Last Modified: Nov 11, 2024
Affected Product(s):
BIG-IP AFM
Fixed In:
17.1.0, 16.1.5, 15.1.6.1
Opened: Jan 24, 2022 Severity: 3-Major
When the TCP_HALF_OPEN vector is configured and both good and bad traffic are received, the HW syncookie status remains full-hardware even after the attack stops.
AFM does not exit the attack_detected state, and syncookies continue to be generated for good traffic after the attack subsides.
1. AFM is enabled.
2. The TCP_HALF_OPEN vector is configured on the device and on the virtual server.
3. The received traffic contains both good packets (client traffic) and bad packets (attack traffic).
4. The issue is seen on hardware platforms.
5. More than one TMM is configured.
None
This behavior is observed while good traffic is actively running, hardware per-VIP syncookies are triggered by a SYN attack, and some arbitrary time later the SYN attack stops. The expectation is that hardware should no longer be doing syncookies after the attack has stopped. However, since the good traffic is still running, the SYN cookie entry remains in the flow cache until it is evicted by an eviction snoop, and that eviction process is never initiated until the TCP_HALF_OPEN attack is no longer detected by AFM.

The root cause is that stats->int_drops is not decremented by the right value upon receiving a valid syncookie ACK: it should be decremented by the total number of active TMMs, not by 1. Correcting the decrement allows for a better badsyn rate calculation, so AFM can appropriately exit the "attack_detected" state for the TCP_HALF_OPEN vector once the attack stops.
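To illustrate the accounting error described above, the following is an added model written for this article; it is not F5 code and does not come from the page. It assumes, hypothetically, that a hardware SYN drop is accounted once per active TMM, that the counter is reset at each rate-evaluation interval, and that any residual drops keep the vector in attack_detected; the names int_drops, num_tmms and attack_detected are taken from the description, everything else is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the drop accounting behind the badsyn rate. */
typedef struct {
    int64_t int_drops;      /* counter the badsyn rate is derived from */
    int num_tmms;           /* active TMMs */
    bool attack_detected;
} afm_stats_t;

/* Assumption: one hardware SYN drop is accounted once per active TMM. */
static void on_hw_syn_drop(afm_stats_t *s) { s->int_drops += s->num_tmms; }

/* A valid syncookie ACK proves the earlier drop was good traffic, so the
 * drop must be taken back. 'fixed' selects the corrected decrement
 * (num_tmms); the buggy code took back only 1. */
static void on_valid_cookie_ack(afm_stats_t *s, bool fixed) {
    s->int_drops -= fixed ? s->num_tmms : 1;
    if (s->int_drops < 0) s->int_drops = 0;
}

/* Assumption: the rate is evaluated per interval; any residual drops keep
 * attack_detected set, and the counter restarts for the next interval. */
static void evaluate_interval(afm_stats_t *s) {
    s->attack_detected = s->int_drops > 0;
    s->int_drops = 0;
}

/* Run three intervals of attack plus good traffic, then three intervals of
 * good traffic only. Returns whether attack_detected is still set. */
static bool still_detected_after_attack(int num_tmms, int good_per_interval,
                                        int bad_per_interval, bool fixed) {
    afm_stats_t s = { 0, num_tmms, false };
    for (int i = 0; i < 6; i++) {
        int bad = (i < 3) ? bad_per_interval : 0;   /* attack stops at i == 3 */
        for (int b = 0; b < bad; b++) on_hw_syn_drop(&s);
        for (int g = 0; g < good_per_interval; g++) {
            on_hw_syn_drop(&s);             /* HW answers the good SYN with a cookie */
            on_valid_cookie_ack(&s, fixed); /* client completes the handshake */
        }
        evaluate_interval(&s);
    }
    return s.attack_detected;
}

int main(void) {
    printf("4 TMMs, buggy decrement: still detected = %d\n", still_detected_after_attack(4, 10, 100, false));
    printf("4 TMMs, fixed decrement: still detected = %d\n", still_detected_after_attack(4, 10, 100, true));
    return 0;
}
```

With one TMM the two decrements coincide and the state exits either way, which matches the condition that more than one TMM must be configured for the issue to appear.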