Bug ID 1003397: DoS TCP SYN-ACK vector with 'suspicious' set to true impacts MD5 AUTH (BGP) functionality

Last Modified: Sep 29, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1

Fixed In:
17.0.0, 16.1.2.2, 15.1.5.1

Opened: Mar 17, 2021
Severity: 3-Major

Symptoms

Using device DoS with TCP SYN ACK Flood vector enabled and 'Only Count Suspicious Events' option enabled breaks connections using TCP MD5 AUTH, including BGP.

Impact

BGP peering is not established/connections failing.

Conditions

Device DoS with TCP SYN ACK Flood vector enabled and 'Only Count Suspicious Events' option enabled

Workaround

Disable 'suspicious' event on the AFM TCP SYN ACK Flood vector. To do so 1. From the GUI go to Security :: DoS Protection :: Device Protection :: Network :: TCP SYN ACK Flood. 2. Ensure that 'Only Count Suspicious Events' is disabled. 3. Save changes by clicking 'Commit Changes to System'.

Fix Information

None

Behavior Change