Last Modified: May 29, 2024
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6
Fixed In:
15.0.0, 14.1.2.7
Opened: Jan 16, 2019
Severity: 3-Major
Symptoms:
A UDP DNS packet may incorrectly match a BDoS signature if the packet was queued by the ingress shaper. In the worst case, this incorrect signature match might drop the packet.
Impact:
When the queued packet is later picked up for further processing, it may incorrectly match a BDoS signature that it would not have matched had it not been queued. A UDP DNS packet may match an incorrect signature and thus might be incorrectly dropped by the BIG-IP system.
Conditions:
AFM is enabled and receives multiple (back-to-back-to-back) UDP DNS packets, which (due to the ingress shaper) might cause some of the packets to be queued in the same data path thread.
Workaround:
None.
Fix Information:
UDP DNS packets never match an incorrect BDoS signature, even if such packets are queued due to the ingress shaper.