Forum Discussion

bman_12685
Jun 11, 2012

custom plugin for dnsbl

I'd like to implement something like a plugin for a DNS blacklist that checks the IP of a node against an upstream DNSBL. I have seen some references to shell scripts such as external monitors; is there a way to incorporate something like this via an iRule?

And if so, is this considered an acceptable practice?

4 Replies

    Richard__Harlan
    Historic F5 Account
    Sounds like you are thinking of doing this to check the IP address of the client from an LTM, is that correct? If so, you should look at sideband connections. It lets the LTM pause the connection and open a new connection, in your case to the BL server, get an answer, and then use the result in the iRule.

    Doing so, you could test the client IP and, based on the result, allow the connection through or not. Below is the link to the wiki page for sideband connections.

    https://devcentral.f5.com/wiki/iRules.SIDEBAND.ashx
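
The reply above covers the plumbing (pause the client connection, ask the list, act on the answer) but not what a DNSBL actually returns, which is where a naive implementation goes wrong. The Python below is an added example, not code from this thread or from F5: it builds the reversed-octet (or reversed-nibble, for IPv6) query name, interprets the 127.0.0.x answer codes, and applies an explicit fail-open policy. The listing and error codes are the ones Spamhaus documents for zen.spamhaus.org and are an assumption for any other list; the resolver is an in-memory stub with constructed sample data so it runs offline. On BIG-IP the same lookup would be issued from CLIENT_ACCEPTED, most likely with RESOLV::lookup rather than a raw sideband socket (my assumption, not something the thread states).

```python
"""DNSBL (DNS block list) client-IP check, constructed as an added example.

Not code from the thread or from F5. `resolve` is an in-memory stub so the
module runs offline; in production it would be a query to your own recursive
resolver (or, on BIG-IP, RESOLV::lookup from CLIENT_ACCEPTED - an assumption).
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Listing codes Spamhaus documents for zen.spamhaus.org. Assumption: every
# list defines its own codes, so check the documentation of the list you use.
SPAMHAUS_ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL ISP",
    "127.0.0.11": "PBL Spamhaus",
}

# 127.255.255.x answers report a problem with the query itself, not a listing.
ERROR_CODES: Dict[str, str] = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent via open/public resolver",
    "127.255.255.255": "excessive query volume",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> Optional[str]:
    """Build the DNSBL query name, or None if the address must not be queried.

    IPv4: octets reversed, e.g. 93.184.216.34 -> 34.216.184.93.<zone>.
    IPv6: all 32 nibbles reversed, one label each (the ip6.arpa convention).
    Private, loopback and other non-global addresses are never sent upstream:
    they cannot be listed, and querying them leaks internal topology.
    """
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        return None
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def interpret_answer(answers: List[str],
                     codes: Dict[str, str] = SPAMHAUS_ZEN_CODES) -> Tuple[str, List[str]]:
    """Turn the A records returned for a DNSBL query into a verdict.

    Returns (status, details):
      "clean"   no records (NXDOMAIN): not listed
      "listed"  one or more 127.0.0.0/8 listing codes
      "error"   a 127.255.255.x code: the query itself is broken
      "invalid" an answer outside 127.0.0.0/8: a dead or wildcarded zone that
                answers for every name, which must not count as a listing
    """
    if not answers:
        return "clean", []
    details: List[str] = []
    for record in answers:
        addr = ipaddress.ip_address(record)
        if addr in ipaddress.ip_network("127.255.255.0/24"):
            return "error", [ERROR_CODES.get(record, record)]
        if not addr.is_loopback:
            return "invalid", [record]
        details.append(codes.get(record, record))
    return "listed", details


def should_reject(ip: str, zone: str, resolve: Resolver,
                  codes: Dict[str, str] = SPAMHAUS_ZEN_CODES,
                  fail_open: bool = True) -> Tuple[bool, str]:
    """Decide whether to reject a client. Anything other than a clean or a
    listed answer (timeout, error code, bogus zone) falls back to the
    fail_open policy, so a broken list cannot take the service down."""
    name = dnsbl_query_name(ip, zone)
    if name is None:
        return False, "not queried: non-public address"
    try:
        answers = resolve(name)
    except TimeoutError:
        return (not fail_open), "resolver timeout"
    status, details = interpret_answer(answers, codes)
    if status == "listed":
        return True, "listed: " + ", ".join(details)
    if status == "clean":
        return False, "clean"
    return (not fail_open), status + ": " + ", ".join(details)


# Constructed stub standing in for upstream DNS: names absent from the table
# resolve to NXDOMAIN (empty list); one client address is made to time out.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "34.216.184.93.zen.spamhaus.org.": ["127.0.0.4", "127.0.0.10"],  # listed
    "1.0.16.104.zen.spamhaus.org.": ["127.255.255.254"],             # query error
    "3.2.1.151.zen.spamhaus.org.": ["198.51.100.1"],                 # wildcarded zone
}


def stub_resolver(name: str) -> List[str]:
    if name.startswith("1.1.1.1."):
        raise TimeoutError(name)
    return CONSTRUCTED_ZONE.get(name, [])


if __name__ == "__main__":
    for client in ("93.184.216.34", "23.1.2.3", "104.16.0.1",
                   "151.1.2.3", "10.1.2.3", "1.1.1.1"):
        print(client, should_reject(client, "zen.spamhaus.org", stub_resolver))
```

Three points bear on the "acceptable practice" part of the question: send the query through your own recursive resolver, not a public one (the 127.255.255.254 code exists precisely because lists refuse those); cache the verdict per client address rather than adding a DNS round trip to every new connection; and choose fail-open deliberately, because a lapsed or wildcarded zone otherwise turns into a self-inflicted outage. Most public lists also limit query volume and commercial use, so check the list's terms before putting it in the connection path.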
  • We also have an IP reputation database service in 11.2 that you could use. I'm trying to find out more info on the iRule hooks for this, but there is native support for using the database:

    Release Note: BIG-IP LTM and TMOS version 11.2.0

    http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-0.html#rn_new

    IP intelligence

    In this release, you can use iRules to determine the reputation of an IP address and operate based on that reputation. The IP reputation database is regularly updated, and contains the following categories:

    • Windows Exploits: IP addresses that have exercised various exploits against Windows resources using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.
    • Web Attacks: IP addresses that have launched web attacks of various forms.
    • Botnets: IP addresses representing compromised computers on the Internet that are now part of a botnet (machines that send spam messages, launch various attacks, or behave in other unpredictable ways).
    • Scanners: IP addresses that have been observed to scan ports or networks, typically to identify vulnerabilities for subsequent exploits.
    • Denial of Service: IP addresses that have launched denial of service attacks, often requests for legitimate services, but which occur at such a fast rate that targeted systems cannot respond and become overloaded or unable to service legitimate clients.
    • Reputation: IP addresses that issue HTTP requests with a low average reputation, or that request only known malware sites.
    • Phishing: IP addresses associated with phishing websites (sources that attempt to acquire information such as user names, passwords, and credit card details by masquerading as a trustworthy entity).
    • Proxy: IP addresses associated with web proxies, which can be used to conceal an attacker's identity.
    • Network: Networks (/24) in which the majority of IP addresses have exhibited suspicious behavior.

    You can configure the system to reject a request from IP addresses in a specific reputation category. To enable this feature, run the command tmsh modify sys db iprep.autoupdate value enable. To disable this feature, run the command tmsh modify sys db iprep.autoupdate value disable. To look up the reputation of a specific IP address, run the command iprep_lookup . For this release, only IPv4-formatted IP addresses are supported. A free 30 day evaluation of the IP intelligence service is available.

    Aaron
  • Interesting, thanks. It looks like it's based on 11.x, so we will have to wait, but thanks; we plan on updating soon.