IP intelligence (reputation) blocking with whitelist support

Contributed by: Brett Smith

Description

This iRule utilises the IP intelligence (reputation) database to drop traffic from source IPs that match the WebRoot threat categories you choose to block.
It has a number of configurable parameters including:
1. Filtering Control - 0 = reputation filter off, 1 = reputation filter on.
2. Threat Category Blocking - Create a data group containing the names of the categories you want to block, e.g.:
create ltm data-group internal threat_categories_dg type string
modify ltm data-group internal threat_categories_dg records add {"BotNets"}
modify ltm data-group internal threat_categories_dg records add {"Networks"}
modify ltm data-group internal threat_categories_dg records add {"Denial of Service"}
modify ltm data-group internal threat_categories_dg records add {"Illegal"}
modify ltm data-group internal threat_categories_dg records add {"Infected Sources"}
modify ltm data-group internal threat_categories_dg records add {"Phishing"}
modify ltm data-group internal threat_categories_dg records add {"Proxy"}
modify ltm data-group internal threat_categories_dg records add {"Scanners"}
modify ltm data-group internal threat_categories_dg records add {"Spam Sources"}
modify ltm data-group internal threat_categories_dg records add {"Web Attacks"}
modify ltm data-group internal threat_categories_dg records add {"Windows Exploits"}

3. Whitelist Filter Bypass - Create a data group containing the IP addresses or subnets that should bypass IP reputation filtering, e.g.:
create ltm data-group internal ip_reputation_whitelist_dg type ip
modify ltm data-group internal ip_reputation_whitelist_dg records add {"10.0.0.0/8"}
modify ltm data-group internal ip_reputation_whitelist_dg records add {"172.16.0.0/12"}
modify ltm data-group internal ip_reputation_whitelist_dg records add {"192.168.0.0/16"}

4. Debug logging control - 0 = debug log off, 1 = debug log on.

iRule Source

# Author: Brett Smith @f5.com

when RULE_INIT {
    # IP intelligence (reputation) control.
    # 0 = reputation filter off, 1 = reputation filter on.
    set static::ip_reputation_control 1

    # IP intelligence categories data group. Any categories in this DG will be blocked based on the source IP.
    set static::threat_categories_dg "threat_categories_dg"

    # IP intelligence whitelist data group. Any IP address in this DG will bypass IP reputation filtering.
    set static::ip_reputation_whitelist_dg "ip_reputation_whitelist_dg"

    # Debug logging control
    # 0 = no debug logging, 1 = debug logging.
    set static::debug_ip_reputation 1
}

when CLIENT_ACCEPTED {
    # Set parameters for the request
    set client_ip [IP::client_addr]

    # Use IP intelligence (reputation) on source IP. Bypass filtering if IP is in the Whitelist.
    # If bad IP reputation is found, drop the request.
    if { (($static::ip_reputation_control) and (![class match $client_ip equals $static::ip_reputation_whitelist_dg])) } {
        set threat_categories [IP::reputation $client_ip]

        if { [class match $threat_categories contains $static::threat_categories_dg] } {
            if { $static::debug_ip_reputation } { log local0. "Dropping request. VS IP: [IP::local_addr], Client IP: $client_ip, Threat Category: $threat_categories, Country: [whereis $client_ip country]" }
            drop
        }
    }
}
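As an added example (not part of the contributed iRule above), the variant below performs the same whitelist-then-reputation check but compares each category returned by IP::reputation against the data group with an exact match rather than the substring match the original uses, and logs which category caused the drop. It assumes the same data-group names and static:: variables as the original; the log messages are this example's own.

```tcl
# Added example, not part of the contributed iRule. Data-group names and
# static:: variables are the same as the original's; log text is constructed here.
when RULE_INIT {
    set static::ip_reputation_control 1
    set static::threat_categories_dg "threat_categories_dg"
    set static::ip_reputation_whitelist_dg "ip_reputation_whitelist_dg"
    set static::debug_ip_reputation 1
}

when CLIENT_ACCEPTED {
    set client_ip [IP::client_addr]

    # Reputation filtering switched off: nothing to do for this connection.
    if { !$static::ip_reputation_control } { return }

    # Whitelisted sources bypass the check. The data group is type ip, so a
    # CIDR entry such as 10.0.0.0/8 matches any address inside that subnet.
    if { [class match -- $client_ip equals $static::ip_reputation_whitelist_dg] } {
        if { $static::debug_ip_reputation } {
            log local0. "Whitelisted: $client_ip bypasses IP reputation filtering"
        }
        return
    }

    # IP::reputation returns a Tcl list of category names (empty if no match).
    set categories [IP::reputation $client_ip]
    set matched ""

    # Exact comparison of every returned category against the data group, so an
    # entry like "Spam" does not also match "Spam Sources", and the first hit is
    # recorded for the log line.
    foreach category $categories {
        if { [class match -- $category equals $static::threat_categories_dg] } {
            set matched $category
            break
        }
    }

    if { $matched ne "" } {
        if { $static::debug_ip_reputation } {
            log local0. "Dropping connection. VS IP: [IP::local_addr], Client IP: $client_ip, Matched category: $matched, All categories: $categories, Country: [whereis $client_ip country]"
        }
        drop
        return
    }

    if { $static::debug_ip_reputation } {
        log local0. "Allowed: $client_ip (categories: \"$categories\")"
    }
}
```

Note that drop silently discards the connection; if you want the client to see a refusal, replace it with reject.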

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.