In Application Security Manager, you can use IP address intelligence blocking in a security policy to block requests from IP addresses that have questionable reputations. IP addresses from which attacks or spam have originated are included in an IP intelligence database, along with the category describing the problem. The BIG-IP system must connect to the IP intelligence database before you can use IP address intelligence blocking.
You can configure a security policy to log (alarm) or block requests from IP addresses of questionable reputation, and to perform different actions depending on the categories of problems. For example, you can block requests from IP addresses associated with Windows exploits and log requests from scanners.
You can create a whitelist of IP addresses that might be in the database, and allow them to access the web application regardless of their IP reputation. This is a way to ensure that traffic from known sources is not blocked because of IP address intelligence data.
You can also use iRules to instruct the system how to use IP address intelligence information.
Along with the IP address, the IP intelligence database stores the category that explains the reason that the IP address is considered untrustworthy.
| Category | Description |
|---|---|
| Botnets | IP addresses of computers that are infected with malicious software (botnet command and control channels and infected zombie machines), are controlled as a group by a bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways. |
| Cloud Provider Networks | IP addresses and networks that are used by cloud providers. |
| Denial-of-Service | IP addresses that have launched denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, or anomalous SYN flood attacks, or that were identified through anomalous traffic detection. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond quickly enough and become bogged down or unable to service legitimate clients. |
| Illegal Web sites | IP addresses that contain criminally obscene material or potentially criminal internet copyright and intellectual property violations. |
| Infected Sources | Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses. |
| Phishing | IP addresses that host phishing sites and other kinds of fraud activities, such as ad click fraud or gaming fraud. |
| Proxy/Anonymous Proxies | IP addresses that are associated with web proxies that shield the originator's IP address (such as proxy and anonymization services). This category also includes TOR anonymizer addresses. |
| Scanners | IP addresses that are involved in reconnaissance, such as probes, host scans, domain scans, and password brute-force attempts, typically to identify vulnerabilities for later exploits. |
| Spam Sources | IP addresses that are known to distribute large amounts of spam email by tunneling spam messages through proxies, anomalous SMTP activities, and forum spam activities. |
| Web Attacks | IP addresses involved in cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force. |
| Windows Exploits | Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities. |
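
The whitelist and per-category handling described above can also be expressed in an iRule. The following is an added example, not part of the original page and not F5's own code; the data group name `ipi_allowlist` is a hypothetical placeholder, and the category strings are assumed to match the category names listed above.

```tcl
# Added example (not from the original page).
# Assumption: "ipi_allowlist" is a hypothetical address-type data group
# that holds the whitelisted source addresses.
when HTTP_REQUEST {
    set client [IP::client_addr]

    # Whitelisted sources are allowed regardless of IP reputation.
    if { [class match $client equals ipi_allowlist] } {
        return
    }

    # IP::reputation returns a Tcl list of the categories that apply
    # to the address.
    set categories [IP::reputation $client]

    # Per-category actions, following the page's example:
    # block Windows exploits, log (alarm on) scanners.
    set block_categories [list "Windows Exploits"]
    set alarm_categories [list "Scanners"]

    # Blocking takes precedence when an address is in several categories.
    foreach category $categories {
        if { [lsearch -exact $block_categories $category] >= 0 } {
            log local0. "IPI block: $client categories=\[$categories\]"
            HTTP::respond 403 content "Request rejected" "Content-Type" "text/plain"
            return
        }
    }

    # Alarm-only categories: record the request and let it through.
    foreach category $categories {
        if { [lsearch -exact $alarm_categories $category] >= 0 } {
            log local0. "IPI alarm: $client categories=\[$categories\]"
            return
        }
    }
}
```

Checking the allowlist before the reputation lookup keeps known sources from being blocked or logged because of IP intelligence data.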