Using the IP Reputation API in Avi Vantage

Millions of websites, email servers, and other devices connected to the internet use IP reputation services to detect bots, block spam, prevent false registrations or purchases, verify users or payments, and protect against other online threats. For example, a company’s pristine reputation could mean its email newsletters reach inboxes instead of spam folders. For this reason, it’s essential to know how to maintain a great reputation so that your customers can easily find you on the web or receive your marketing communications.

A business’s IP reputation can be harmed by a single bad incident, but it can also decline over time as a result of consistently poor behavior. To prevent these issues, a business must constantly monitor the overall behavior of its IP addresses. To do this, businesses can sign up for feedback loops that send complaints about the sending behavior of their IP addresses to ESPs, or ask recipients to report spam. However, these methods can be unreliable, and the time and expense involved can be prohibitive for smaller organizations.

An alternative method for businesses to monitor their IP reputation is by using an online service that can check the reputation of an individual or a group of IP addresses in a given network neighborhood. These services use historical abuse reports and online behavior to identify IP addresses that should be blacklisted or whitelisted. For example, if an IP address is associated with a data center, hosting provider, residential or wireless network, or a proxy or VPN, it can be categorized as high risk. Then, if other data centers or hosts are associated with the same IPs, the entire neighborhood can be blacklisted or whitelisted.
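The neighborhood logic described above, as an added example that is not part of the original page or of any Avi Vantage or reputation-service code. The report data is constructed, and the /24 neighborhood size and both thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed abuse reports (RFC 5737 documentation ranges); not real data.
REPORTS = [
    ("203.0.113.10", "spam"), ("203.0.113.10", "spam"),
    ("203.0.113.27", "bot"), ("203.0.113.99", "spam"),
    ("198.51.100.5", "spam"),
]

# Assumed values for this illustration only.
IP_REPORTS_TO_BLOCK = 2      # reports against a single address
NEIGHBOR_IPS_TO_BLOCK = 3    # distinct reported addresses in one neighborhood
NEIGHBORHOOD_PREFIX = 24     # neighborhood = enclosing /24


def neighborhood(ip):
    """Return the /24 network that contains ip."""
    return ipaddress.ip_network(f"{ip}/{NEIGHBORHOOD_PREFIX}", strict=False)


def build_index(reports):
    """Count reports per address and distinct reported addresses per /24."""
    per_ip = defaultdict(int)
    per_net = defaultdict(set)
    for ip, _category in reports:
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        per_ip[addr] += 1
        per_net[neighborhood(addr)].add(addr)
    return per_ip, per_net


def verdict(ip, per_ip, per_net):
    """Classify an address by its own history, then by its neighborhood."""
    addr = ipaddress.ip_address(ip)
    if per_ip.get(addr, 0) >= IP_REPORTS_TO_BLOCK:
        return "block: address history"
    if len(per_net.get(neighborhood(addr), ())) >= NEIGHBOR_IPS_TO_BLOCK:
        return "block: neighborhood"
    return "allow"


if __name__ == "__main__":
    per_ip, per_net = build_index(REPORTS)
    for ip in ("203.0.113.10", "203.0.113.200", "198.51.100.5", "192.0.2.1"):
        print(ip, "->", verdict(ip, per_ip, per_net))
```

Note that 203.0.113.200 has no reports of its own and is still blocked because three of its neighbors do, which is the source of false positives when a clean address shares a range with abusive ones.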

The Avi Vantage network security features provide a way to use this information and block traffic from known malicious IPs or those that have been associated with other suspicious online objects. This can be done by using a policy configured with data sets or advanced policy expressions in the Security > Application Firewall > Policies section.

To configure these policies, the Avi Pulse service must be enabled and configured in Avi Vantage, and the IP Reputation feature must be enabled for that service. Additionally, the option to log events must be enabled for that virtual service. If logging is disabled for the virtual service, you will not be able to capture blocked requests. The log events will be reported in the Alerts section of the Operations dashboard. This is a different logging location than the logs for network security policies, which are stored in the Application firewall logs.