Vulnerability scan lists all IPs and ports as open
Jeff,
What sort of virtual is the Wildcard virtual (standard or Performance Layer 4/IP Forwarding)?
Does the tcp profile enable SynCookie protection?
When SynCookies protection kicks in, even a fastl4 will respond to the [SYN] with a [SYN,ACK].
K14779: Overview of BIG-IP SYN cookie protection (11.3.x - 12.x)
If you are running a network range port scan, the virtual will see (and cache) a large number of [SYN] packets, with no corresponding [SYN,ACK]. Once the SYN cookie cache value is exceeded, the LTM will start responding to [SYN] packets with a [SYN,ACK] containing a syncookie.
This behavioural change may trigger false positive results in the network scanner.
The observed change probably relates to functional differences in the hardware platforms and default trigger values.
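
The behaviour described in the reply above, as an added example that is not part of the original post and is not F5 code: a simplified Python model of a wildcard virtual during a half-open port sweep, plus a check that flags the point in a scan where every probe starts reporting "open". The threshold value, addresses and all names are constructed for illustration, and the pre-threshold behaviour (the reply reflects the backend) is an assumption of the model.

```python
# Simplified model, constructed for illustration; not BIG-IP code.
from dataclasses import dataclass

@dataclass
class WildcardVirtual:
    backend_open: set        # (ip, port) pairs really listening behind the virtual
    syn_threshold: int       # assumed trigger value, not a BIG-IP default
    pending_syns: int = 0    # SYNs seen whose handshake was never completed
    cookie_mode: bool = False

    def on_syn(self, ip, port):
        """Reply a half-open (SYN) scanner observes for one probe."""
        if not self.cookie_mode:
            self.pending_syns += 1   # the scanner never sends the final ACK
            self.cookie_mode = self.pending_syns > self.syn_threshold
        if self.cookie_mode:
            return "SYN,ACK"         # cookie reply, sent without consulting the backend
        # Model assumption: below the threshold the reply reflects the backend.
        return "SYN,ACK" if (ip, port) in self.backend_open else "RST"

def syn_sweep(virtual, targets):
    """Half-open sweep: report (ip, port, open?) in probe order."""
    return [(ip, p, virtual.on_syn(ip, p) == "SYN,ACK") for ip, p in targets]

def cookie_artifact_start(results, min_run=20):
    """Index where results turn into an unbroken run of 'open' lasting to the
    end of the sweep, or None if that trailing run is shorter than min_run."""
    start = len(results)
    while start > 0 and results[start - 1][2]:
        start -= 1
    return start if len(results) - start >= min_run else None

# Constructed sample: 4 documentation-range hosts, ports 1-50, 3 real listeners.
HOSTS = [f"192.0.2.{n}" for n in range(1, 5)]
TARGETS = [(ip, port) for ip in HOSTS for port in range(1, 51)]
LISTENERS = {("192.0.2.1", 22), ("192.0.2.1", 25), ("192.0.2.3", 22)}

def run(threshold):
    """Return (ports reported open, index where the artifact starts or None)."""
    results = syn_sweep(WildcardVirtual(set(LISTENERS), threshold), TARGETS)
    return sum(is_open for _, _, is_open in results), cookie_artifact_start(results)

if __name__ == "__main__":
    print("threshold never reached:", run(10_000))   # true picture
    print("threshold of 64 SYNs:   ", run(64))       # everything after probe 64 is 'open'
```

In a real scan report, a sudden unbroken run of "open" results that starts partway through the sweep and covers unrelated hosts and ports is the pattern to check against the virtual's SYN cookie statistics before treating the findings as genuine.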