Security Stuffs

F5 BIGIP – DNS and IP Intelligence

F5 has a nice threat feed called IP Intelligence.  It’s really great for keeping “bad” folks from initiating communications TO your F5.  I wanted to use it to keep me from doing something stupid. You know, like handing over my etrade credentials to a known Phishing site or something.  Given that there isn’t a “Stop me from being stupid” button anywhere in the management interface, I had to create my own.

In this instance, I wanted a caching DNS resolver that my home network would use exclusively.  As DNS responses would come back, I wanted to check if they were good/bad and categorize them as such.  To keep track of this stuff, I send the logs to Splunk.  Unsolicited plug:  The more I use Splunk, the more I like it.  Great reporting tool.

Setting up the caching resolver is very straightforward.  Decent instructions on how to do this can be found on DevCentral.  Once built, I wrote and assigned this iRule to the virtual server handling DNS requests.  At a high level, it just waits to see DNS responses that correlate to previously seen DNS requests.  It skims through each response looking for addresses.  Those addresses are checked against the IP Intelligence database.  If there’s a hit, I log it.  Eventually, I’ll modify the response to send me somewhere safe.  For now, it’s “Alert Only”.

Without further ado, the iRule.

when CLIENT_ACCEPTED {
  ## Open a High-Speed Logging handle to the pool that fronts the Splunk collector
  set hsl [HSL::open -proto UDP -pool Logging_Pool]
}

when DNS_RESPONSE {
    ## save the response records from the DNS answer..
    set rrs [DNS::answer]

    ## Loop through each record..
    foreach rr $rrs {
        ##  If it's an address, do an IP Rep check on it
        if {[DNS::type $rr] eq "A"} {

           ##  save the fqdn of the request
           set orgname [DNS::name $rr]

           ##  save the IP address of the response
           ##  no, I'm not sure why I chose fart as the variable name
           set fart [DNS::rdata $rr]

           ##  Look the address up once and reuse the result for the test and the log line
           set iprep [IP::reputation $fart]

           ##  If the IP Rep check has anything in it, it's bad..
           ##  (Tcl needs the space between the condition brace and the body brace)
           if {[llength $iprep] != 0} {
              HSL::send $hsl "Hostname=\"mybigip\",Entity=\"DNS_Category\",HitCount=\"1\",VSName=\"/Common/PrivateResolver\",DNS_Response=\"$orgname = $fart\",IPREP=\"$iprep\",category=\"/Common/IPReputation\"\n"
           }
        }
    }
}

Does It Blend?

More importantly, are we finding anything interesting?  Of course!  Doing some quick spot checks, it would appear that it’s mostly finding questionable advertisements embedded from the hundreds of ad networks out there.  I suppose that isn’t too surprising.  ObGraph:


On a daily basis, not too many hits in the Imhoff household.

The astute viewers will have noticed the “Suspicious_Content” line in the graph.  Full disclosure: I’m using the URL Filtering engine to evaluate the DNS Requests simultaneously, but that’s a different post for a different day.  The log format included in this particular iRule is purposefully similar to the URL Filtering log format to simplify reporting.
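Since the whole point of the log format above is to make reporting easy, here is an added example (my own code, not part of the original post or of F5's product) that parses the key="value" lines the iRule emits and tallies hits by reputation category and by queried name, the same view the graph gives.  Two details matter: the IPREP field carries a Tcl list interpolated into a string, so a multi-word category such as "Spam Sources" arrives wrapped in braces, and a naive split on commas would break on it; and the regex-based field extraction tolerates a syslog or HSL prefix in front of the first field.  The sample log lines, names and addresses are constructed for the example and are not real data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape the iRule emits (not real log data).
# The third line stands in for a non-matching line that a collector might also deliver.
SAMPLE_LOGS = [
    'Hostname="mybigip",Entity="DNS_Category",HitCount="1",VSName="/Common/PrivateResolver",'
    'DNS_Response="ads.example.test = 192.0.2.10",IPREP="{Spam Sources} Phishing",category="/Common/IPReputation"',
    'Hostname="mybigip",Entity="DNS_Category",HitCount="1",VSName="/Common/PrivateResolver",'
    'DNS_Response="cdn.example.test = 198.51.100.7",IPREP="{Web Attacks}",category="/Common/IPReputation"',
    'some unrelated syslog line that should be skipped',
    'Hostname="mybigip",Entity="DNS_Category",HitCount="1",VSName="/Common/PrivateResolver",'
    'DNS_Response="ads.example.test = 192.0.2.11",IPREP="Phishing",category="/Common/IPReputation"',
]

# key="value" pairs; values may contain commas or spaces, so we never split on commas.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Elements of a Tcl list rendered as a string: {multi word} or bareword.
TCL_ELEM_RE = re.compile(r'\{([^}]*)\}|(\S+)')


def tcl_list_elements(value):
    """Split the string form of a Tcl list (as interpolated into the log line) into elements."""
    return [braced or bare for braced, bare in TCL_ELEM_RE.findall(value)]


def parse_line(line):
    """Return a dict of fields for one iRule log line, or None if the line is not one."""
    fields = dict(KV_RE.findall(line))
    if "DNS_Response" not in fields or "IPREP" not in fields:
        return None
    qname, sep, addr = fields["DNS_Response"].partition(" = ")
    if not sep:
        return None
    try:
        # Reject anything that is not an address (the iRule only logs A records).
        ipaddress.ip_address(addr)
    except ValueError:
        return None
    fields["qname"] = qname
    fields["address"] = addr
    fields["categories"] = tcl_list_elements(fields["IPREP"])
    return fields


def summarize(lines):
    """Count parsed hits per reputation category and per queried name."""
    by_category = Counter()
    by_qname = Counter()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        by_qname[rec["qname"]] += 1
        by_category.update(rec["categories"])
    return {"parsed": parsed, "by_category": by_category, "by_qname": by_qname}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    print("parsed lines:", report["parsed"])
    for cat, n in report["by_category"].most_common():
        print(f"  category {cat!r}: {n}")
    for name, n in report["by_qname"].most_common():
        print(f"  qname {name!r}: {n}")
```

Feeding the real HSL stream through summarize() (one line per record) gives the per-category and per-name counts; if the same query name keeps showing up under an ad-related category, that is the "questionable advertisements" pattern described above, whereas a first hit on a Phishing category for a name the household has never resolved before is the one worth an alert.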
