Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP ASM, AVR
Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6
Opened: Dec 13, 2021 Severity: 4-Minor
Missing attack information on AVR's DoS Visibility reports. DoSl7 and AVRD logs generate the following messages: ===================================== var/log/dosl7/dosl7d.log ===================================== DOSL7D_ARB|NOTICE|Jul 29 19:39:30.270|16896|dosl7d_anomaly_engine.cpp:5574|>>>>>>>>> ARBITRATOR: DOS TPS ATTACK START on vs /Common/www.myapp.org.app/www.myapp.org_vs profile /Common/dos attack id 3099595165 <<<<<<<<< DOSL7D_ARB|NOTICE|Jul 29 19:43:23.443|16896|dosl7d_anomaly_engine.cpp:5627|>>>>>>>>> ARBITRATOR: END ATTACK on vs /Common/www.myapp.org.app/www.myapp.org_vs profile /Common/dos reason: no more relevant suspicious entities attack id 3099595165 <<<<<<<<< ===================================== /var/log/avr/avrd.log ===================================== DOS_VISIBILITY|NOTICE|Jul 29 19:39:40.000|27479|lib/avrpublisher/infrastructure/dos_visibility_manager.cpp:0464| Read new event from queue: module=1(HTTP), status=1(Attack Started), attack_id=3099595165, attack_vector=120(Application Layer), attack_trigger=3(Source IP Volumetric TPS), mitigation=4(Client Side), dos_profile_name=/Common/dos, avr_internal_vip_id=6, time_stamp=1722307170, bados_attack_vector=<NULL> DOS_VISIBILITY|NOTICE|Jul 29 19:39:40.000|27479|lib/avrpublisher/infrastructure/dos_visibility_manager.cpp:0546| Received event about attack 3099595165 while VIP /Common/www.myapp.org.app/www.myapp.org_vs no longer exist (probably deleted). Will mark/already marked this attack as ended DOS_VISIBILITY|WARNING|Jul 29 19:39:40.108|27477|lib/avrpublisher/infrastructure/dos_visibility_manager.cpp:1208| (skipped 14 msgs) Trying to update statistics on attack ID 3099595165 but such attack is not present in our map.Throwing away this update DOS_VISIBILITY|WARNING|Jul 29 19:39:50.056|27477|lib/avrpublisher/infrastructure/dos_visibility_manager.cpp:1208| Trying to update statistics on attack ID 3099595165 but such attack is not present in our map.Throwing away this update DOS_VISIBILITY|WARNING|Jul 29 19:40:00.108|27477|lib/avrpublisher/infrastructure/dos_visibility_manager.cpp:1208| Trying to update statistics on attack ID 3099595165 but such attack is not present in our map.Throwing away this update DOS_VISIBILITY|WARNING|Jul 29 19:40:10.108|27477|lib/avrpublisher/infrastructure/dos_visibility_manager.cpp:1208| Trying to update statistics on attack ID 3099595165 but such attack is not present in our map.Throwing away this update DOS_VISIBILITY|WARNING|Jul 29 19:40:20.115|27477|lib/avrpublisher/infrastructure/dos_visibility_manager.cpp:1208| Trying to update statistics on attack ID 3099595165 but such attack is not present in our map.Throwing away this update D
No DoS events appear on DoS Dashboard.
Not yet known.
1. Make spurious change in the VIP appears under dosl7 or avrd logs, such as adding arbitary text to the "Description" fields of the VIP (Local Traffic > Virtual Server > Affected VIP > Description) 2. Restart AVRD service - bigstart restart avrd 3. Wait for 300 seconds for the change to take effect. 4. Now, when a new DoS event appears under Security > Event log > DoS, click on the attack-id 5. It should now populate data on DoS Dashboard.
None