ltm rule command IP reputation
iRule(1) BIG-IP TMSH Manual iRule(1)
IP::reputation
Looks up the supplied IP address in the IP intelligence (reputation)
database and returns a TCL list containing reputation categories.
SYNOPSIS
IP::reputation (IP_ADDR)+
DESCRIPTION
Performs a lookup of the supplied IP address against the IP reputation
database. Returns a TCL list containing possible reputation categories:
Category Description Botnets
IP addresses of computers that are infected with malicious software and
are controlled as a group, and are now part of a botnet. Hackers can
exploit botnets to send spam messages, launch various attacks, or cause
target systems to behave in other unpredictable ways. Cloud Provider
Networks IP addresses of cloud providers. Denial of Service
IP addresses that have launched Denial of Service (DoS) attacks. These
attacks are usually requests for legitimate services, but occur at such
a fast rate that targeted systems cannot respond and become bogged down
or unable to service legitimate clients. Illegal Websites
IP addresses of websites hosting illegal material or activity.
Associated with Internet Watch Foundation. Infected Sources
IP addresses that issue HTTP requests with a low reputation index
score, or are known malware sites. Phishing IP
addresses that are associated with phishing web sites that masquerade
as legitimate web sites. Proxy IP addresses
that are associated with web proxies that shield the originator's IP
address (such as anonymous proxies). Scanners IP
addresses that have been observed to perform port scans or network
scans, typically to identify vulnerabilities for later exploits. Web
Attacks IP addresses that have launched web attacks of
various forms. Windows Exploits IP addresses that have
exercised various exploits against Windows resources using browsers,
programs, downloaded files, scripts, or operating system
vulnerabilities.
An IP intelligence database is a list of IP addresses with questionable
reputations. IP addresses gain a questionable reputation and are added
to the database as a result of having performed exploits or attacks, or
these addresses might represent proxy servers, scanners, or systems
that have been infected. You can prevent system attacks by excluding
traffic from malicious IP addresses. The IP Intelligence database is
maintained online by a third party.
The BIG-IP system can connect to an IP intelligence database, download
the contents, and automatically keep the database up to date. You use
iRules to instruct the system on how to use IP address intelligence
information. For example, iRules can instruct the system to verify the
reputation of and log the originating IP address of all requests.
You can also use the IP address intelligence information within
security policies in the Application Security Manager to log or block
requests from IP addresses with questionable reputations.
The requirements for using IP address intelligence are:
The system must have an IP Intelligence license. The system must have
an Internet connection either directly or through a proxy server. The
system must have DNS configured (go to System > Configuration > Device
> DNS).
RETURN VALUE
Return a TCL list containing reputation categories.
VALID DURING
ANY_EVENT
EXAMPLES
# Look up a set of IP addresses in the IP reputation database and log the output. As an example, check if the IP is a Proxy (lsearch returns a non -1 value).
when RULE_INIT {
# Only log once regardless of however many TMMs are running
if {[TMM::cmp_unit]==0}{
# Loop through some known bad IPs
foreach ip [list 8.5.1.16 1.1.17.0 1.161.40.194 2.32.20.157 2.50.32.55 2.56.0.0 254.46.202.147] {
# Log the IP, reputation list, count of reputation hits and a sample search to see if the IP is a Proxy (non -1 = true)
log local0. "$ip: \"[IP::reputation $ip]\", count: [llength [IP::reputation $ip]], lsearch for Proxy: [lsearch [IP::reputation $ip] Proxy] "
}
}
}
# Log output:
#: 8.5.1.16: "{Web Attacks} BotNets Scanners Proxy", count: 4, lsearch for Proxy: 3
#: 1.1.17.0: "{Web Attacks} Scanners", count: 2, lsearch for Proxy: -1
#: 1.161.40.194: "{Windows Exploits} Scanners", count: 2, lsearch for Proxy: -1
#: 2.32.20.157: "Proxy", count: 1, lsearch for Proxy: 0
#: 2.50.32.55: "{Spam Sources} Proxy", count: 2, lsearch for Proxy: 1
#: 2.56.0.0: "{Spam Sources} {Web Attacks}", count: 2, lsearch for Proxy: -1
#: 254.46.202.147: "Phishing", count: 1, lsearch for Proxy: -1
# Here are a few example IPs with reputations:
# 1.1.17.0 Scanners
# 2.32.20.157 Proxy
# 2.56.0.0 Spam Sources, Web Attacks
# 198.200.32.76 Spam Sources, Scanners
#Drop the packet after initial TCP handshake if the client has a bad reputation
when CLIENT_ACCEPTED {
# Check if the IP reputation list for the client IP is not 0
if {[llength [IP::reputation [IP::client_addr]]] != 0}{
# Drop the connection
drop
}
}
when DNS_RESPONSE {
# If Query type was A and response is an answer.
if { ([DNS::question type] eq "A") and ([DNS::ptype] == "ANSWER") } {
set rrs [DNS::answer]
foreach rr $rrs {
if { [DNS::type $rr] eq "A" } {
if {[llength [IP::reputation [DNS::rdata $rr]]] != 0} {
# Bad IP Reputation for destination detected
log local0. "$rr: \"[IP::reputation $ip]\", count: [llength [IP::reputation $rr]]"
}
}
}
}
}
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-11.2.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)