ltm rule command IP reputation
iRule(1) BIG-IP TMSH Manual iRule(1)
IP::reputation
Looks up the supplied IP address in the IP intelligence (reputation) database and returns a TCL list
containing reputation categories.
SYNOPSIS
IP::reputation (IP_ADDR)+
DESCRIPTION
Performs a lookup of the supplied IP address against the IP reputation database. Returns a TCL list containing
possible reputation categories:
Category Description Botnets IP addresses of computers that are
infected with malicious software and are controlled as a group, and are now part of a botnet. Hackers can
exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other
unpredictable ways. Cloud Provider Networks IP addresses of cloud providers. Denial of Service
IP addresses that have launched Denial of Service (DoS) attacks. These attacks are usually requests for
legitimate services, but occur at such a fast rate that targeted systems cannot respond and become bogged down
or unable to service legitimate clients. Infected Sources IP addresses that issue HTTP requests
with a low reputation index score, or are known malware sites. Mobile Threats IP addresses of
malicious and unwanted mobile applications. Phishing IP addresses that are associated
with phishing web sites that masquerade as legitimate web sites. Proxy IP addresses
that are associated with web proxies that shield the originator's IP address (such as anonymous proxies).
Scanners IP addresses that have been observed to perform port scans or network scans,
typically to identify vulnerabilities for later exploits. Tor Proxy IP addresses that act
as exit nodes for the Tor Network. Web Attacks IP addresses that have launched web attacks
of various forms. Windows Exploits IP addresses that have exercised various exploits against
Windows resources using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.
An IP intelligence database is a list of IP addresses with questionable reputations. IP addresses gain a
questionable reputation and are added to the database as a result of having performed exploits or attacks, or
these addresses might represent proxy servers, scanners, or systems that have been infected. You can prevent
system attacks by excluding traffic from malicious IP addresses. The IP Intelligence database is maintained
online by a third party.
The BIG-IP system can connect to an IP intelligence database, download the contents, and automatically keep
the database up to date. You use iRules to instruct the system on how to use IP address intelligence
information. For example, iRules can instruct the system to verify the reputation of and log the originating
IP address of all requests.
You can also use the IP address intelligence information within security policies in the Application Security
Manager to log or block requests from IP addresses with questionable reputations.
The requirements for using IP address intelligence are:
The system must have an IP Intelligence license. The system must have an Internet connection either directly
or through a proxy server. The system must have DNS configured (go to System > Configuration > Device > DNS).
RETURN VALUE
Return a TCL list containing reputation categories.
VALID DURING
ANY_EVENT
EXAMPLES
# Look up a set of IP addresses in the IP reputation database and log the output. As an example, check if the IP is a Proxy (lsearch returns a non -1 value).
when RULE_INIT {
# Only log once regardless of however many TMMs are running
if {[TMM::cmp_unit]==0}{
# Loop through some known bad IPs
foreach ip [list 8.5.1.16 1.1.17.0 1.161.40.194 2.32.20.157 2.50.32.55 2.56.0.0 254.46.202.147] {
# Log the IP, reputation list, count of reputation hits and a sample search to see if the IP is a Proxy (non -1 = true)
log local0. "$ip: \"[IP::reputation $ip]\", count: [llength [IP::reputation $ip]], lsearch for Proxy: [lsearch [IP::reputation $ip] Proxy] "
}
}
}
# Log output:
#: 8.5.1.16: "{Web Attacks} BotNets Scanners Proxy", count: 4, lsearch for Proxy: 3
#: 1.1.17.0: "{Web Attacks} Scanners", count: 2, lsearch for Proxy: -1
#: 1.161.40.194: "{Windows Exploits} Scanners", count: 2, lsearch for Proxy: -1
#: 2.32.20.157: "Proxy", count: 1, lsearch for Proxy: 0
#: 2.50.32.55: "{Spam Sources} Proxy", count: 2, lsearch for Proxy: 1
#: 2.56.0.0: "{Spam Sources} {Web Attacks}", count: 2, lsearch for Proxy: -1
#: 254.46.202.147: "Phishing", count: 1, lsearch for Proxy: -1
# Here are a few example IPs with reputations:
# 1.1.17.0 Scanners
# 2.32.20.157 Proxy
# 2.56.0.0 Spam Sources, Web Attacks
# 198.200.32.76 Spam Sources, Scanners
#Drop the packet after initial TCP handshake if the client has a bad reputation
when CLIENT_ACCEPTED {
# Check if the IP reputation list for the client IP is not 0
if {[llength [IP::reputation [IP::client_addr]]] != 0}{
# Drop the connection
drop
}
}
when DNS_RESPONSE {
# If Query type was A and response is an answer.
if { ([DNS::question type] eq "A") and ([DNS::ptype] == "ANSWER") } {
set rrs [DNS::answer]
foreach rr $rrs {
if { [DNS::type $rr] eq "A" } {
if {[llength [IP::reputation [DNS::rdata $rr]]] != 0} {
# Bad IP Reputation for destination detected
log local0. "$rr: \"[IP::reputation $ip]\", count: [llength [IP::reputation $rr]]"
}
}
}
}
}
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-11.2.0 --First introduced the command.
BIG-IP 2020-06-23 iRule(1)