Last Modified: Jul 01, 2026
Affected Product(s):
BIG-IP (all modules)
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.1.3.1, 17.1.3.2
Opened: Aug 06, 2025 Severity: 5-Cosmetic
When a DNS DoS attack is detected through a dynamically generated signature (family: DNS), AFM logs the event as a 'NETWORK DoS attack' instead of a 'DNS DoS attack.' This behaviour may mislead administrators and operational teams monitoring DoS activity, causing confusion in triaging and reporting. The issue occurs only when dynamic signatures are enabled in the DoS profile's DNS protocol settings, while static DNS vectors are correctly logged as 'DNS.'
The customer reported that DNS dynamic signatures being logged as 'A NETWORK <profile_name> DOS attack' is confusing and misleading. Addressing this issue will resolve the inaccurate and misleading information.
BIG-IP AFM DoS profile with the DNS protocol enabled and dynamic signature detection turned on. 1. A DNS DoS attack triggers the creation and enforcement of a dynamic DNS family signature. 2. Observed in BIG-IP version 17.1.2.2. 3. The fix is included in version 21.x and will be backported to other branches as well. 4. The issue does not occur when dynamic signatures are turned off (static signatures are logged correctly).
Logs now display accurate information, such as 'DNS <profile_name> DoS attack. eg: May 14 01:26:06 nac-bigip.openstack.internal err tmm[11353]: 01010252:3: A DNS /Common/vs2_nac DOS attack start was detected for vector /Common/dos-common/Sig_98722_1_1778690337, Attack ID 4150263771.
None