How to trigger an alert when a specific number of connections are attempted to VIP on a port that isn't provisioned.

Employee

Aug 10, 2020

> Does this log entry reflect the "client" address as well as the VIP/port that the connection was attempting?

No - tm.maxrejectrate is a global limit across all tmms. If HTSplit is enabled, tm.maxrejectrate is doubled.

K13151: Configuring the rate at which the BIG-IP system issues TCP RSTs or ICMP unreachable packets

> Note: Due to way the HTSplit feature dedicates and prioritizes resources when enabled, the value configured for the tm.maxrejectrate key is doubled on platforms with Hyper-Threading (HT) Technology. If the value of the tm.maxrejectrate key is set to 250, log messages indicate responses are limited to 500 packets/sec.

> We currently have a VIP that answers on all ports but are working to restrict to specific ports, but would like to be have evidence or alerts if a port scan or DDOS event is occurring.

You would need an irule that records requests to non-active ports and places the source IP and scanned ports into a subtable, to track whether that IP is probing multiple ports within a specified time period.

Or use AFM, which almost certainly has the requisite DoS/DDoS functionality, as well as port access lists for restricting access and logging rules if required.

Forum Discussion

How to trigger an alert when a specific number of connections are attempted to VIP on a port that isn't provisioned.

Recent Discussions

Enterprise Security best practices with F5 WAF

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

Related Content

Provisioning r2600 equipment

Detect and stop exfiltration attempts with F5 Distributed Cloud App Infrastructure Protection

Find connection attempts via source IP

Enable module Provisioning Resources with HA cluster

Slowdown of login attempts on APM SSLVPN