  • Check logs

 

  • Activate the license. For the steps, refer to K7752: Licensing the BIG-IP system using GUI.

  • Verify that IPI is working by running the following command. If IPI is able to download and update the database, you will see output similar to the sample below.
    # tmsh show sys iprep-status

 

<Sample output>

------------------------------------------------------------------------
Sys::IP Reputation Database Status
------------------------------------------------------------------------
Last time the server was contacted for updates       08/30/2022 03:37:48
Last time an update was received                     08/30/2022 03:37:50
Total number of IP Addresses in the database                     3783404
Number of IP Addresses received in the last update                    43
Last time the server was contacted for IPv6 updates  08/30/2022 03:37:48
Last time an IPv6 update was received                08/29/2022 21:37:51
Total number of IPv6 Addresses in the database                     48033

 

  • To check the IP reputation of a single IP address, run the following command, replacing <x.x.x.x> with the IP address.
    # iprep_lookup <x.x.x.x>

    If the IP is malicious, you will see output similar to this:
    opening database in /var/IpRep/F5IpRep.dat
    Size of IP reputation database = 27134905
    iprep threats list for ip = x.x.x.x is:
    bit 0 - Spam Sources
    Bit 1 - Windows Exploits
    bit 4 - Scanners

    If the IP is not malicious, you will see output similar to this:
    opening database in /var/IpRep/F5IpRep.dat, /var/IpRep/F5IpV6Rep.dat
    size of IP reputation database = 26483828, 912627
    iprep_lookup not found for ip = x.x.x.x

  • By default the database updates every 5 minutes, but if required you can change this with the following commands. The interval can be set to anything between 1 minute and 525600 minutes (1 year).
    This command shows the configured value:
    # list sys db iprep.intervalmin
    sys db iprep.intervalmin {
        value "5"
    }

    To modify the interval, run the following command with the value you need. This example changes the interval from 5 minutes to 10 minutes:
    # modify sys db iprep.intervalmin value 10
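An added health check, not part of the original article: it parses the 'tmsh show sys iprep-status' output shown above and reports when the Brightcloud server has not been reached for IPv4 or IPv6 updates within a few polling intervals of iprep.intervalmin. The sample text, the three-interval threshold and the function names are assumptions made here.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the shape of the 'tmsh show sys iprep-status' output shown above.
SAMPLE_STATUS = """\
------------------------------------------------------------------------
Sys::IP Reputation Database Status
------------------------------------------------------------------------
Last time the server was contacted for updates       08/30/2022 03:37:48
Last time an update was received                     08/30/2022 03:37:50
Total number of IP Addresses in the database                     3783404
Number of IP Addresses received in the last update                    43
Last time the server was contacted for IPv6 updates  08/30/2022 03:37:48
Last time an IPv6 update was received                08/29/2022 21:37:51
Total number of IPv6 Addresses in the database                     48033
"""
TS_FMT = "%m/%d/%Y %H:%M:%S"
_FIELD = re.compile(r"^(?P<label>\S.*?\S)\s{2,}(?P<value>\S.*)$")  # 'label  value' rows only
CONTACT_LABELS = ("Last time the server was contacted for updates",
                  "Last time the server was contacted for IPv6 updates")

def parse_iprep_status(text):
    """Map each row's label to its value, as a datetime or int where the value parses as one."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:  # header, rule lines and blank lines carry no double-space separator
            continue
        value = m.group("value").strip()
        try:
            fields[m.group("label")] = datetime.strptime(value, TS_FMT)
        except ValueError:
            fields[m.group("label")] = int(value) if value.isdigit() else value
    return fields

def check_iprep_freshness(fields, interval_min=5, now=None, max_missed=3):
    """List problems: update server not contacted within max_missed polling intervals
    (iprep.intervalmin, 5 by default). 'now' may be a datetime or a string in TS_FMT."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FMT)
    now = now or datetime.now()
    limit = timedelta(minutes=interval_min * max_missed)
    problems = []
    for label in CONTACT_LABELS:
        last = fields.get(label)
        if not isinstance(last, datetime):
            problems.append(f"{label}: not present in output")
        elif now - last > limit:
            problems.append(f"{label}: {int((now - last).total_seconds() // 60)} min ago")
    return problems
```

Feed it the real output of the tmsh command from a cron job and alert on a non-empty result; the IPv6 'update received' time is deliberately not checked, since the sample above shows it legitimately lagging the contact time by hours.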

 

  • Now that the IPI database is downloaded and updated, create the iRule. I am sharing two sample iRules: the first checks the client IP and blocks the connection if IPI marks it malicious; the second checks each IP address in the X-Forwarded-For (XFF) header and blocks the request if any of them is marked malicious by IPI. Note that the second iRule runs at the application layer (HTTP_REQUEST), which means the TCP three-way handshake has already completed by the time it fires.
  • To create an iRule, follow these steps:
    - Go to Local Traffic > iRules and press the 'Create' button.
    - Enter the name of the iRule and paste in the iRule most appropriate for you.
    - Press 'Finished' to create the iRule.

 

Sample iRules

 

iRule 1

when CLIENT_ACCEPTED {
    # Look up the IPI categories for the connecting client's source address
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    # Flag the connection if the address falls in any of these categories
    if { $ip_reputation_categories contains "Windows Exploits" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Web Attacks" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Botnets" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Scanners" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Denial of Service" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Infected Sources" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Anonymous Proxy" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Phishing Proxies" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Spam Sources" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Mobile Threats" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Cloud-based Services" } { set is_reject 1 }
    if { $ip_reputation_categories contains "Tor Proxies" } { set is_reject 1 }
    if { $is_reject } {
        log local0. "Attempted access from malicious IP address [IP::client_addr] which falls in category ($ip_reputation_categories) was rejected"
        drop
    }
}





 

iRule 2

when HTTP_REQUEST {
    # Only inspect requests that carry an X-Forwarded-For header. XFF is written by
    # whatever sits in front of the BIG-IP, so its values are only as trustworthy
    # as that upstream proxy.
    if { [HTTP::header exists "X-Forwarded-For"] } {
        # A request may carry several XFF headers, each a comma-separated list of IPs
        foreach XFF [HTTP::header values X-Forwarded-For] {
            foreach XFFIP [split [string map {" " ""} $XFF] ","] {
                set ip_reputation_categories [IP::reputation $XFFIP]
                set is_reject 0
                if { $ip_reputation_categories contains "Windows Exploits" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Web Attacks" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Botnets" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Scanners" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Denial of Service" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Infected Sources" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Anonymous Proxy" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Phishing Proxies" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Spam Sources" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Mobile Threats" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Cloud-based Services" } { set is_reject 1 }
                if { $ip_reputation_categories contains "Tor Proxies" } { set is_reject 1 }
                if { $is_reject } {
                    log local0. "Attempted access from malicious IP address [IP::client_addr] and XFF IP ($XFFIP) which falls in category ($ip_reputation_categories) was rejected"
                    drop
                }
            }
        }
    }
}

 

Note: If you do not want to block requests from IPs detected as malicious by IPI and just want to monitor, remove 'drop' from the iRule above or put a '#' in front of 'drop' to comment it out.

If logging is not required, remove the log command or put a '#' in front of it.

 

  • Apply the iRule to the virtual server.
    Go to Local Traffic > Virtual Servers, select the virtual server, then on the Resources tab click 'Manage' under the iRules section to apply the iRule.
  • Now that the iRule is in place, let's check how you can see the logs.
  • Check logs
    There are two options to check logs: the GUI and the command line.
    To check logs via the GUI, log in and go to System > Logs > Local Traffic.
    To check logs via the command line, log in and run either of the following commands.
    From bash:
    # tail -f /var/log/ltm
    From tmsh:
    # show sys log ltm
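As an added example (not from the original article), a small Python script that parses the lines the two iRules write to /var/log/ltm and totals rejects per category, per offending IP and per iRule event; it is meant for a monitor-mode run with 'drop' removed, to see which categories actually fire before enforcing. The log-line prefix, hostname, rule names, PIDs and addresses are constructed samples.

```python
import re
from collections import Counter

# The twelve categories that the two iRules on this page treat as reject reasons.
REJECT_CATEGORIES = (
    "Windows Exploits", "Web Attacks", "Botnets", "Scanners", "Denial of Service",
    "Infected Sources", "Anonymous Proxy", "Phishing Proxies", "Spam Sources",
    "Mobile Threats", "Cloud-based Services", "Tor Proxies",
)
# Matches the message written by 'log local0.' in either iRule (the XFF part is optional).
_REJECT = re.compile(
    r"Rule (?P<rule>\S+) <(?P<event>[A-Z_]+)>: Attempted access from malicious IP address "
    r"(?P<client>\S+)(?: and XFF IP \((?P<xff>[^)]+)\))? which falls in category "
    r"\((?P<cats>[^)]*)\) was rejected")

def parse_reject(line):
    """Return a dict for one iRule reject line, or None for unrelated /var/log/ltm lines."""
    m = _REJECT.search(line)
    if not m:
        return None
    # Substring matching mirrors the iRules' 'contains' tests, so the parser does
    # not depend on how Tcl braces multi-word categories in the logged list.
    cats = [c for c in REJECT_CATEGORIES if c in m.group("cats")]
    return {"rule": m.group("rule"), "event": m.group("event"), "client": m.group("client"),
            "offender": m.group("xff") or m.group("client"), "categories": cats}

def summarize(lines):
    """Count rejects by category, by offending IP (the XFF hit for iRule 2) and by event."""
    by_cat, by_ip, by_event, total = Counter(), Counter(), Counter(), 0
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        total += 1
        by_cat.update(rec["categories"])
        by_ip[rec["offender"]] += 1
        by_event[rec["event"]] += 1
    return {"total": total, "by_category": by_cat, "by_ip": by_ip, "by_event": by_event}

# Constructed /var/log/ltm excerpt (hostname, rule names, PIDs and addresses are made up).
SAMPLE_LTM_LOG = [
    "Aug 30 03:40:12 bigip1 info tmm[12345]: Rule /Common/ipi_client_block <CLIENT_ACCEPTED>: Attempted access from malicious IP address 203.0.113.5 which falls in category ({Windows Exploits} Scanners) was rejected",
    "Aug 30 03:41:03 bigip1 info tmm1[12346]: Rule /Common/ipi_client_block <CLIENT_ACCEPTED>: Attempted access from malicious IP address 198.51.100.7 which falls in category ({Spam Sources}) was rejected",
    "Aug 30 03:42:55 bigip1 info tmm[12345]: Rule /Common/ipi_xff_block <HTTP_REQUEST>: Attempted access from malicious IP address 192.0.2.10 and XFF IP (203.0.113.5) which falls in category ({Tor Proxies}) was rejected",
    "Aug 30 03:43:10 bigip1 info tmm[12345]: Rule /Common/ipi_client_block <CLIENT_ACCEPTED>: Attempted access from malicious IP address 203.0.113.5 which falls in category (Scanners) was rejected",
    "Aug 30 03:43:11 bigip1 notice mcpd[5678]: Pool /Common/web_pool member /Common/10.0.0.11:80 monitor status up.",
]
```

Run summarize() over the lines of /var/log/ltm; for iRule 2 hits the XFF entry is counted as the offender, since the client address in that message is the proxy that forwarded the request.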

 

Important links and information.

Published Sep 22, 2022
Version 1.0
  • Akash2

    Can we use this for both in and out traffic in AFM? Any KB related to implementation on AFM?

    • When you search for 'f5 ip intelligence policy' there are enough articles about this 😀. It handles source and destination: https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/7.html