Forum Discussion

Jacqueline_Tadr
Jun 07, 2021

nmap port scanner shows open ports when destination is to a VS on the front end

Our security team runs scans for vulnerabilities, and they do them from the public internet.

It was noticed that, depending on the image, the BIG-IP does respond differently, but for all images the nmap scan returns all scanned ports as open.

I've seen responses about similar scans, but from the inside. I noticed that on our most recent image, the packets from the scans don't reach the front-end interface of the BIG-IP for this specific VS. Instead it receives only an ACK, then on the next packet it receives an RST.

Trying to figure out why the responses changed from the earlier image, and why the latest image upgrade recommended by F5 shows the same issue when open ports are scanned from the public Internet.

Kindly advise.

1 Reply

1. Check the destination ports of your virtual servers, as they can be listening on all ports:
   https://support.f5.com/csp/article/K6018

2. Also, if the F5 VIP is configured with "Loose Initiation and Loose Close", this means that any client packet is accepted without a 3-way handshake:
   https://support.f5.com/csp/article/K13558

3. You mention RST. To see if the F5 is returning the RST, enable the special logging (https://support.f5.com/csp/article/K13223), and you may do an nnnp tcpdump (https://support.f5.com/csp/article/K13637). Also check that nmap is not triggering SYN cookie protection: https://support.f5.com/csp/article/K74451051#syn-cookie-status
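As an added example (not from the original thread or from F5), a small Python audit that applies checks 1 and 2 above to saved tmsh output: it flags virtual servers whose destination port is the wildcard (port 0 / any) and those attached to a fastL4 profile with loose-initialization enabled, the two settings that make every scanned port look open to an external nmap. The sample config text, object names, addresses and the regex-based parsing are assumptions.

```python
import re

# Constructed sample modelled on 'tmsh list ltm virtual' and
# 'tmsh list ltm profile fastl4' output (names and addresses are made up).
SAMPLE_CONFIG = """\
ltm virtual /Common/vs_all_ports {
    destination /Common/203.0.113.10:any
    profiles {
        /Common/fastL4_loose { }
    }
}
ltm virtual /Common/vs_https {
    destination /Common/203.0.113.11:443
    profiles {
        /Common/tcp { }
    }
}
ltm profile fastl4 /Common/fastL4_loose {
    loose-close enabled
    loose-initialization enabled
}
"""

# Each object runs from its header line to the first '}' in column 0.
VS_RE = re.compile(r"^ltm virtual (\S+) \{(.*?)^\}", re.S | re.M)
FASTL4_RE = re.compile(r"^ltm profile fastl4 (\S+) \{(.*?)^\}", re.S | re.M)
DEST_RE = re.compile(r"destination\s+\S+:(\w+)")  # IPv4 'addr:port' form only

def loose_profiles(config):
    """fastL4 profiles that accept client packets without a 3-way handshake."""
    return {name for name, body in FASTL4_RE.findall(config)
            if re.search(r"loose-initialization\s+enabled", body)}

def audit_virtuals(config):
    """Return {virtual server: [reasons it answers ports that are not really open]}."""
    loose = loose_profiles(config)
    findings = {}
    for name, body in VS_RE.findall(config):
        reasons = []
        dest = DEST_RE.search(body)
        if dest and dest.group(1) in ("any", "0"):
            reasons.append("wildcard destination port: every scanned port is answered")
        for prof in sorted(loose):
            if prof + " {" in body:  # profile referenced in the VS profiles block
                reasons.append("fastL4 profile %s has loose-initialization enabled" % prof)
        if reasons:
            findings[name] = reasons
    return findings
```

Feed the function the combined text of both tmsh list commands; a VS that appears in the result explains an "all ports open" scan without any real service listening behind it.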