Forum Discussion
On blocking port scans.
Hi Bago,
if you want the attacker to become pissed, then respond on each single TCP-connect with an HTTP 200 OK including IIS6.0 Server-Banners. This procedure will confuse his automated tools so that the attacker will a.) require a decent time to rule out all the false positives or b.) very soon look for easier targets...
Well, the more serious answer is to just drop the unwanted TCP sessions via the [drop] command, or add some tarpits via [after 3000] before [drop]'ing the connection to slow down his port scanner. But the latter approach may consume some additional resources on your device...
Note: Keep in mind that a Virtual Server will perform the full 3-way handshake before you can [drop] the connection. Putting a network firewall in front of your Virtual Servers will allow you to [drop] even the initial 3-way handshake...
Cheers, Kai
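The drop and tarpit approaches from the reply above, combined in one iRule sketch. This is an added example, not code from the original post. It assumes an address data group named `allowed_clients` and a per-source limit of 20 connections per 60 seconds, both hypothetical values chosen for illustration. The limit exists because each tarpitted connection stays in the connection table while it waits, which is the resource cost the reply mentions.

```tcl
# Added example, not from the original post.
# Assumptions: data group "allowed_clients" and the limits below are hypothetical.
when CLIENT_ACCEPTED {
    # The virtual server has already completed the 3-way handshake at this point.

    # Permitted sources pass through untouched.
    if { [class match [IP::client_addr] equals allowed_clients] } {
        return
    }

    # Count unwanted connections per source address.
    set key "unwanted:[IP::client_addr]"
    set hits [table incr $key]
    if { $hits == 1 } {
        # First hit from this source: let the counter expire after 60 seconds.
        table lifetime $key 60
    }

    if { $hits > 20 } {
        # Noisy source: drop immediately so the tarpit does not pile up
        # suspended connections on the device.
        drop
        return
    }

    # Low-volume source: hold the connection for 3 seconds, then drop it.
    after 3000
    drop
}
```

Dropping in `CLIENT_ACCEPTED` still lets the scanner see the port as open, since the handshake has completed; only a network firewall in front of the virtual server avoids that.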