F5BigIpiCategorylist
Overview
The F5BigIpiCategorylist CR provides the default categories and allows the user to configure custom categories in addition to the predefined ones. The user can specify up to 62 categories, including those predefined in the system. A blacklist category definition consists of only a name and a description. The predefined blacklist categories are automatically available for selection when configuring an IP Intelligence policy.
Predefined category list for IP Intelligence Policy
The following is a list of the predefined categories that are available for use. In an IP Intelligence policy, the user can set up actions and logging options for each predefined category and for each blacklist category they create.
| Category Name | Description |
|---|---|
| additional | IP addresses that are added from additional categories not explicitly defined. |
| appiq_badactors | IP addresses gathered from AppIQ central management. |
| application_denial_of_service | IP addresses involved in application DoS attacks, or anomalous traffic detection. |
| attacked_ips | Destination IP addresses under attack. |
| botnets | IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in unpredictable ways. |
| cloud_provider_networks | IP addresses and networks that belong to cloud providers, which offer services hosted on their servers through the Internet. |
| denial_of_service | IP addresses that have launched denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, anomalous SYN flood attacks, or anomalous traffic detection. These attacks are usually requests for legitimate services, but occur at such a fast rate that the targeted systems cannot respond fast enough and slow down, or even become unable to serve legitimate clients. |
| infected_sources | Active IP addresses that issue HTTP requests with a low reputation index score, or that are known to be malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses. |
| mobile_threats | IP addresses of malicious and unwanted mobile applications. |
| phishing | IP addresses that host phishing sites, and other forms of fraud activities, such as ad-click and gaming frauds. |
| proxy | IP addresses that are associated with web proxies that shield the originator’s IP address (such as proxy and anonymization services). This category also includes TOR anonymizer addresses in versions prior to 13.1.0. |
| scanners | IP addresses that are involved in reconnaissance, such as probes, host scans, domain scans, and password brute force, typically to identify vulnerabilities for later exploits. |
| spam_sources | IP addresses tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities. |
| tor_proxy | IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination. |
| web_attacks | IP addresses involved in cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force. |
| windows_exploits | Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities. |
CR Parameters
metadata
| Parameter | Description |
|---|---|
| name | Specifies the name of the F5BigIpiCategorylist CR. |
spec.categories
| Parameter | Description |
|---|---|
| items | Specifies the list of all denylist categories. |
| items.name | Specifies the IP intelligence category name. Note: Each category name must be unique within the list to avoid duplicate entries. Duplicate category names are caught and rejected by schema validation. |
| items.description | Specifies descriptive text that identifies the IP intelligence category. |
| items.match | Specifies the matching criteria that define a match for the category. A source match, a destination match, or both a source and a destination match can be selected. |
CR Example
The following is the default F5BigIpiCategorylist CR that is preinstalled. This is a singleton resource with the name ipi-category-default-list, and only a single object is allowed to be configured.
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigIpiCategorylist
metadata:
  name: ipi-category-default-list
spec:
  categories:
    - name: additional
      description: IP addresses from additional categories.
      match: source
    - name: appiq_badactors
      description: IP addresses gathered from AppIQ central management.
      match: source
    - name: application_denial_of_service
      description: IP addresses involved in application DoS Attacks or anomalous traffic detection.
      match: source
    - name: attacked_ips
      description: Destination IP addresses under attack.
      match: destination
    - name: botnets
      description: IP addresses of Botnet Command and Control channels and infected zombie machine controlled by Bot master.
      match: source
    - name: cloud_provider_networks
      description: IP addresses and networks that are used by cloud providers.
      match: source
    - name: denial_of_service
      description: IP addresses involved in DoS and DDoS attacks anomalous SYN flood attacks or anomalous traffic detection.
      match: source
    - name: infected_sources
      description: Active IP addresses offering or distributing malware shell code rootkits worms or viruses.
      match: source
    - name: mobile_threats
      description: IP addresses of malicious and unwanted mobile applications.
      match: source
    - name: phishing
      description: IP addresses hosting phishing sites and other kinds of fraud activities such as ad click fraud or gaming fraud.
      match: source
    - name: proxy
      description: IP addresses providing proxy and anonymization services.
      match: source
    - name: scanners
      description: IP addresses involved in reconnaissance such as probes host scan domain scan and password brute force.
      match: source
    - name: spam_sources
      description: IP addresses tunneling spam messages through proxy anomalous SMTP activities and forum spam activities.
      match: source
    - name: tor_proxy
      description: IP addresses acting as exit nodes for the Tor Network.
      match: source
    - name: web_attacks
      description: IP addresses involved in cross site scripting iFrame injection SQL injection cross domain injection or domain password brute force
      match: source
    - name: whitelist
      description: IP addresses that are considered safe.
      match: source
    - name: windows_exploits
      description: Active IP addresses offering or distributing malware shell code rootkits worms or viruses.
      match: source
```
Installation
To add a custom category, the user can edit the default F5BigIpiCategorylist CR shown in the CR Example and specify a new category name and description.
Run the following command to edit the default F5BigIpiCategorylist CR:
```shell
kubectl edit f5-big-ipi-categorylists.k8s.f5net.com
```
Add the custom category. The following is an example CR with a new category added; only the new entry is shown.
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigIpiCategorylist
metadata:
  name: ipi-category-default-list
spec:
  categories:
    - name: "new_category"
      description: "this IP addresses known for malicious activities"
      match: "source"
```
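The constraints from the CR Parameters section (a singleton named ipi-category-default-list, at most 62 categories, unique category names, a match of source or destination) are easy to trip over when hand-editing the list as the Installation step describes, so the following added example, not part of the F5 documentation, validates a category list before it is applied and appends a custom category the same way. The CR is built as a Python dict (what yaml.safe_load would return for the manifest), with a constructed two-entry sample standing in for the full default CR; treating source and destination as the only accepted match values is an assumption.

```python
import json

API_VERSION = "k8s.f5net.com/v1"
KIND = "F5BigIpiCategorylist"
SINGLETON_NAME = "ipi-category-default-list"   # the page: only one object is allowed
MAX_CATEGORIES = 62                            # limit stated on the page
ALLOWED_MATCH = {"source", "destination"}      # assumption: the only accepted match values

def validate_categorylist(cr):
    """Return a list of problems with the CR dict; an empty list means it passes."""
    problems = []
    if cr.get("apiVersion") != API_VERSION:
        problems.append(f"apiVersion must be {API_VERSION}")
    if cr.get("kind") != KIND or cr.get("metadata", {}).get("name") != SINGLETON_NAME:
        problems.append(f"kind must be {KIND} and metadata.name {SINGLETON_NAME} (singleton)")
    categories = cr.get("spec", {}).get("categories")
    if not isinstance(categories, list) or not categories:
        return problems + ["spec.categories must be a non-empty list"]
    if len(categories) > MAX_CATEGORIES:
        problems.append(f"{len(categories)} categories exceeds the limit of {MAX_CATEGORIES}")
    seen = set()
    for idx, cat in enumerate(categories):
        name = cat.get("name")
        if not name:
            problems.append(f"categories[{idx}]: name is required")
            continue
        if name in seen:  # the schema rejects duplicate names; catch it before applying
            problems.append(f"categories[{idx}]: duplicate name {name!r}")
        seen.add(name)
        if not cat.get("description"):
            problems.append(f"categories[{idx}] ({name}): description is required")
        if cat.get("match") not in ALLOWED_MATCH:
            problems.append(f"categories[{idx}] ({name}): match must be source or destination")
    return problems

def add_category(cr, name, description, match="source"):
    """Return a deep copy of the CR with one custom category appended (the Installation step)."""
    new_cr = json.loads(json.dumps(cr))
    new_cr.setdefault("spec", {}).setdefault("categories", []).append(
        {"name": name, "description": description, "match": match})
    return new_cr

# Constructed sample: two entries of the page's default CR, as yaml.safe_load would return them.
DEFAULT_CR = {"apiVersion": API_VERSION, "kind": KIND, "metadata": {"name": SINGLETON_NAME},
              "spec": {"categories": [
                  {"name": "attacked_ips", "description": "Destination IP addresses under attack.", "match": "destination"},
                  {"name": "tor_proxy", "description": "IP addresses acting as exit nodes for the Tor Network.", "match": "source"}]}}

if __name__ == "__main__":
    edited = add_category(DEFAULT_CR, "new_category", "IP addresses known for malicious activities")
    print(validate_categorylist(edited) or "ok", json.dumps(edited, indent=2), sep="\n")
```

The JSON printed at the end is accepted directly by kubectl apply -f, so the validated copy can be applied instead of editing the live object in place.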
Feedback
To provide feedback and help improve this document, please email us at cnfdocs@f5.com.