On blocking port scans.

Question

What would be a good irule for blocking 0 byte tcp connections? Aka port scans? &nbsp;

kai_wilke · Answer

Hi Bago,
if you want the attacker to become pissed, then respond on each single TCP-connect with an HTTP 200 OK including IIS6.0 Server-Banners. This procedure will confuse his automated tools so that the attacker will a.) require a decent time to rule out all the false positives or b.) very soon look for easier targets...
Well, the more serious answer is just drop the unwanted TCP-sessions via the [drop] command or add some tarpits via [after 3000] before [drop]'ing the connection to slow down his port scanner. But the later approach may consume some additional ressources on your device...
Note: Keep in mind, that a Virtual Server will perform the full 3-way handshake before you can [drop] the connection. Putting a network firewall infront of your Virtual Servers will allow you to [drop] even the initial 3-way handshake...
Cheers, Kai

Forum Discussion

On blocking port scans.

1 Reply

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Sending an HTTP request from iRule without delaying client requests

Route Domains HA & Traffic Groups

Horizon View iApp - Big-IP 17.5

r4600 Tenant CPU Assignment

BGP Over 2 vlans to 2 Network switch

Related Content

ports are showing open on online scanning tool

Continued Intense Scanning From One IP in Lithuania

OWASP Automated Threats - OAT-014 Vulnerability Scanning

The sooner the better: Web App Scanning Without Internet Exposure

domain blocking

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS