Hello. I received this from a marketing guy, for working with content providers:
Solution for VPN/Anonymous Proxy detection? This functionality is a mandatory requirement for all IP distribution of content.
Can I implement it in F5, and how?
Yes. When you set up a VPN (full or split VPN) you have the ability to force all users to pass through your proxy, and it's very simple to do.
You can set a transparent proxy or a proxy PAC for users.
Let me know if you need details.
The IP Intelligence subscription can help you to block these types of connections. (Source: IP Intelligence Service Datasheet)
The IP Intelligence service identifies and blocks IP addresses associated with a variety of threat sources, including:
Windows exploits: Includes active IP addresses offering or distributing malware, shell code, rootkits, worms, or viruses.
Web attacks: Includes cross-site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force.
Botnets: Includes botnet command and control channels and infected zombie machines controlled by the bot master.
Scanners: Includes all reconnaissance, such as probes, host scan, domain scan, and password brute force.
Denial of service: Includes DoS, DDoS, anomalous SYN flood, and anomalous traffic detection.
Reputation: When enabled, denies access to IP addresses currently known to be infected with malware or to contact malware distribution points.
Phishing: Includes IP addresses hosting phishing sites or other kinds of fraud activities, such as click fraud or gaming fraud.
Proxy: Includes IP addresses providing proxy and anonymization services, as well as The Onion Router (TOR) anonymizer addresses.
We had a similar requirement in our application to block all VPN traffic. We had IP Intelligence (IPI) set up via our Application Security Manager.
It seems to work well for preventing automated exploit attempts, but it was not effective for VPN detection. As a workaround solution for now, we have been using the https://focsec.com/ VPN IP Database as a blocklist feed... so far it has been working great.
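The blocklist-feed workaround from the last reply, sketched as an added example that is not part of the thread and not code from F5 or the feed provider: it validates a range list before use and matches client addresses against it, including IPv4-mapped IPv6 forms. The feed format (one CIDR or address per line, `#` comments), the function names and the fail-closed policy are assumptions; the sample ranges are constructed documentation addresses.

```python
import ipaddress

# Constructed sample feed (documentation ranges only, not real VPN exits).
# Assumed format: one CIDR or single address per line, '#' starts a comment.
SAMPLE_FEED = """\
# constructed sample
203.0.113.0/25
203.0.113.128/25
198.51.100.7
2001:db8:beef::/48
not-an-ip
192.0.2.300/24
"""

def load_blocklist(text):
    """Parse a feed; return (collapsed networks, lines rejected as invalid)."""
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts entries with host bits set (x.x.x.5/24 -> /24)
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)  # report bad lines instead of dropping them silently
            continue
        (v4 if net.version == 4 else v6).append(net)
    # Merge adjacent/overlapping ranges so the list to match against stays small.
    nets = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return nets, rejected

def normalize(addr):
    """Map ::ffff:a.b.c.d to a.b.c.d so dual-stack listeners cannot bypass IPv4 entries."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_blocked(addr, networks):
    """True if the client address falls inside any blocklisted network."""
    try:
        ip = normalize(addr)
    except ValueError:
        return True  # assumed policy: fail closed on an unparseable client address
    return any(ip.version == n.version and ip in n for n in networks)
```

A non-empty rejected list is worth alerting on, since a truncated or corrupted feed download would otherwise shrink the blocklist without anyone noticing.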