An IP intelligence database is a list of IP addresses with questionable reputations. IP addresses gain a questionable reputation and are added to the database as a result of having performed exploits or attacks, or these addresses might represent proxy servers, scanners, or systems that have been infected. You can prevent system attacks by excluding traffic from malicious IP addresses. The IP Intelligence database is maintained online by a third party.
The BIG-IP system can connect to an IP intelligence database, download the contents, and automatically keep the database up to date. You use iRules to instruct the system on how to use IP address intelligence information. For example, iRules can instruct the system to verify the reputation of and log the originating IP address of all requests.
You can also use the IP address intelligence information within security policies in the Application Security Manager to log or block requests from IP addresses with questionable reputations.
Along with the IP address, the IP intelligence database stores the category that explains the reason that the IP address is considered untrustworthy.
|Category|Description|
|---|---|
|Windows exploits|IP addresses that have exercised various exploits against Windows resources using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.|
|Web attacks|IP addresses that have launched web attacks of various forms.|
|Botnets|IP addresses of computers that are infected with malicious software and are controlled as a group, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways.|
|Scanners|IP addresses that have been observed to perform port scans or network scans, typically to identify vulnerabilities for later exploits.|
|Denial of Service|IP addresses that have launched Denial of Service (DoS) attacks. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond and become bogged down or unable to service legitimate clients.|
|Infected Sources|IP addresses that issue HTTP requests with a low reputation index score, or are known malware sites.|
|Phishing|IP addresses that are associated with phishing web sites that masquerade as legitimate web sites.|
|Proxy|IP addresses that are associated with web proxies that shield the originator's IP address (such as anonymous proxies).|
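As an added example (not code from the F5 documentation), the following iRule shows the logging-and-blocking pattern described above: it looks up each connecting client in the IP Intelligence database with the IP::reputation command, logs the categories returned, and rejects the connection when one of them is on a block list. The block list is an assumed policy choice built from the category names in the table, and the example assumes IP::reputation returns an empty list for addresses that are not in the database.

```tcl
# Added example iRule: log IP Intelligence categories for every client
# and reject clients whose categories match a configured block list.
# Assumes an IP Intelligence subscription is active and the iRule is
# attached to a virtual server.
when RULE_INIT {
    # Categories treated as block-worthy (assumed policy, not F5 defaults).
    # Category strings use the names shown in the documentation table.
    set static::ipi_block_list [list \
        "Windows exploits" \
        "Web attacks" \
        "Botnets" \
        "Scanners" \
        "Denial of Service" \
        "Infected Sources" \
        "Phishing"]
}

when CLIENT_ACCEPTED {
    set client_ip [IP::client_addr]

    # Query the IP Intelligence database; the result is a list of
    # category names, empty when the address has no reputation entry.
    set categories [IP::reputation $client_ip]

    if { [llength $categories] == 0 } {
        # Not in the database: allow the connection, nothing to log beyond debug.
        log local0.debug "IPI: $client_ip has no reputation entry"
        return
    }

    # Always record the verdict so SOC analysts can correlate it later.
    log local0. "IPI: $client_ip categories: [join $categories {, }]"

    # Reject on the first category that appears on the block list.
    foreach cat $categories {
        if { [lsearch -exact $static::ipi_block_list $cat] >= 0 } {
            log local0.warning "IPI: rejecting $client_ip (category: $cat)"
            reject
            return
        }
    }
    # Remaining categories (for example Proxy) are logged but allowed.
}
```

Addresses in categories not on the block list (here only Proxy) are logged and allowed, which makes it straightforward to review the log before tightening the policy.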