Forum Discussion

bago_7909

Nimbostratus

Sep 04, 2017

On blocking port scans.

What would be a good irule for blocking 0 byte tcp connections? Aka port scans?

MVP

Sep 05, 2017

Hi Bago,

if you want the attacker to become pissed, then respond on each single TCP-connect with an HTTP 200 OK including IIS6.0 Server-Banners. This procedure will confuse his automated tools so that the attacker will a.) require a decent time to rule out all the false positives or b.) very soon look for easier targets...

Well, the more serious answer is just drop the unwanted TCP-sessions via the [drop] command or add some tarpits via

[after 3000]

before

[drop]

'ing the connection to slow down his port scanner. But the later approach may consume some additional ressources on your device...

Note: Keep in mind, that a Virtual Server will perform the full 3-way handshake before you can

[drop]

the connection. Putting a network firewall infront of your Virtual Servers will allow you to
[drop]
even the initial 3-way handshake...

Cheers, Kai

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

On blocking port scans.

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

F5 DNS Logs in JSON Format

APM - Portal access - Issue

How to configure ssh access by key on F5OS

ASM/AWAF declarative policy

Help with an iRule to disconnect active connections to Pool Members that are "offline"

Related Content

Logging/Blocking possible prompt injection

Introducing F5 Distributed Cloud Web App Scanning

Advanced iRules: Scan

Advanced iRules: Binary Scan

ports are showing open on online scanning tool

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS