Bug ID 1012581: Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2

Fixed In:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5

Opened: Apr 20, 2021

Severity: 3-Major

Symptoms

As soon as global syncookie enabled stats counts starts decrementing and when attack_detection_common callback function calls, the stats range is always under the configured packets per-second threshold, resulting in some tmms not being able to detect the attack but syncookies are already enabled on these tmms, and no statistics are gathered.

Impact

SYN cookies may still be sent after traffic goes below the attack detection threshold.

Conditions

A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Workaround

Restart tmm

Fix Information

Now, global syncookie state changing from full-hardware to non-activated when attack ends.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips