Bug ID 1003377: Disabling DoS TCP SYN-ACK does not clear suspicious event count option

Last Modified: Sep 29, 2022

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2

Opened: Mar 17, 2021
Severity: 4-Minor

Symptoms

When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.

Impact

The BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.

Conditions

Disabling the TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.

Workaround

Disable the 'Only Count Suspicious Events' option first, and then disable the TCP SYN ACK Flood vector.

Fix Information

None

Behavior Change