IP::reputation
Description
Looks up the supplied IP address in the IP intelligence (reputation)
database and returns a TCL list containing reputation categories.
Note that the IP intelligence feature requires an add-on license.
Contact your F5 or Partner salesperson
for details on ordering the license.
Syntax
IP::reputation <IP address>
Performs a lookup of the supplied IP address against the IP reputation
database. Returns a TCL list containing possible reputation
categories:
Category | Description |
---|---|
Botnets | IP addresses of computers that are infected with malicious software and are controlled as a group, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways. |
Cloud Provider Networks | IP addresses of cloud providers. |
Denial of Service | IP addresses that have launched Denial of Service (DoS) attacks. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond and become bogged down or unable to service legitimate clients. |
Illegal Websites | IP addresses of websites hosting illegal material or activity. Associated with Internet Watch Foundation. Category deprecated by provider and unused by BIG-IP. |
Infected Sources | IP addresses that issue HTTP requests with a low reputation index score, or are known malware sites. |
Phishing | IP addresses that are associated with phishing web sites that masquerade as legitimate web sites. |
Proxy | IP addresses that are associated with web proxies that shield the originator’s IP address (such as anonymous proxies). |
Scanners | IP addresses that have been observed to perform port scans or network scans, typically to identify vulnerabilities for later exploits. |
Spam Sources | IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities. AFM-only category. |
Web Attacks | IP addresses that have launched web attacks of various forms. |
Windows Exploits | IP addresses that have exercised various exploits against Windows resources using browsers, programs, downloaded files, scripts, or operating system vulnerabilities. |
An IP intelligence database is a list of IP addresses with
questionable reputations. IP addresses gain a questionable reputation
and are added to the database as a result of having performed exploits
or attacks, or these addresses might represent proxy servers,
scanners, or systems that have been infected. You can prevent system
attacks by excluding traffic from malicious IP addresses. The IP
Intelligence database is maintained online by a third party.
The BIG-IP system can connect to an IP intelligence database, download
the contents, and automatically keep the database up to date. You use
iRules to instruct the system on how to use IP address intelligence
information. For example, iRules can instruct the system to verify the
reputation of and log the originating IP address of all requests.
You can also use the IP address intelligence information within
security policies in the Application Security Manager to log or block
requests from IP addresses with questionable reputations.
The requirements for using IP address intelligence are:
- The system must have an IP Intelligence license.
- The system must have an Internet connection, either directly or through a proxy server.
- The system must have DNS configured (go to System > Configuration > Device > DNS).
Examples
Look up a set of IP addresses in the IP reputation database and log
the output. As an example, check if the IP is a Proxy (lsearch returns
a non -1 value).
when RULE_INIT {
    # Only log once regardless of how many TMMs are running
    if { [TMM::cmp_unit] == 0 } {
        # Loop through some known bad IPs
        foreach ip [list 8.5.1.16 1.1.17.0 1.161.40.194 2.32.20.157 2.50.32.55 2.56.0.0 254.46.202.147] {
            # Look the IP up once and reuse the returned list
            set rep [IP::reputation $ip]
            # Log the IP, reputation list, count of reputation hits and a sample search to see if the IP is a Proxy (non -1 = true)
            log local0. "$ip: \"$rep\", count: [llength $rep], lsearch for Proxy: [lsearch $rep Proxy] "
        }
    }
}
Log output:
<RULE_INIT>: 8.5.1.16: "{Web Attacks} BotNets Scanners Proxy", count: 4, lsearch for Proxy: 3
<RULE_INIT>: 1.1.17.0: "{Web Attacks} Scanners", count: 2, lsearch for Proxy: -1
<RULE_INIT>: 1.161.40.194: "{Windows Exploits} Scanners", count: 2, lsearch for Proxy: -1
<RULE_INIT>: 2.32.20.157: "Proxy", count: 1, lsearch for Proxy: 0
<RULE_INIT>: 2.50.32.55: "{Spam Sources} Proxy", count: 2, lsearch for Proxy: 1
<RULE_INIT>: 2.56.0.0: "{Spam Sources} {Web Attacks}", count: 2, lsearch for Proxy: -1
<RULE_INIT>: 254.46.202.147: "Phishing", count: 1, lsearch for Proxy: -1
Here are a few example IPs with reputations:
1.1.17.0 Scanners
2.32.20.157 Proxy
2.56.0.0 Spam Sources, Web Attacks
198.200.32.76 Spam Sources, Scanners
Drop the packet after the initial TCP handshake if the client has a bad
reputation.
# Drop the packet after the initial TCP handshake if the client has a bad reputation
when CLIENT_ACCEPTED {
    # Check whether the IP reputation list for the client IP is non-empty
    if { [llength [IP::reputation [IP::client_addr]]] != 0 } {
        # Drop the connection
        drop
    }
}
Check each A record in a DNS response against the reputation database and
log any resolved address that has a bad reputation.
when DNS_RESPONSE {
    # If the query type was A and the response is an answer
    if { ([DNS::question type] eq "A") and ([DNS::ptype] eq "ANSWER") } {
        set rrs [DNS::answer]
        foreach rr $rrs {
            if { [DNS::type $rr] eq "A" } {
                # Look up the resolved address (the record's rdata) once and reuse the list
                set addr [DNS::rdata $rr]
                set rep [IP::reputation $addr]
                if { [llength $rep] != 0 } {
                    # Bad IP reputation for the destination detected
                    log local0. "$rr: \"$rep\", count: [llength $rep]"
                }
            }
        }
    }
}
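An added example, not from the original page: an iRule that applies a per-category policy to HTTP requests, blocking clients listed in any high-risk category and only logging those that are merely proxies or cloud networks (where legitimate users may also sit). It relies on the categories being returned as whole list elements, so a multi-word category such as "Web Attacks" must be matched with lsearch -exact against the full element; the category sets, the static:: variable names and the 403 response are my assumptions.

```tcl
# Added example (not from the F5 page): per-category handling of IP::reputation results
when RULE_INIT {
    # Categories that warrant a block; names match the IP Intelligence category table.
    # Multi-word categories are single list elements ("Web Attacks"), so keep them quoted.
    set static::ipi_block [list "Botnets" "Denial of Service" "Infected Sources" "Phishing" \
        "Scanners" "Spam Sources" "Web Attacks" "Windows Exploits"]
    # Categories that are only logged, since legitimate clients may sit behind them
    set static::ipi_watch [list "Proxy" "Cloud Provider Networks"]
}

when HTTP_REQUEST {
    set client [IP::client_addr]
    # Look the address up once and keep the list; each call is a database lookup
    set cats [IP::reputation $client]
    if { [llength $cats] == 0 } {
        return
    }
    # Collect the matched block categories so the log states why a request was refused
    set hits [list]
    foreach cat $cats {
        if { [lsearch -exact $static::ipi_block $cat] != -1 } {
            lappend hits $cat
        }
    }
    if { [llength $hits] > 0 } {
        log local0. "blocked $client [HTTP::method] [HTTP::uri]: categories {$hits}"
        # Answer with a 403 rather than dropping so the client connection closes cleanly
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        return
    }
    # Watch-only categories: record the request and let it through
    foreach cat $cats {
        if { [lsearch -exact $static::ipi_watch $cat] != -1 } {
            log local0. "watch $client [HTTP::uri]: category $cat"
        }
    }
}
```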