Forum Discussion

1 Reply

  • Hi Bago,

    If you want the attacker to become pissed, then respond on each single TCP-connect with an HTTP 200 OK including IIS6.0 Server-Banners. This procedure will confuse his automated tools so that the attacker will a.) require a decent time to rule out all the false positives or b.) very soon look for easier targets...

    Well, the more serious answer is to just drop the unwanted TCP sessions via the [drop] command or add some tarpits via [after 3000] before [drop]'ing the connection to slow down his port scanner. But the latter approach may consume some additional resources on your device...

    Note: Keep in mind that a Virtual Server will perform the full 3-way handshake before you can [drop] the connection. Putting a network firewall in front of your Virtual Servers will allow you to [drop] even the initial 3-way handshake...

    Cheers, Kai