Bug ID 900797: Brute Force Protection (BFP) hash table entry cleanup

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 16.0.0, 16.0.0.1

Fixed In:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5

Opened: Apr 17, 2020

Severity: 3-Major

Symptoms

Brute Force Protection (BFP) uses a hash table to store counters of failed logins per source IP address and per username. There is a separate hash table for each virtual server. When a table is full and a new entry needs to be added, the least recently used (LRU) entry is evicted. In that situation, entries that are already in a mitigated state can be the LRU entries and keep getting removed from the hash table to make room for new entries.

Impact

Because mitigated entries keep getting removed from the hash table by new entries, their failed-login counters are lost, and the attack may not be mitigated.

Conditions

There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter. When the parameter is set to 0, the size is determined automatically based on system memory. Otherwise, the parameter is the maximum combined size of all the hash tables, which is divided by the number of virtual servers that have traffic and BFP enabled. In the latter case, with too many virtual servers, the per-virtual-server hash table may reach its maximum capacity.

Workaround

N/A

Fix Information

Mitigated entries are kept in the hash table.
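The following is an added Python model of the behaviour described under Symptoms, Conditions and Fix Information; it is not F5 code and does not reflect ASM internals beyond what this page states. The failed-login threshold, the per-virtual-server capacity arithmetic, the sample IP address and usernames, and the choice to drop a new entry when every existing entry is mitigated are all assumptions made for the example. The pre-fix policy evicts the LRU entry regardless of its state; the fixed policy keeps mitigated entries and evicts the LRU non-mitigated entry instead.

```python
from collections import OrderedDict

# Assumed threshold for this example; the real ASM threshold is configured
# in the brute force policy and is not documented on this page.
FAILED_LOGIN_THRESHOLD = 5


def per_vs_capacity(external_entity_hash_size, active_bfp_vs_count):
    """Per-virtual-server table size as described under Conditions:
    the parameter is the combined maximum, divided by the number of
    virtual servers with traffic and BFP enabled. A value of 0 means
    auto-sizing from system memory, which this model does not cover."""
    if external_entity_hash_size == 0:
        raise ValueError("0 means auto-sized from system memory; not modelled")
    return max(1, external_entity_hash_size // max(1, active_bfp_vs_count))


class BfpHashTable:
    """Per-virtual-server table of failed-login counters keyed by
    ("ip", address) or ("user", name), with LRU eviction when full."""

    def __init__(self, capacity, keep_mitigated):
        self.capacity = capacity
        self.keep_mitigated = keep_mitigated   # False = pre-fix, True = fixed
        self.entries = OrderedDict()           # key -> [count, mitigated]

    def record_failure(self, key):
        """Count one failed login for key; return True if key is mitigated."""
        if key in self.entries:
            self.entries.move_to_end(key)      # touched: most recently used
            entry = self.entries[key]
            entry[0] += 1
            if entry[0] >= FAILED_LOGIN_THRESHOLD:
                entry[1] = True
            return entry[1]
        if len(self.entries) >= self.capacity and not self._evict():
            # Assumption: nothing evictable, so the new entry is not stored.
            return False
        self.entries[key] = [1, False]
        return False

    def _evict(self):
        """Evict one entry. Pre-fix: the LRU entry, whatever its state.
        Fixed: the LRU entry that is not mitigated. Returns False if no
        entry could be evicted."""
        victim = next((k for k, (_, mitigated) in self.entries.items()
                       if not (self.keep_mitigated and mitigated)), None)
        if victim is None:
            return False
        del self.entries[victim]
        return True

    def is_mitigated(self, key):
        entry = self.entries.get(key)
        return bool(entry and entry[1])


def simulate(keep_mitigated, capacity=4):
    """Mitigate one attacker, then flood the table with new usernames.
    Returns whether the attacker is still mitigated afterwards."""
    table = BfpHashTable(capacity, keep_mitigated)
    attacker = ("ip", "203.0.113.7")             # constructed sample address
    for _ in range(FAILED_LOGIN_THRESHOLD):
        table.record_failure(attacker)
    assert table.is_mitigated(attacker)
    # A blocked attacker no longer touches its entry, so it ages toward LRU
    # while new failed logins for other usernames keep arriving.
    for i in range(capacity * 2):
        table.record_failure(("user", f"user{i}"))  # constructed usernames
    return table.is_mitigated(attacker)


if __name__ == "__main__":
    print("pre-fix  attacker still mitigated:", simulate(keep_mitigated=False))
    print("fixed    attacker still mitigated:", simulate(keep_mitigated=True))
    print("per-VS capacity for 1000 split across 10 VSs:", per_vs_capacity(1000, 10))
```

With the pre-fix policy the attacker's entry is the LRU entry as soon as the table fills, so the flood evicts it and its counter restarts from 1 on the next failure; with the fixed policy the flood only cycles through the non-mitigated entries and the attacker remains blocked. The per_vs_capacity helper also makes the Conditions arithmetic concrete: a fixed external_entity_hash_size spread over many BFP-enabled virtual servers leaves each table small, which is what makes the eviction path reachable.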

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips