Forum Discussion

jomedusa
Aug 10, 2020

How to trigger an alert when a specific number of connections are attempted to VIP on a port that isn't provisioned.

I have read the following KB support.f5.com/csp/article/K14813, and didn't know if there was a way to trigger an alert when something is generating traffic on a non-configured port to a VIP. We currently have a VIP that answers on all ports but are working to restrict it to specific ports, and would like to have evidence or alerts if a port scan or DDOS event is occurring. Is there a way to monitor the tm.maxrejectrate value for a specific VIP and trigger some type of alert when it drops to a specific value?

When the number of packets that match a virtual IP address or a self IP address exceeds the tm.maxrejectrate threshold, but the packets specify an invalid port, the system stops sending RST packets in response to the unmatched packets and logs an error message to the /var/log/ltm file that appears similar to the following example:

011e0001:4: Limiting closed port RST response from 299 to 250 packets/sec

Does this log entry reflect the "client" address as well as the VIP/port that the connection was attempting?

Thanks,

Joe

1 Reply

> Does this log entry reflect the "client" address as well as the VIP/port that the connection was attempting?

No - tm.maxrejectrate is a global limit across all tmms. If HTSplit is enabled, tm.maxrejectrate is doubled.

K13151: Configuring the rate at which the BIG-IP system issues TCP RSTs or ICMP unreachable packets

> Note: Due to the way the HTSplit feature dedicates and prioritizes resources when enabled, the value configured for the tm.maxrejectrate key is doubled on platforms with Hyper-Threading (HT) Technology. If the value of the tm.maxrejectrate key is set to 250, log messages indicate responses are limited to 500 packets/sec.

> We currently have a VIP that answers on all ports but are working to restrict to specific ports, but would like to have evidence or alerts if a port scan or DDOS event is occurring.

You would need an iRule that records requests to non-active ports and places the source IP and scanned ports into a subtable, to track whether that IP is probing multiple ports within a specified time period.

Or use AFM, which almost certainly has the requisite DoS/DDoS functionality, as well as port access lists for restricting access and logging rules if required.
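One shape the subtable-based iRule described in the reply could take, added here as an example rather than the answerer's or F5's code. It assumes a wildcard (port 0) virtual with a TCP profile, that 80 and 443 are the provisioned ports, and that five distinct unprovisioned ports from one source inside 60 seconds counts as a probable scan; the alert is written to /var/log/ltm through the local0 facility.

```tcl
# Added example: track per-source probing of unprovisioned ports in a session
# subtable and log one alert per source per window. Thresholds are assumptions.
when CLIENT_ACCEPTED {
    # Ports this VIP is meant to serve (assumed for the example).
    set allowed_ports {80 443}
    set dport [TCP::local_port]
    if { [lsearch -exact $allowed_ports $dport] != -1 } {
        return
    }

    set src [IP::client_addr]
    set vip [IP::local_addr]

    # One subtable per source address; each key is a probed port that
    # expires 60 seconds after it was last seen.
    table set -subtable "scan_$src" $dport 1 60
    set ports_hit [table keys -subtable "scan_$src" -count]

    if { $ports_hit >= 5 } {
        # Suppress repeat alerts for the same source for 60 seconds so a
        # sustained scan does not flood the log.
        if { [table lookup "scan_alerted_$src"] eq "" } {
            table set "scan_alerted_$src" 1 60
            log local0.warning "Possible port scan: $src reached $ports_hit unprovisioned ports on $vip within 60s (latest port $dport)"
        }
    }

    # Close the connection on the unprovisioned port; use drop instead of
    # reject if you would rather not answer probes with a RST at all.
    reject
}
```

The logged line carries the client address, the VIP and the probed port that the asker found missing from the tm.maxrejectrate message, so it can be picked up by whatever syslog forwarding or alerting already watches /var/log/ltm.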