Forum Discussion
malformed tcp and udp with 0 port
Hi, how do I stop a malformed TCP and UDP port 0 attack in AFM? Does this iRule work?
when CLIENT_DATA {
    # UDP:: commands are only valid on UDP traffic (IP::protocol 17);
    # calling them on a TCP virtual server raises a TCL error
    if { [IP::protocol] == 17 } {
        if { [UDP::local_port] == 0 || [UDP::remote_port] == 0 } {
            log local0. "Dropped UDP packet with port 0"
            drop
        }
    }
}
when CLIENT_ACCEPTED {
    # CLIENT_ACCEPTED fires for both TCP and UDP virtual servers, so only
    # call TCP:: commands on TCP traffic (IP::protocol 6)
    if { [IP::protocol] == 6 } {
        if { [TCP::local_port] == 0 || [TCP::remote_port] == 0 } {
            drop
        }
    }
}
- ukhan20
Altocumulus
This iRule is working fine on the virtual server:
when CLIENT_ACCEPTED {
    # Drop packets with port 0 for both TCP and UDP; branch on IP::protocol because TCP:: and UDP:: commands only work on their own protocol
    if { [IP::protocol] == 6 } {
        if { [TCP::remote_port] == 0 || [TCP::local_port] == 0 } {
            drop
            return
        }
    } elseif { [IP::protocol] == 17 } {
        if { [UDP::remote_port] == 0 || [UDP::local_port] == 0 } {
            drop
            return
        }
    }
}
iRules are resource hungry; how can I apply this rule or policy at the global or device level so that it applies to all virtual servers?
How are your virtual servers configured? If you are only listening on specific ports, i.e. tcp/80, udp/514, etc., then port 0 would not match on the local_port clientside. However, things would potentially be different if you are using wildcard virtual servers that can match multiple ports.
Check out also the following on narrowing the match on any F5 Virtual Server: Three Ways to Specify Multiple Ports on a Virtual Server | DevCentral. You could use things like a port list.
Finally, if the F5 BIG-IP is behind a firewall, wouldn't that take care of a malformed connection?
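The same port-0 condition the iRules above test, checked at the packet level in Python, as an added example that is not from the thread or from F5; `port_zero_verdict` and `build_ipv4` are names chosen here, and the packets are constructed samples rather than captured traffic.

```python
import struct

TCP, UDP = 6, 17  # IPv4 protocol numbers, same values IP::protocol returns


def port_zero_verdict(packet: bytes) -> str:
    """Return 'drop' if an IPv4 TCP/UDP packet has source or destination
    port 0, otherwise 'pass'. Non-IPv4, non-TCP/UDP and truncated packets
    are passed, mirroring an iRule that only inspects its own protocol."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "pass"                      # not IPv4 (or too short to tell)
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = packet[9]
    if proto not in (TCP, UDP) or len(packet) < ihl + 4:
        return "pass"                      # other protocol or truncated L4 header
    # TCP and UDP headers both start with 16-bit source and destination ports,
    # so the port check itself is protocol independent once we know the offset
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    if sport == 0 or dport == 0:
        return "drop"
    return "pass"


def build_ipv4(proto: int, sport: int, dport: int) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header (no checksum)
    followed by the L4 port pair and 4 bytes of padding."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0, 0, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    )
    return ip_header + struct.pack("!HH", sport, dport) + b"\x00" * 4


if __name__ == "__main__":
    for proto, sport, dport in [(UDP, 0, 53), (TCP, 443, 0), (TCP, 51000, 443)]:
        print(proto, sport, dport, port_zero_verdict(build_ipv4(proto, sport, dport)))
```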