Last Modified: Jul 12, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1
Opened: Mar 07, 2025 Severity: 3-Major
On a vCMP guest, if a virtual server enters hardware syncookie mode due to a SYN flood while it is also passing a significant amount of valid traffic, it may not exit syncookie mode.
Syncookies may continue to be issued even though the attack has stopped.
-- vCMP guest
-- Hardware syncookie mode
Remove traffic from the virtual server until syncookies deactivate. This can be accomplished by using a CLI transaction to alter the first virtual server and create an identical new virtual server in a single operation.

Example: assume my_vs1 is the existing virtual server listening on port 80.

    tmsh
    create /cli transaction
    modify ltm virtual my_vs1 destination 10.10.10.16:8888 disabled
    create ltm virtual my_vs2 destination 10.10.10.16:80 pool pool1 profiles add { fastL4 http } source-address-translation { type automap }
    submit /cli transaction

Note the change of port and the disabling of my_vs1. In one operation this modifies the first virtual server so that it is disabled and listens on a different port, and creates a new one on the original port. Changing the port is necessary because two virtual servers cannot listen on the same destination address and port, so the second virtual server could not otherwise be created.
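The following shell function is an added example and is not part of the F5 bug entry. It generates the tmsh transaction from the workaround above as text to paste into a tmsh session on the BIG-IP (tmsh itself is not invoked), and it refuses to proceed when the temporary port equals the original port, since the new virtual server could not then be created. The function name and its parameters are this example's own; the virtual server names, address, ports and pool in the usage line mirror the workaround's placeholders.

```shell
# Added example (not F5 code): build the tmsh CLI transaction that moves an
# existing virtual server to a temporary port in the disabled state and
# recreates it under a new name on the original port. Output is intended to
# be pasted into a tmsh session; nothing is executed here.
build_syncookie_workaround() {
    # $1 existing virtual server, $2 new virtual server name, $3 destination IP,
    # $4 original port, $5 temporary port for the old server, $6 pool name
    old_vs=$1; new_vs=$2; dest=$3; port=$4; tmp_port=$5; pool=$6

    # Two virtual servers cannot share the same destination:port, so the
    # temporary port must differ or the create step in the transaction fails.
    if [ "$port" = "$tmp_port" ]; then
        echo "temporary port must differ from the original port ($port)" >&2
        return 1
    fi

    printf '%s\n' \
        "create /cli transaction" \
        "modify ltm virtual ${old_vs} destination ${dest}:${tmp_port} disabled" \
        "create ltm virtual ${new_vs} destination ${dest}:${port} pool ${pool} profiles add { fastL4 http } source-address-translation { type automap }" \
        "submit /cli transaction"
}

# Usage with the placeholders from the workaround above.
build_syncookie_workaround my_vs1 my_vs2 10.10.10.16 80 8888 pool1
```

Once the transaction has been submitted and syncookies have deactivated on the old virtual server, the usual next step is to reverse the change (re-enable the original, or retire it) so that configuration does not drift.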
None