Bug ID 748176: BDoS Signature can wrongly match a DNS packet

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Fixed In:
15.0.0, 14.1.0.2

Opened: Oct 29, 2018

Severity: 3-Major

Symptoms

When the BDoS feature is used for the DNS protocol, and there are auto-generated DNS signatures or manually configured custom DNS signatures, a valid DNS request is at times dropped because it wrongly matches the configured or dynamically generated DNS signature. This happens when the box is under load and BDoS mitigation is ongoing.

Impact

When the box is under load, the configured DNS signature enters Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.

Conditions

A DNS signature is configured, or a dynamically generated DNS signature exists. Such a signature is found to match a DNS packet wrongly, even though the signature's match criteria differ from the matched DNS packet.

Workaround

Disable BDoS for the DNS protocol. Also, do not use manually configured DNS signatures.

Fix Information

The parsed DNS information was cached and wrongly re-used as a performance optimization; this has been corrected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips