Bug ID 2009681: Bad actor rate does not work as expected for NXDOMAIN DoS vector

Last Modified: Mar 10, 2026

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
17.1.2.2, 17.1.3, 17.1.3.1

Opened: Aug 05, 2025

Severity: 4-Minor

Symptoms

The Bad Actor (BA) statistics rate (ba_stats_rate) does not accurately reflect the actual traffic rate for NXDOMAIN and other DoS vectors.

Impact

Stats are shown incorrectly but AFM does detect when the threshold has been exceeded. In v17.5.x, the following vectors are associated with the BA behavior:

No L4
TTL <= <tunable>
IP Option Frames
Unknown Option Type
Too Many Extension Headers
IPv6 Extension Header Too Large
No L4 (Extension Headers Go To Or Past The End of Frame)
IPv6 Hop Count <= <tunable>
IPv6 Extended Header Frames
Option Present With Illegal Length
Unknown TCP Option Type
TCP Option Overruns TCP Header
TCP Flags - Bad URG
IP Fragment Flood
IGMP Flood
Routing Header Type 0
IPv6 Fragment Flood
IGMP Fragment Flood
TCP SYN Flood
TCP SYN ACK Flood
TCP RST Flood
TCP Window Size
ICMPv4 Flood
ICMPv6 Flood
UDP Flood
TCP SYN Oversize
TCP ACK (TS)
TCP Flags Uncommon
TCP ACK Flood
IPv6 Atomic Fragment
ICMP Fragment
IP Fragment Error
IP Fragment Overlap
Host Unreachable
IP Uncommon Proto
TIDCMP
Non TCP connection
No Listener Match
DNS Oversize
DNS Response Flood
DNS Any Query
DNS A Query
DNS PTR Query
DNS NS Query
DNS SOA Query
DNS CNAME Query
DNS MX Query
DNS AAAA Query
DNS TXT Query
DNS SRV Query
DNS AXFR Query
DNS IXFR Query
DNS OTHER Query
DNS NXDOMAIN Query
SIP URI Limit
SIP INVITE Method
SIP ACK Method
SIP OPTIONS Method
SIP BYE Method
SIP CANCEL Method
SIP REGISTER Method
SIP PUBLISH Method
SIP NOTIFY Method
SIP SUBSCRIBE Method
SIP MESSAGE Method
SIP PRACK Method
SIP OTHER Method

Conditions

The issue occurs during an NXDOMAIN DoS attack simulation on AFM with Bad Actor detection enabled.

Workaround

None

Fix Information

None

Behavior Change
