Looks up the supplied IP address in the IP intelligence (reputation) database and returns a TCL list containing reputation categories
Note that the IP intelligence feature requires an add-on license. Contact your F5 or Partner salesperson for details on ordering the license.


IP::reputation <IP address>
Performs a lookup of the supplied IP address against the IP reputation database. Returns a TCL list containing possible reputation categories:
Category Description
Botnets IP addresses of computers that are infected with malicious software and are controlled as a group, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways.
Cloud Provider Networks IP addresses of cloud providers.
Denial of Service IP addresses that have launched Denial of Service (DoS) attacks. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond and become bogged down or unable to service legitimate clients.
Illegal Websites IP addresses of websites hosting illegal material or activity. Associated with Internet Watch Foundation. Category deprecated by provider and unused by BIG-IP.
Infected Sources IP addresses that issue HTTP requests with a low reputation index score, or are known malware sites.
Phishing IP addresses that are associated with phishing web sites that masquerade as legitimate web sites.
Proxy IP addresses that are associated with web proxies that shield the originator’s IP address (such as anonymous proxies).
Scanners IP addresses that have been observed to perform port scans or network scans, typically to identify vulnerabilities for later exploits.
Spam Sources IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities. AFM-only category.
Web Attacks IP addresses that have launched web attacks of various forms.
Windows Exploits IP addresses that have exercised various exploits against Windows resources using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.

An IP intelligence database is a list of IP addresses with questionable reputations. IP addresses gain a questionable reputation and are added to the database as a result of having performed exploits or attacks, or these addresses might represent proxy servers, scanners, or systems that have been infected. You can prevent system attacks by excluding traffic from malicious IP addresses. The IP Intelligence database is maintained online by a third party.
The BIG-IP system can connect to an IP intelligence database, download the contents, and automatically keep the database up to date. You use iRules to instruct the system on how to use IP address intelligence information. For example, iRules can instruct the system to verify the reputation of and log the originating IP address of all requests.
You can also use the IP address intelligence information within security policies in the Application Security Manager to log or block requests from IP addresses with questionable reputations.
The requirements for using IP address intelligence are:
The system must have an IP Intelligence license. The system must have an Internet connection either directly or through a proxy server. The system must have DNS configured (go to System > Configuration > Device > DNS).


Look up a set of IP addresses in the IP reputation database and log the output. As an example, check if the IP is a Proxy (lsearch returns a non -1 value).
when RULE_INIT {
    # Only log once regardless of however many TMMs are running
    if {[TMM::cmp_unit]==0}{

        # Loop through some known bad IPs
        foreach ip [list] {

            # Log the IP, reputation list, count of reputation hits and a sample search to see if the IP is a Proxy (non -1 = true)
            log local0. "$ip: \"[IP::reputation $ip]\", count: [llength [IP::reputation $ip]], lsearch for Proxy: [lsearch [IP::reputation $ip] Proxy] "
Log output:
<RULE_INIT>: "{Web Attacks} BotNets Scanners Proxy", count: 4, lsearch for Proxy: 3
<RULE_INIT>: "{Web Attacks} Scanners", count: 2, lsearch for Proxy: -1
<RULE_INIT>: "{Windows Exploits} Scanners", count: 2, lsearch for Proxy: -1
<RULE_INIT>: "Proxy", count: 1, lsearch for Proxy: 0
<RULE_INIT>: "{Spam Sources} Proxy", count: 2, lsearch for Proxy: 1
<RULE_INIT>: "{Spam Sources} {Web Attacks}", count: 2, lsearch for Proxy: -1
<RULE_INIT>: "Phishing", count: 1, lsearch for Proxy: -1

Here are a few example IPs with reputations:    Scanners Proxy    Spam Sources, Web Attacks   Spam Sources, Scanners
Drop the packet after initial TCP handshake if the client has a bad reputation
#Drop the packet after initial TCP handshake if the client has a bad reputation

    # Check if the IP reputation list for the client IP is not 0
    if {[llength [IP::reputation [IP::client_addr]]] != 0}{

        # Drop the connection

    # If Query type was A and response is an answer.
    if { ([DNS::question type] eq "A") and ([DNS::ptype] == "ANSWER") } {
        set rrs [DNS::answer]
        foreach rr $rrs {
            if { [DNS::type $rr] eq "A" } {
                if {[llength [IP::reputation [DNS::rdata $rr]]] != 0} {
                    # Bad IP Reputation for destination detected
                    log local0. "$rr: \"[IP::reputation $ip]\", count: [llength [IP::reputation $rr]]"