
BIG IP 13.X How to prevent an answer on port scanning

Egrebeld (Nimbostratus)

Hi,

Actually, I have 2 VS. One is listening on port 80 with an LTM policy to redirect the traffic to the second VS listening on port 443. I'm looking for a solution to prevent the F5 from answering on port 80 to TCP connections coming from a scan tool.

Thanks


SanjayP (MVP)

You can attach an iRule to the HTTP VIP to reject the traffic coming from the scanning tool.

Using a data group:

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals scanner_ip] } {
        reject
    } else {
        return
    }
}

Using an IP address within the iRule:

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals <scannerip>] } {
        reject
    } else {
        return
    }
}

In this case, how does the F5 know that this is a legitimate request and not a port scan?

Well, you need to explicitly add the IP addresses of the scanning tool to the data group "scannerip" or define them in the iRule itself.
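The data-group variant from the answer above, as an added example that is not code from this thread, extended with logging so that rejected connections show up in /var/log/ltm. The data-group name scanner_ip, the virtual server name vs_http and the client addresses are assumed placeholders (the addresses come from the 198.51.100.0/24 documentation range).

```tcl
# Added example, not from the thread. Assumes an ip-type data group named
# "scanner_ip" and a port-80 virtual server named "vs_http" (placeholder names).
#
# Create the data group and attach this iRule from tmsh (constructed addresses):
#   tmsh create ltm data-group internal scanner_ip type ip \
#        records add { 198.51.100.10/32 { } 198.51.100.0/28 { } }
#   (save this file as an iRule named reject_scanner, then)
#   tmsh modify ltm virtual vs_http rules { reject_scanner }
#
# Caveat: the F5 cannot tell a scanner from a legitimate client by itself. Only
# addresses listed in the data group are rejected; every other client still gets
# the normal TCP handshake and the redirect to port 443.

when CLIENT_ACCEPTED {
    # class match handles both single-host and CIDR entries of an ip data group
    if { [class match [IP::client_addr] equals scanner_ip] } {
        # Record the rejected connection in /var/log/ltm for detection purposes
        log local0. "Rejected port-80 connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] (listed in scanner_ip)"
        reject
    }
}
```

Because CLIENT_ACCEPTED fires only after the three-way handshake has completed, a listed address still sees port 80 as open during a SYN scan; the iRule resets the connection rather than hiding the listener.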

joyride_us (Altostratus)

You can redirect the request from port 80 to port 443.

( HTTP::redirect ...)

This way does not prevent the F5 from answering port scans.

joyride_us (Altostratus)

Sorry. Wrong question.