
BIG IP 13.X How to prevent an answer on port scanning

Egrebeld
Nimbostratus

Hi,


Actually, I have 2 VS. One is listening on port 80 with an LTM policy to redirect the traffic to the second VS listening on port 443. I'm looking for a solution to prevent the F5 from answering on port 80 to TCP connections coming from a scan tool.


Thanks

6 REPLIES

SanjayP
MVP

You can attach iRule to HTTP VIP to reject the traffic coming from the scanning tool.


Using data-group


    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals scanner_ip] } {
            reject
        } else {
            return
        }
    }

Using IP-address within the iRule


    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals <scannerip>] } {
            reject
        } else {
            return
        }
    }


In this case, how does the F5 know that this is a legitimate request and not a port scan?

Well, you need to explicitly add the IP addresses of the scanning tool to the data group "scannerip" or define them in the iRule itself.
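As an added example (not posted by anyone in this thread), here is the data-group rejection rule and the port 80 to 443 redirect combined into one iRule for the port-80 virtual server; the data-group name scanner_ip is taken from the post above, while the tmsh record syntax in the comment and the logging line are assumptions. One caveat: CLIENT_ACCEPTED only fires after the TCP handshake has completed, so a scanner still sees port 80 as open; the rule tears the connection down with a RST and logs it rather than hiding the port.

```tcl
# Added example, not code from the original thread.
# Assumes an address-type data group named scanner_ip exists, for instance
# (assumed tmsh config syntax, with documentation ranges as constructed values):
#   ltm data-group internal scanner_ip {
#       records {
#           192.0.2.10/32 { }
#           198.51.100.0/24 { }
#       }
#       type ip
#   }
# Attach this iRule to the virtual server listening on port 80.

when CLIENT_ACCEPTED {
    # This event runs after the three-way handshake, so the port has already
    # answered the scanner's SYN. Rejecting here sends a RST and ends the flow
    # before any HTTP is exchanged, which keeps the redirect below from firing.
    if { [class match [IP::client_addr] equals scanner_ip] } {
        log local0. "Rejected listed scanner [IP::client_addr]:[TCP::client_port] on port [TCP::local_port]"
        reject
    }
}

when HTTP_REQUEST {
    # Every other client is sent to the HTTPS virtual server, preserving host and URI.
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
```

Because the match happens on the first event for the connection, unlisted clients pay no extra cost beyond the data-group lookup, and the redirect behaves exactly as the LTM policy did.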

joyride_us
Altostratus

You can redirect the request from port 80 to port 443.

( HTTP::redirect ...)

This way does not prevent the F5 from answering to port scanning.


joyride_us
Altostratus

Sorry. Wrong question.