Last Modified: Mar 25, 2025
Affected Product(s):
BIG-IP Install/Upgrade, TMOS
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.5.0
Opened: Jun 14, 2024 Severity: 3-Major
After an upgrade from v15 or v16 to v17.1, you may encounter service outages caused by low thresholds for the TCP ACK (TS) DoS vector.
These low thresholds trigger frequent DoS attack detections, leading to disruptions in service.
The upgrade process retains old threshold values (Detection EPS Threshold: 200, Mitigation EPS Threshold: 100), which are too low compared to the new defaults.
Change the thresholds to the new defaults or to any reasonable values. For example:
# tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts {default-internal-rate-limit 300000 detection-threshold-pps 200000}}
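A post-upgrade check for the retained values, as an added example that is not F5's own code: it reads tmsh-style configuration text on stdin and reports whether the tcp-ack-ts vector is still at or below the old thresholds. Assumptions: the vector appears as a `tcp-ack-ts { ... }` stanza using the two keys from the workaround command, the "Mitigation EPS Threshold" corresponds to `default-internal-rate-limit`, and the sample text is constructed.

```shell
#!/usr/bin/env bash
# Added example (not F5 code): flag a tcp-ack-ts vector that still carries the
# thresholds retained from v15/v16. Input format and key mapping are assumptions.

OLD_DETECT=200   # retained Detection EPS Threshold named in the bug description
OLD_LIMIT=100    # retained Mitigation EPS Threshold named in the bug description

# Constructed sample of a device DoS stanza with the retained values.
SAMPLE_RETAINED='security dos device-config dos-device-config {
    dos-device-vector {
        tcp-ack-ts {
            default-internal-rate-limit 100
            detection-threshold-pps 200
        }
    }
}'

# Reads config text on stdin; prints "detect=<n> limit=<n> status=<LOW|OK|MISSING>".
# Only the first tcp-ack-ts stanza is examined.
check_tcp_ack_ts() {
  awk -v od="$OLD_DETECT" -v ol="$OLD_LIMIT" '
    # Non-numeric values are treated as not low (assumption).
    function low(v, old) { return (v ~ /^[0-9]+$/ && v + 0 <= old + 0) }
    {
      gsub(/[{}]/, " & ")          # make braces separate tokens, e.g. "{key" -> "{ key"
      for (i = 1; i <= NF; i++) {
        if (done) break
        if (!in_vec) {
          if ($i == "tcp-ack-ts" && $(i + 1) == "{") in_vec = 1
          continue
        }
        if ($i == "{") depth++
        else if ($i == "}") { if (--depth == 0) { in_vec = 0; done = 1 } }
        else if ($i == "detection-threshold-pps") detect = $(i + 1)
        else if ($i == "default-internal-rate-limit") limit = $(i + 1)
      }
    }
    END {
      if (detect == "" || limit == "") status = "MISSING"
      else if (low(detect, od) || low(limit, ol)) status = "LOW"
      else status = "OK"
      printf "detect=%s limit=%s status=%s\n", detect, limit, status
    }'
}

printf '%s\n' "$SAMPLE_RETAINED" | check_tcp_ack_ts
```

A `LOW` result means the vector is at or below the retained 200/100 values; `OK` only means it is above them, not that the values suit the traffic on a given device.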
None