Forum Discussion

g1_253413's avatar
g1_253413
Icon for Nimbostratus rankNimbostratus
Apr 09, 2018

Vulnerability scan lists all ip's and port as open

Vulnerability scan on subnets behind F5 lists all ip's and ports as open. We use the Big ip as LTM currently running 13.1.0.2. Security team started seeing these results right around when we upgraded...
application delivery
LTM
Jacqueline_Tadr's avatar
Jacqueline_Tadr
Icon for Altocumulus rankAltocumulus

I have the same issue when we scan for open ports from the internet destined to one of the virtual servers IP on the front end of the load-balancer. we upgraded to 14.1.4 when this started happening again after the fix. pcap doesn't show any SYN or SYN/ACK packets but only ACK then followed by RST. It doesn't even go through for the 443 allow. I'm trying to understand from the answers above but can't grasp the whole picture. Also some say scanning is to the internal servers on the backend. Can anyone share the whole document/explanation? This False Positive creates concerns to security,

 

jba3126's avatar
jba3126
Icon for Cirrus rankCirrus
Jun 07, 2021

 for us, it was an internal scan, not an external scan. What happened was we had SYN Cookie protection enabled on the profile for our Forwarding VS. This caused the F5 to challenge the SYNs from Discovery scans even though these IPs in some cases didn't even exist behind the F5 making the scanner tee these IP and Ports up for actual vulnerability checks. To top this off the F5 was trying to deal as it was a DoS attack and began consuming memory until it finally fell over. We disabled SYN Challenge Handling in the Fastl4 profile and this fixed our issue. Make sure that you don't have this enabled on your VIP and VLAN as it could do the same.

 

/jba