Forum Discussion

ukhan20
Jan 20, 2025

malformed tcp and udp with 0 port

Hi, how do I stop malformed TCP and UDP port-0 attacks in AFM?

Does this iRule work?

when CLIENT_DATA {
    # UDP virtual servers: CLIENT_DATA fires for each datagram.
    # Guard on IP::protocol (17 = UDP) so the UDP:: commands are
    # only evaluated on UDP flows.
    if {[IP::protocol] == 17} {
        if {[UDP::local_port] == 0 || [UDP::remote_port] == 0} {
            log local0. "Dropped UDP packet with port 0"
            drop
        }
    }
}

when CLIENT_ACCEPTED {
    # TCP virtual servers: check both ports once the connection is accepted.
    # Guard on IP::protocol (6 = TCP) so the TCP:: commands are
    # only evaluated on TCP flows.
    if {[IP::protocol] == 6} {
        if {[TCP::local_port] == 0 || [TCP::remote_port] == 0} {
            drop
        }
    }
}
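
The condition these iRules test, written out as an added example in Python (not code from the original post and not F5's own code): it parses a raw IPv4 packet, handles truncated IP and transport headers as malformed, and flags a TCP or UDP source or destination port of 0, which is the same check the iRule applies with `local_port`/`remote_port`. The packets it inspects are constructed inline by an assumed helper, `build_ipv4_packet`, so the block runs offline; it is meant for understanding and testing the rule's logic, not as a replacement for enforcing it on the BIG-IP.

```python
import struct
import ipaddress

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_ipv4_packet(proto, src_ip, dst_ip, src_port, dst_port):
    """Construct a minimal IPv4 packet carrying a TCP or UDP header.

    Constructed sample data for the demo only: checksums are left at zero
    and the TCP header is a bare SYN with no options.
    """
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data-offset(5 words)|SYN, window, csum, urg
        l4 = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                         (5 << 12) | 0x02, 65535, 0, 0)
    elif proto == IPPROTO_UDP:
        # sport, dport, length (header only), csum
        l4 = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    else:
        raise ValueError("unsupported protocol %d" % proto)
    total_len = 20 + len(l4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ip + l4


def inspect_packet(pkt):
    """Return a verdict dict for one raw IPv4 packet.

    'drop' is returned for a truncated IPv4 header, a bad IHL, a truncated
    TCP/UDP header, or a TCP/UDP source or destination port of 0.
    Non-IPv4 and non-TCP/UDP traffic is passed through as out of scope.
    """
    if len(pkt) < 20:
        return {"verdict": "drop", "reason": "truncated IPv4 header"}
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4:
        return {"verdict": "pass", "reason": "not IPv4"}
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return {"verdict": "drop", "reason": "bad IHL"}
    l4 = pkt[ihl:]
    if proto == IPPROTO_TCP:
        min_len = 20
    elif proto == IPPROTO_UDP:
        min_len = 8
    else:
        return {"verdict": "pass", "reason": "not TCP/UDP", "proto": proto}
    if len(l4) < min_len:
        return {"verdict": "drop", "reason": "truncated L4 header", "proto": proto}
    # Source and destination ports are the first two 16-bit fields of both headers.
    sport, dport = struct.unpack("!HH", l4[:4])
    result = {"proto": proto, "sport": sport, "dport": dport}
    if sport == 0 or dport == 0:
        result.update(verdict="drop", reason="port 0")
    else:
        result.update(verdict="pass", reason="ok")
    return result


def count_dropped(packets):
    """Run inspect_packet over a batch and return how many would be dropped."""
    return sum(1 for p in packets if inspect_packet(p)["verdict"] == "drop")


if __name__ == "__main__":
    # Constructed samples: two port-0 packets, one normal flow, one truncated datagram.
    samples = [
        build_ipv4_packet(IPPROTO_TCP, "192.0.2.10", "198.51.100.5", 0, 80),
        build_ipv4_packet(IPPROTO_UDP, "192.0.2.10", "198.51.100.5", 5000, 0),
        build_ipv4_packet(IPPROTO_TCP, "192.0.2.10", "198.51.100.5", 51234, 443),
        build_ipv4_packet(IPPROTO_UDP, "192.0.2.10", "198.51.100.5", 53, 53)[:24],
    ]
    for s in samples:
        print(inspect_packet(s))
    print("dropped:", count_dropped(samples))
```

Both directions are checked because the iRule tests `local_port` and `remote_port`; on the wire that is the destination and source port respectively, and a sender can set either to 0. The truncated-header cases are treated as drops because a transport header too short to carry its port fields is malformed by definition, which the port comparison alone would not catch.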

  • How are your virtual servers configured? If you are only listening on specific ports, i.e. tcp/80, udp/514, etc., then port 0 would not match on the local_port client-side. However, things would potentially be different if you are using wildcard virtual servers that can match multiple ports.

    Also check out the following on narrowing the match on any F5 virtual server: Three Ways to Specify Multiple Ports on a Virtual Server | DevCentral. You could use things like a port list.

    Finally, if the F5 BIG-IP is behind a firewall, wouldn't that take care of a malformed connection?

  • This iRule is working fine on a virtual server:

    when CLIENT_ACCEPTED {
        # Drop packets with port 0 for both TCP and UDP.
        # Dispatch on IP::protocol (6 = TCP, 17 = UDP) so that only the
        # commands that apply to the flow's protocol are evaluated.
        switch [IP::protocol] {
            6 {
                if {[TCP::remote_port] == 0 || [TCP::local_port] == 0} {
                    drop
                    return
                }
            }
            17 {
                if {[UDP::remote_port] == 0 || [UDP::local_port] == 0} {
                    drop
                    return
                }
            }
        }
    }

    iRules are resource hungry. How can I apply this rule or policy at the global (device) level so that it applies to all virtual servers?