For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bago_7909's avatar
bago_7909
Icon for Nimbostratus rankNimbostratus
Sep 04, 2017

On blocking port scans.

What would be a good irule for blocking 0 byte tcp connections? Aka port scans?  
BIG-IP
devops
iRules
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Sep 05, 2017

Hi Bago,

if you want the attacker to become pissed, then respond on each single TCP-connect with an HTTP 200 OK including IIS6.0 Server-Banners. This procedure will confuse his automated tools so that the attacker will a.) require a decent time to rule out all the false positives or b.) very soon look for easier targets...

Well, the more serious answer is just drop the unwanted TCP-sessions via the [drop] command or add some tarpits via 

[after 3000]
before 
[drop]
'ing the connection to slow down his port scanner. But the later approach may consume some additional ressources on your device...

Note: Keep in mind, that a Virtual Server will perform the full 3-way handshake before you can 

[drop]
the connection. Putting a network firewall infront of your Virtual Servers will allow you to 
[drop]
even the initial 3-way handshake...

Cheers, Kai