Unused ports respond to port scan

I'm pretty sure TCP RFCs dictate that LTM or any host send an ACK of the previous packet and a RST if the port isn't in a listening state. I'm not sure if this is configurable within the internal database. I didn't see any keys which looked related in a quick search of the database (b db list|less -i).

 

 

You could potentially define packet filters (Click here) to drop packets to undefined ports. That would probably get fairly tedious to configure though. Or you could do this on an upstream firewall.

 

 

Aaron

I'd suggest configuring this in an upstream fiirewall.

 

 

I haven't delved into the RFC's on this, but WinXP and Linux 2.6 both answer with a RST ACK when a client makes a request to a configured IP on a port which isn't in a listening state:

 

 

$ tshark -nr winxp_rst_ack.dmp

 

1 0.000000 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237

 

2 0.000045 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

 

3 0.569805 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237

 

4 0.569852 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

 

5 1.174020 1.1.1.1 -> 2.2.2.2 TCP 1262 > 10000 [SYN] Seq=0 Win=64240 Len=0 MSS=1237

 

6 1.174071 2.2.2.2 -> 1.1.1.1 TCP 10000 > 1262 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

 

 

tcpdump -ni eth0 tcp port 10000

 

17:33:48.237046 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512

 

17:33:48.237052 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 844152136 win 0

 

17:33:48.597120 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512

 

17:33:48.597125 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 1 win 0

 

17:33:49.143940 IP 2.2.2.2.4776 > 3.3.3.3.10000: S 844152135:844152135(0) win 64512

 

17:33:49.143947 IP 3.3.3.3.10000 > 2.2.2.2.4776: R 0:0(0) ack 1 win 0

 

uname -a

 

Linux devserver 2.6.22-14-server 1 SMP Tue Feb 12 08:27:05 UTC 2008 i686 GNU/Linux

 

 

Aaron