BIG IP 13.X How to prevent an answer on port scanning

Question

Hi,&nbsp;Actually, I have one 2 VS. One listening on port 80 with an LTM policy to redirect the traffic on the second VS listening on port 443. I'm looking for a solution to prevent the F5 to answer on port 80 to tcp connexion coming from a scan tool.&nbsp;Thanks

spalande · Answer

You can attach iRule to HTTP VIP to reject the traffic coming from the scanning tool. Using data-groupwhen CLIENT_ACCEPTED {
 if { [class match [IP::client_addr] equals scanner_ip] } {
     reject
       } else {
	 return  
	   }
    }Using IP-address within the iRulewhen CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals &lt;scannerip&gt; ] } {
     reject
       } else {
	 return  
	   }
    }

joyride_us · Answer

You can redirect the request from port 80 to port 443.( HTTP::redirect ...)

egrebeld · Answer

This way do not prevent the F5 to answer on port scanning&nbsp;

egrebeld · Answer

In this case, how the F5 knows that this a legitimate request and not a port scan ?

spalande · Answer

well, you need to explicitly add IP addresses of scanning tool in the data group "scannerip" or define in the iRule itself.

Forum Discussion

BIG IP 13.X How to prevent an answer on port scanning

Recent Discussions

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Need Urgent BIGIP Trial License and VM Image

APM for banner and cert

How to Renew F5 Device Certificate

UCS backup not loading Big IP DNS pool

Related Content

Continued Intense Scanning From One IP in Lithuania

Advanced iRules: Scan

Advanced iRules: Binary Scan

OWASP Automated Threats - OAT-014 Vulnerability Scanning

The sooner the better: Web App Scanning Without Internet Exposure

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS