Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5
Fixed In:
17.0.0, 16.1.4, 14.1.4.6
Opened: Dec 23, 2021
Severity: 3-Major
The SYN Cookies Status of a virtual server shows 'full-hardware', but the 'Total Software' counter of software SYN Cookies continues to increment together with the 'Total Hardware' SYN Cookie counter during a SYN flood attack.
A portion of the SYN flood attack is handled in software, which might have some performance impact.
On platforms with multiple HSB modules, each TMM connects to only one of the modules. Whether this applies depends on the platform, the BIG-IP version and the selected turboflex profile. The simplest way to check is to look at the epva_flowstat tmstat table. If there is only one row per TMM and there is more than one distinct mod_id value, then the device is affected. For example:

    $ tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat
    tmm mod_id pdenum slot_id
    --- ------ ------ -------
      0      1      0       0
      1      1      8       0
      2      2      0       0
      3      2      8       0
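The epva_flowstat check described above, written as a shell function that reads the tmctl table on stdin. This is an added example, not F5 code; the function and sample names are hypothetical, and the second sample table is constructed on the assumption that an unaffected device lists more than one row per TMM.

```shell
#!/bin/sh
# Classify `tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat` output read on stdin.
# Prints one of: affected | not-affected | no-data
check_epva_flowstat() {
    awk '
        # Keep only data rows (numeric tmm and mod_id); this skips the
        # shell prompt line, the column header and the dashed separator.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            rows[$1]++                                  # rows seen for this TMM
            if (!($2 in mods)) { mods[$2] = 1; nmods++ } # count distinct mod_id values
            total++
        }
        END {
            if (total == 0) { print "no-data"; exit }
            single = 1
            for (t in rows) if (rows[t] != 1) single = 0
            # Condition from the page: one row per TMM AND more than one distinct mod_id.
            verdict = (single && nmods > 1) ? "affected" : "not-affected"
            print verdict
        }
    '
}

# Table quoted on this page (one row per TMM, mod_id 1 and 2).
sample_from_page() {
cat <<'EOF'
$ tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat
tmm mod_id pdenum slot_id
--- ------ ------ -------
0 1 0 0
1 1 8 0
2 2 0 0
3 2 8 0
EOF
}

# Constructed sample (assumption): every TMM has a row for each module.
sample_constructed() {
cat <<'EOF'
tmm mod_id pdenum slot_id
--- ------ ------ -------
0 1 0 0
0 2 0 0
1 1 8 0
1 2 8 0
EOF
}

sample_from_page   | check_epva_flowstat
sample_constructed | check_epva_flowstat
```

On a BIG-IP, pipe the live table into it: `tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat | check_epva_flowstat`.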
N/A
All TMMs now correctly enter hardware SYN Cookie mode.