This installation guide describes the integration of ThreatSTOP and A10 ADC / TPS devices

Add a Device

  • Go to the portal (https://www.a10networks.com/support/threat-intelligence) and add your device.
  • Click on Devices.
  • Click on + Add Device.
  • The Add Device window will display.
  • Fill out the required fields:
    • Nickname: Internal device reference
    • Manufacturer: A10 Networks.
    • Model: Thunder TPS
    • IP Address: External IP address that will query the service. This can be determined by visiting https://www.threatstop.com/cgi-bin/validip.pl
    • IP Type (Static or Dynamic) used by the device.
    • Policy: A10-TPS
    • Location: country of residence (optional)
    • Postal Code: The ZIP code, or other postal designator for your location (optional)
  • Click Next.

Prepare the Threat Intelligence Proxy

Create a Virtual Machine (VM) in your preferred Virtual Machine host. The VM will need to have the following system requirements:

  • OS: Ubuntu 14.04
  • RAM: 10 GB
  • Internet connectivity, for DNS requests
  • Log into the VM, and update the distribution to the most recent version with the following command:
    sudo su –c ‘apt-get update && apt-get –y upgrade && apt-get install libwww-perl libcrypt-ssleay-perl’
    
  • Access the ThreatSTOP FTP through the VM using the following commands, for credential information simply type anonymous:
    ftp ftp.threatstop.com
    cd /pub
    get ts-a10_2.37-03_all.deb
    
  • Download the .deb file from the ThreatSTOP FTP server (ftp://ftp.threatstop.com/pub/ts-a10_2.37-03_all.deb)
  • Install the downloaded file with the following command:
    sudo dpkg –i ts-a10_2.37-03_all.deb
    

Configure the ThreatSTOP System

  • SSH into the VM with the following credentials:
    • username: threatstop
    • password: threatstop
  • Issue the following command:
    wget –qO – https://www.threatstop.com/cgi-bin/validip.pl
    
  • Record the IP address, this is your external IP address.
  • Run the automated setup script using the following command:
/opt/threatstop/setup.sh

Provide the following information as displayed at the prompts:
DDOS zones : <accept the default>
Enable NTP (y/n) ? [y] ==> <accept the default>
Enable DNS Resolvers (y/n) ? [y] ==> <accept the default>
Enable SSDP (y/n) ? [y] ==> <accept the default>
Enable SNMP (y/n) ? [y] ==> <accept the default>
Enable Drones (y/n) ? [y] ==> <accept the default>

Please enter the block_list to use:
[] ==> A10-TPS-001-netb.ANetwork.threatstop.local
Please enter the allow_list to use:
[] ==> A10-TPS-001-neta.ANetwork.threatstop.local

Please enter the external IP address of the A10 device:
[] ==> <Enter the IP address from steps 2-3>

Please enter port to use for DNS queries :
[53] ==>

Please enter the internal IP address of the A10 device:
[] ==> <Device IP>

Please enter the directory to store the A10 class lists:
[/etc/threatstop/lists] ==>

This will download the ThreatSTOP block and allow lists to your Virtual Machine which will then upload the policies directly to your A10 device.

Configure TPS using ACOS 3.2 or greater

  • Import the class list with the following command
    import-periodic class-list a10-ddos-block use-mgmt-port scp://threatstop:threatstop@x.x.x.x/etc/threatstop/list/block-000-nsp.txt period 7200
    
  • Create the source based policy with the following command
    ddos src-based-policy A10-Threat-Intel policy-class-list a10-ddos-block
    

° Bind the policy to the zone config with the following commands.

ddos dst zone www.example.com
ip 10.10.10.10
operational-mode monitor
port 80 tcp
    src-based-policy A10-Threat-Intel
        policy-class-list a10-ddos-block
            deny