Operational Defect Database

BugZero found this defect 493 days ago.

F5 | 609878

Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server

Last update date:

4/26/2024

Affected products:

BIG-IP

BIG-IP AFM

Affected releases:

13.1.0

13.1.0.1

13.1.0.2

13.1.0.3

13.1.0.4

13.1.0.5

13.1.0.6

13.1.0.7

13.1.0.8

13.1.1

13.1.1.2

13.1.1.3

Fixed releases:

No fixed releases provided.

Description:

Bug ID 609878: Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server

When loose initiation (loose-init) is enabled on a fastL4 profile, the implicit semantics are that every ACK packet can create a connection. An ACK that does not belong to an existing flow is therefore never classified as a "Bad ACK" to be dropped, so the AFM Bad ACK Flood vector never fires. This behavior is expected and by design; anyone enabling the option should be aware of this side effect.

Impact

Enabling loose initiation may make the BIG-IP system more vulnerable to denial of service attacks, because each ACK in a flood can create a flow-table entry and AFM does not detect the flood.

Conditions

This issue is seen when loose-init is enabled on the fastL4 profile and the system is flooded with asymmetric ACK packets (Bad ACKs).

Workaround

When loose-init is set in the fastL4 profile, enable a connection limit on the virtual server and assign an eviction policy, so that the flow table cannot be exhausted.

Fix Information
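As an added example (not part of the F5 bug record or the BugZero page), the tmsh commands below first check which fastL4 profiles have loose initialization enabled and which virtual servers use which profiles, then apply the workaround the record describes: a connection limit on the virtual server plus an eviction policy, so the flow table stays bounded even though AFM will not see a Bad ACK. The profile, virtual server and policy names, the connection limit and the high/low water thresholds are placeholders chosen for illustration; the `ltm eviction-policy` object and the `flow-eviction-policy` virtual-server property belong to the eviction policy feature introduced in BIG-IP 12.x, and the exact property and strategy names are assumed here and should be checked against the tmsh reference for the running version before use.

```tmsh
# Added example, not F5's own procedure. Names and numbers are placeholders;
# verify property and strategy names against the tmsh reference for your version.

# 1. List the loose-initialization setting of every fastL4 profile.
#    Any profile showing "loose-initialization enabled" meets the condition
#    described in Bug ID 609878.
tmsh list ltm profile fastl4 loose-initialization

# 2. Show which profiles each virtual server uses, to map affected
#    fastL4 profiles to the virtual servers that carry them.
tmsh list ltm virtual profiles

# 3. Cap the number of concurrent connections the virtual server will hold.
#    The default of 0 means unlimited; 50000 is a placeholder to size
#    for the real traffic level.
tmsh modify ltm virtual /Common/vs_fastl4_loose connection-limit 50000

# 4. Create an eviction policy that starts evicting flows when the flow table
#    reaches 90% of capacity and stops at 80%, preferring idle and oldest flows.
#    (Strategy names are assumptions to confirm for your version.)
tmsh create ltm eviction-policy /Common/ep_loose_init high-water 90 low-water 80 strategies { bias-idle { } bias-oldest { } }

# 5. Attach the policy to the virtual server so its flows are eligible for eviction.
tmsh modify ltm virtual /Common/vs_fastl4_loose flow-eviction-policy /Common/ep_loose_init

# 6. Confirm both settings took effect and persist the configuration.
tmsh list ltm virtual /Common/vs_fastl4_loose connection-limit flow-eviction-policy
tmsh save sys config
```

Note that this does not make AFM detect or log the flood; it only bounds the damage. Once the connection limit is reached, new flows (legitimate ones included) are refused, and the eviction policy frees entries by dropping existing flows, so the limit and thresholds must be sized against normal peak load rather than copied from the placeholders above. If loose initialization is not actually required for the application (for example, asymmetric routing), disabling it restores AFM's Bad ACK Flood detection for that virtual server.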

Additional Resources / Links


Status

Accepted
