Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6
Opened: Jul 03, 2023
Severity: 3-Major
Thresholds set by auto-threshold (fully-automatic) are in the range of 10k when the attack is in short bursts and with low PPS.
Due to the high threshold set by auto-threshold, mitigation does not happen during an attack.
Send constant traffic at low PPS (say 9PPS) for a whole week (no stress). mitigation_curr is infinite, as expected, since there is no stress. Force stress to 97%. mitigation_curr is set to 500. Hard short attacks start/stop (15s attacks - =1m no attack). Traffic is dropped according to mitigation_curr. mitigation_curr increases every 5 minutes while the attack on the backend server continues every minute or so. While we had an average of 10PPS for more than a week, during periods of reduced attacks and traffic fluctuating above and below the set threshold, AFM consistently increases the thresholds. This is unexpected, as AFM should not be continuously raising the thresholds. Consequently, there comes a point where AFM permits an excessive amount of traffic, leading to adverse effects on backend servers.
No
None
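A monitoring check for the behaviour described above, as an added example that is not F5 code: it takes periodically sampled (time, observed PPS, mitigation_curr) values and flags a threshold that rises on consecutive updates while the traffic baseline stays low. The tuple layout, the constructed sample data and the `min_steps`/`max_ratio` limits are assumptions; how the values are collected from the device is outside this example.

```python
from statistics import median

# Constructed samples, not device output: (epoch_seconds, observed_pps, mitigation_curr).
# One sample per 5-minute auto-threshold update; the tuple layout is an assumption.
SAMPLES = [
    (0,    9,  500),
    (300,  11, 800),
    (600,  10, 1500),
    (900,  9,  3000),
    (1200, 12, 6000),
    (1500, 10, 10000),
]

def longest_rising_run(values):
    """Return (start, end) indexes of the longest strictly increasing run."""
    best = (0, 0)
    start = 0
    for i in range(1, len(values)):
        if values[i] <= values[i - 1]:
            start = i  # run broken: threshold held or dropped
        if i - start > best[1] - best[0]:
            best = (start, i)
    return best

def detect_threshold_ratchet(samples, min_steps=3, max_ratio=100):
    """Flag a mitigation threshold that keeps rising while baseline PPS stays low.

    min_steps and max_ratio are tuning assumptions, not F5 values.
    """
    if len(samples) < 2:
        return None
    thresholds = [s[2] for s in samples]
    baseline = median(s[1] for s in samples)
    start, end = longest_rising_run(thresholds)
    steps = end - start
    ratio = thresholds[end] / baseline if baseline else float("inf")
    if steps >= min_steps and ratio >= max_ratio:
        return {
            "from": samples[start][0], "to": samples[end][0],
            "steps": steps, "baseline_pps": baseline,
            "threshold": thresholds[end], "ratio": round(ratio, 1),
        }
    return None
```

A threshold that rises together with the observed PPS is not flagged, because the ratio to the baseline stays under `max_ratio`.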