Internet Protocol Intelligence (IPI)

Inbound and outbound botnet traffic, such as distributed denial of service (DDoS) attacks and malware activity, can penetrate security layers and consume valuable processing power. The IP Intelligence (IPI) service incorporates external, intelligent services to enhance automated application delivery with better IP intelligence, stronger context-based security, reduced risk, and increased data center efficiency, by eliminating the effort spent processing bad traffic.

The IP Intelligence service lets you allow or deny lists of IP addresses using a database supplied by a third party such as BrightCloud or Webroot. This database of curated allow and deny addresses is known as the IP Reputation (IPRep) database. In addition to the third-party database, users can provide a feedlist file of IP addresses. The dwbld pod loads the feedlist file, encodes the addresses into a Trie prefix lookup structure as a blob, and applies the blob to the TMM. The IPRep database is downloaded from the third-party website, and updates are retrieved by poll-based checks for a new database file. The TMM is integrated with the IPRep library, which loads the binary data file and exposes functions that check whether an IP address falls into a denied category.

Key Features

  • Ensures IP threat protection - Delivers contextual awareness and analysis to block threats from a dynamic set of high-risk IP addresses.
  • Enhances visibility into threats across multiple sources - Detects malicious activity and IP addresses with help from a global threat-sensor network and IP intelligence database.
  • Provides granular threat reporting and automated blocking - Reveals communication with malicious IP addresses to create effective security policies.
  • Optimizes protection with real-time updates - Updates the threat database automatically as often as every five minutes to keep the organization safe.

The following diagram illustrates the order of precedence of the policy checks performed by the IP Intelligence service:

[Figure: precedence of IP Intelligence policy checks (cnf-ipi-policychecks.png)]

Use Cases

An IP Intelligence policy can be configured in the global context and can also be applied per virtual server. Each policy contains a list of categories and actions that can be customized; the IPRep database is common to all policies. Feedlist-based policies can additionally customize the IP addresses that are configured.

Currently, BIG-IP Next supports IP Intelligence for the following use cases.

Logging

Enabling logging is an optional step. For more information on how to configure and enable logging for IP Intelligence, see the IP Intelligence Logging page.

IP Intelligence Stats

To view the stats, use the ip_intelligence_stat table in tmctl. The stats apply to both the IP Reputation database and the feedlist.

  root@tmm_1:/config# tmctl -dblade ip_intelligence_stat -w120
  context_type  context_name                       category        src_ip_blacklist  dst_ip_blacklist  src_geo_blacklist  dst_geo_blacklist  src_fqdn_blacklist  dst_fqdn_blacklist
  ------------  ---------------------------------  --------------  ----------------  ----------------  -----------------  -----------------  ------------------  ------------------
  virtual       f5local-dns-vs-udp-virtual_server  whitelist                      0                 0                  0                  0                   0                   0
  virtual       f5local-dns-vs-udp-virtual_server  spam_sources                  10                 0                  0                  0                   0                   0
  virtual       f5local-dns-vs-udp-virtual_server  botnets                        0                 0                  0                  0                   0                   0
  virtual       f5local-dns-vs-udp-virtual_server  scanners                       0                 0                  0                  0                   0                   0
  virtual       f5local-dns-vs-udp-virtual_server  mobile_threats                 0                 0                  0                  0                   0                   0
  virtual       f5local-dns-vs-udp-virtual_server  tor_proxy                      0                 0                  0                  0                   0                   0

The following table lists some of the stats and their descriptions related to IP Intelligence.

  Stats             Description
  ----------------  --------------------------------------------------------------------------------
  category          The category the IP address belongs to; either a threat category or whitelist/allowlist.
  context_name      Name of the application (virtual server) or of the global context.
  context_type      Global or virtual.
  dst_ip_blacklist  Number of packets whose destination IP belongs to any category configured in the IPI policy that applies to the context.
  src_ip_blacklist  Number of packets whose source IP belongs to any category configured in the IPI policy that applies to the context.

The number of rows equals the number of categories added to the IPI policy for each context.
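The feedlist encoding described at the top of this page (prefixes encoded into a trie and looked up per packet to find a denied category) and the per-category src/dst counters in the table above, as an added Python example that is not BIG-IP Next, dwbld or TMM code. The feedlist line format, the sample prefixes and the sample packets are constructed assumptions, and the lookup generalizes to both IPv4 and IPv6 prefixes with longest-prefix-match semantics.

```python
import ipaddress
from collections import Counter

# Constructed sample feedlist, one "<prefix>,<category>" per line (format assumed for this example).
FEEDLIST = """\
203.0.113.0/24,spam_sources
198.51.100.0/24,scanners
198.51.100.7/32,botnets
192.0.2.0/24,whitelist
2001:db8:bad::/48,tor_proxy
"""

class PrefixTrie:
    """Binary trie over address bits, one root per family; the longest matching prefix wins."""
    def __init__(self):
        self.roots = {4: {}, 6: {}}  # node = {0: child, 1: child, "cat": category}

    def insert(self, net, category):
        node, bits, width = self.roots[net.version], int(net.network_address), net.max_prefixlen
        for i in range(net.prefixlen):
            node = node.setdefault((bits >> (width - 1 - i)) & 1, {})
        node["cat"] = category

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        node, bits, width, best = self.roots[ip.version], int(ip), ip.max_prefixlen, None
        for i in range(width):
            best = node.get("cat", best)  # most specific category seen so far
            node = node.get((bits >> (width - 1 - i)) & 1)
            if node is None:
                return best
        return node.get("cat", best)  # every bit matched: a host (/32 or /128) entry

def load_feedlist(text):
    trie = PrefixTrie()
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):  # skip blanks and comments
            prefix, category = (f.strip() for f in line.split(",", 1))
            trie.insert(ipaddress.ip_network(prefix, strict=False), category)
    return trie

def check_packets(trie, packets):
    """Tally (category, direction) hits for (src, dst) pairs, like ip_intelligence_stat rows."""
    stats = Counter()
    for src, dst in packets:
        for column, addr in (("src_ip_blacklist", src), ("dst_ip_blacklist", dst)):
            category = trie.lookup(addr)
            if category is not None:
                stats[(category, column)] += 1
    return dict(stats)
```

A /32 host entry under a broader /24 is reported with its own category, which is what makes the longest-prefix walk matter when a feedlist mixes network and host entries.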

Note: Currently, the src_geo_blacklist, dst_geo_blacklist, src_fqdn_blacklist, and dst_fqdn_blacklist stats are not used.

Feedback

To provide feedback and help improve this document, please email us at cnfdocs@f5.com.