Manual Chapter: Setting Up IP Address Intelligence Blocking

Overview: Setting up IP address intelligence blocking

In Application Security Manager, you can use IP address intelligence blocking in a security policy to block requests from IP addresses that have questionable reputations. IP addresses from which attacks or spam have originated are included in an IP intelligence database, along with the category describing the problem. The BIG-IP system must connect to the IP intelligence database before you can use IP address intelligence blocking.

You can configure a security policy to log (alarm) or block requests from IP addresses of questionable reputation, and to perform different actions depending on the categories of problems. For example, you can block requests from IP addresses associated with Windows exploits and log requests from scanners.

You can create a whitelist of IP addresses that might be in the database, and allow them to access the web application regardless of their IP reputation. This is a way to ensure that traffic from known sources is not blocked because of IP address intelligence data.

You can also use iRules® to instruct the system how to use IP address intelligence information.

Task Summary

These are tasks for setting up IP address intelligence blocking in a security policy.

Enabling IP address intelligence

The requirements for using IP address intelligence are:
  • The system must have an IP Intelligence license.
  • The system must have an Internet connection either directly or through a proxy server.
  • The system must have DNS configured (go to System > Configuration > Device > DNS).
Important: IP address intelligence is enabled by default. You only need to enable it if it was previously disabled.
To enable IP address intelligence on the BIG-IP system, you enable auto-update to connect the system to the IP intelligence database.
  1. Log in to the command line for the BIG-IP system.
  2. To determine whether IP intelligence is enabled, type the following command:
     tmsh list sys db iprep.autoupdate
     If the value of the iprep.autoupdate variable is disable, IP intelligence is not enabled. If it is enable, your task is complete.
  3. At the prompt, type:
     tmsh modify sys db iprep.autoupdate value enable
     The system downloads the IP intelligence database and stores it in the binary file /var/IpRep/F5IpRep.dat. It is updated every 5 minutes.
  4. If the BIG-IP system is behind a firewall, make sure that the BIG-IP system has external access to vector.brightcloud.com using port 443. That is the IP Intelligence server from which the system gets IP Intelligence information.
  5. Optional: If the BIG-IP system connects to the Internet using a forward proxy server, set these system database variables.
    1. Type tmsh modify sys db proxy.host value hostname to specify the hostname of the proxy server.
    2. Type tmsh modify sys db proxy.port value port_number to specify the port number of the proxy server.
    3. Type tmsh modify sys db proxy.username value username to specify the user name to log in to the proxy server.
    4. Type tmsh modify sys db proxy.password value password to specify the password to log in to the proxy server.
The IP address intelligence feature remains enabled unless you disable it with the command tmsh modify sys db iprep.autoupdate value disable.
You can create iRules to instruct the system how to handle traffic from IP addresses with questionable reputations, or use Application Security Manager to configure IP address intelligence blocking.

Setting up IP address intelligence blocking

Before you can set up IP address intelligence blocking, your system must have IP address intelligence enabled.
You can configure a security policy to log and block requests from source IP addresses that, according to an IP intelligence database, have a bad reputation and could cause a potential attack.
  1. On the Main tab, click Application Security > IP Addresses > IP Address Intelligence. The IP Address Intelligence screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. For the IP Address Intelligence setting, select the Enabled check box.
  4. For the IP Address Whitelist setting, specify any IP addresses you want to allow, even if they are found in the IP intelligence database.
    1. Type the IP Address and Subnet Mask of the address to consider safe.
    2. Click Add.
    The addresses that you typed are added to the list.
  5. In the IP Address Intelligence Categories area, select Alarm or Block, or both, for the categories of IP addresses you are interested in.
    • Select Alarm to cause the system to log the IP address intelligence data (IP address intelligence category and status) on the Requests screen whenever a request is from a source IP address in that category.
    • Select Block to stop requests sent from a source IP address that matches that category.
    Note: If these settings are not available, click Policy > Blocking and for the violation Access from malicious IP address, select the Alarm and Block settings.
  6. Click Save.
The system matches source IP addresses to those in the IP address intelligence database. When a match is found, the violation Access from malicious IP address occurs. The system determines what category of reputation the IP address has, then logs or blocks the IP address according to how the IP Address Intelligence categories are set.

Reviewing IP address intelligence statistics

Before you can view IP address intelligence statistics, your system must have IP address intelligence enabled.
After you set up IP intelligence blocking on the Application Security Manager, you can review statistics concerning how many requests were received from IP addresses with questionable reputations. You can also view the requests from those IP addresses.
  1. On the Main tab, click Application Security > Reporting > Charts. The Charts screen opens, where you can view graphical reports.
  2. In the Charts area, next to View by, click IP Address Intelligence. The chart shows details about IP addresses that were used to send the illegal requests, grouped according to their reputation in the IP intelligence database.
  3. Hover over the pie chart or look at the Details table below it to see the categories of IP addresses with questionable reputations.
  4. Under Chart Path on the left, click View Requests to see the requests from IP addresses in the IP intelligence database. The Requests list opens.
  5. Click any request to view details about the request. The screen expands to show more information about the request. IP address intelligence information is shown in the Source IP Address field in the request details. The details include the category of the malicious IP address and information about when the IP intelligence database was last updated.
  6. If you have set up remote logging, you can also review IP intelligence data on the remote logger.
By reviewing the IP address intelligence data, you can examine requests from potentially malicious IP addresses.
Based on the statistics and IP address intelligence categories that the IP addresses fall into, you can adjust what happens (alarm or block) when the system receives requests from IP addresses in different categories.

Creating an iRule to log IP address intelligence information

Before you can create an iRule to log IP address intelligence information, your system must have IP address intelligence enabled.
You use iRules to log IP address intelligence categories to the file /var/log/ltm. This is an example of the type of iRule you can write.
  1. On the Main tab, click Local Traffic > iRules. The iRule List screen opens, displaying any existing iRules.
  2. Click Create. The New iRule screen opens.
  3. In the Name field, type a name between 1 and 31 characters, such as my_iRule.
  4. In the Definition field, type the iRule using Tool Command Language (Tcl) syntax. For example, to log all IP addresses and any associated IP address intelligence categories, type the following iRule:
     when CLIENT_ACCEPTED {
         # Log the client address and the reputation categories the database returns for it
         log local0. "IP Address Intelligence for IP address [IP::client_addr]: [IP::reputation [IP::client_addr]]"
     }
  5. Click Finished. The new iRule appears in the list.
When traffic is received from an IP address with a questionable reputation and that is included in the IP intelligence database, the system prints the IP address intelligence information in the /var/log/ltm log.
For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com.

Creating an iRule to reject requests with questionable IP addresses

Before you can create an iRule to reject requests based on an IP address reputation, your system must have IP address intelligence enabled.
You can use iRules to reject requests from IP addresses that have questionable reputations and are listed in the IP intelligence database. This is an example of the type of iRule you can write.
  1. On the Main tab, click Local Traffic > iRules. The iRule List screen opens, displaying any existing iRules.
  2. Click Create. The New iRule screen opens.
  3. In the Name field, type a name between 1 and 31 characters, such as my_iRule.
  4. In the Definition field, type the iRule using Tool Command Language (Tcl) syntax. For example, to reject requests from IP addresses listed in the IP intelligence database because they could be Windows Exploits or Web Attacks, type the following iRule:
     when HTTP_REQUEST {
         # Look up the reputation categories for the client address
         set ip_reputation_categories [IP::reputation [IP::client_addr]]
         set is_reject 0
         if {($ip_reputation_categories contains "Windows Exploits")} {
             set is_reject 1
         }
         if {($ip_reputation_categories contains "Web Attacks")} {
             set is_reject 1
         }
         if {($is_reject)} {
             # Log the attempt to /var/log/ltm and answer with a rejection page instead of forwarding the request
             log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected"
             HTTP::respond 200 content "<HTML><HEAD><TITLE>Rejected Request</TITLE></HEAD><BODY>The request was rejected.<BR>Attempted access from malicious IP address</BODY></HTML>"
         }
     }
  5. Click Finished. The new iRule appears in the list.
When an HTTP request is received from an IP address whose reputation in the IP intelligence database matches one of the categories in the iRule, the system logs the attempted access in the /var/log/ltm log and returns the rejection page to the client.
For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com.
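The two iRules above write their results to /var/log/ltm, and the chapter notes that statistics can also be reviewed on a remote logger. The following script is an added example (not part of this manual or the F5 product) that reads log lines in the format those iRules produce, counts hits per IP intelligence category, honours an IP address whitelist given as "address/mask" strings, and reports sources in a Block category that were logged at CLIENT_ACCEPTED but never rejected at HTTP_REQUEST (a sign the category is set to Alarm only). The syslog prefix, hostnames, timestamps and addresses in SAMPLE_LOG are constructed; categories are matched by name so the braces Tcl puts around multi-word list elements do not matter.

```python
import ipaddress
import re
from collections import Counter

# Category names as listed in this chapter's IP address intelligence category table.
KNOWN_CATEGORIES = ("Windows Exploits", "Web Attacks", "Botnets", "Scanners",
                    "Denial of Service", "Infected Sources", "Phishing", "Proxy")

# Message text matches the log calls in the two iRules; the syslog prefix is assumed.
LOG_RE = re.compile(r"IP Address Intelligence for IP address (\S+):\s*(.*)$")
REJECT_RE = re.compile(r"Attempted access from malicious IP address (\S+) \((.*)\), request was rejected$")

# Constructed /var/log/ltm sample (hostnames, timestamps and addresses are made up).
SAMPLE_LOG = """\
Jun  3 10:01:12 bigip1 info tmm[1234]: Rule /Common/my_iRule <CLIENT_ACCEPTED>: IP Address Intelligence for IP address 203.0.113.5: Scanners
Jun  3 10:01:15 bigip1 info tmm[1234]: Rule /Common/my_iRule <CLIENT_ACCEPTED>: IP Address Intelligence for IP address 198.51.100.7: {Windows Exploits} Botnets
Jun  3 10:01:20 bigip1 info tmm[1234]: Rule /Common/my_iRule <CLIENT_ACCEPTED>: IP Address Intelligence for IP address 192.0.2.10:
Jun  3 10:02:01 bigip1 info tmm[1234]: Rule /Common/my_iRule <HTTP_REQUEST>: Attempted access from malicious IP address 198.51.100.7 ({Windows Exploits} Botnets), request was rejected
Jun  3 10:02:05 bigip1 info tmm[1234]: Rule /Common/my_iRule <CLIENT_ACCEPTED>: IP Address Intelligence for IP address 203.0.113.77: {Web Attacks}
Jun  3 10:02:09 bigip1 info tmm[1234]: Rule /Common/my_iRule <CLIENT_ACCEPTED>: IP Address Intelligence for IP address 10.20.30.40: Proxy
"""

def parse_line(line):
    """Return (ip, categories, rejected) for a line written by either iRule, else None."""
    for regex, rejected in ((LOG_RE, False), (REJECT_RE, True)):
        m = regex.search(line)
        if m:
            found = m.group(2).lower()      # raw IP::reputation text, braces and all
            cats = {c for c in KNOWN_CATEGORIES if c.lower() in found}
            return m.group(1), cats, rejected
    return None

def review(log_text, block_categories, whitelist=()):
    """Count hits per category (whitelisted networks skipped); list Block-category sources never rejected."""
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    counts, seen, rejected = Counter(), {}, set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, cats, was_rejected = parsed
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue                        # whitelisted source: reputation ignored
        if was_rejected:
            rejected.add(ip)                # categories were already counted at CLIENT_ACCEPTED
            continue
        counts.update(cats or {"(not in database)"})
        seen.setdefault(ip, set()).update(cats)
    unblocked = sorted(ip for ip, c in seen.items() if c & set(block_categories) and ip not in rejected)
    return counts, unblocked
```

Running review(SAMPLE_LOG, ("Windows Exploits", "Web Attacks"), whitelist=("10.20.30.0/24",)) reports 203.0.113.77 as a Web Attacks source that was logged but not rejected, while the whitelisted 10.20.30.40 is not counted at all.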

IP address intelligence categories

Along with the IP address, the IP intelligence database stores the category that explains the reason that the IP address is considered untrustworthy.

Category            Description
Windows exploits    IP addresses that have exercised various exploits against Windows resources using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.
Web attacks         IP addresses that have launched web attacks of various forms.
Botnets             IP addresses of computers that are infected with malicious software and are controlled as a group, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways.
Scanners            IP addresses that have been observed to perform port scans or network scans, typically to identify vulnerabilities for later exploits.
Denial of Service   IP addresses that have launched Denial of Service (DoS) attacks. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond and become bogged down or unable to service legitimate clients.
Infected Sources    IP addresses that issue HTTP requests with a low reputation index score, or are known malware sites.
Phishing            IP addresses that are associated with phishing web sites that masquerade as legitimate web sites.
Proxy               IP addresses that are associated with web proxies that shield the originator's IP address (such as anonymous proxies).