BIG IP 13.X How to prevent an answer on port scanning

Egrebeld · ‎20-Apr-2021

Hi,

Actually, I have one 2 VS. One listening on port 80 with an LTM policy to redirect the traffic on the second VS listening on port 443. I'm looking for a solution to prevent the F5 to answer on port 80 to tcp connexion coming from a scan tool.

Thanks

SanjayP · ‎20-Apr-2021

You can attach iRule to HTTP VIP to reject the traffic coming from the scanning tool.

Using data-group

when CLIENT_ACCEPTED {
 if { [class match [IP::client_addr] equals scanner_ip] } {
     reject
       } else {
	 return  
	   }
    }

Using IP-address within the iRule

when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals <scannerip> ] } {
     reject
       } else {
	 return  
	   }
    }

Egrebeld · ‎22-Apr-2021

In this case, how the F5 knows that this a legitimate request and not a port scan ?

SanjayP · ‎22-Apr-2021

well, you need to explicitly add IP addresses of scanning tool in the data group "scannerip" or define in the iRule itself.

joyride_us · ‎20-Apr-2021

You can redirect the request from port 80 to port 443.

( HTTP::redirect ...)

Egrebeld · ‎22-Apr-2021

This way do not prevent the F5 to answer on port scanning

joyride_us · ‎22-Apr-2021

Sorry. Wrong question.

DevCentral

BIG IP 13.X How to prevent an answer on port scanning

Register For AppWorld 2024

DevCentral Podcasts