Bug ID 1003377: Disabling DoS TCP SYN-ACK does not clear suspicious event count option

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5

Fixed In:
16.1.4, 15.1.9

Opened: Mar 17, 2021

Severity: 4-Minor

Symptoms

When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.

Impact

BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.

Conditions

Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.

Workaround

Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips