Last Modified: Feb 03, 2026
Affected Product(s):
BIG-IP AFM
Fixed In:
17.5.1.4
Opened: Sep 24, 2025 Severity: 3-Major
Symptoms:
-- Packets containing IP options (RR, LSR, SSR) are dropped when the IP Option Frames DoS vector rate limit is set to 0.
-- No audit logs are generated for these dropped packets unless attack detection is triggered.
-- Very low packet counts (for example, 1 to 2 packets) do not increment the attack counter and therefore produce no log entries.
Impact:
-- Packets that are dropped because they carry prohibited IP options are not logged, so the drops are invisible in the audit trail.
Conditions:
-- A DoS vector such as "IP Option Frames" or "Bad TCP Flags Malformed" is configured with a rate limit of 0.
-- Packets contain one of the following IP options: Record Route (RR), Loose Source Route (LSR), or Strict Source Route (SSR).
-- The packet rate is low (below the stats_1m aggregation threshold).
-- Attack detection is not triggered.
Workaround:
-- No effective workaround is currently available.
-- Increasing the traffic rate until attack detection triggers does generate logs; however, this does not satisfy Common Criteria (CC) requirements, which require that low-rate packet drops also be logged.
Fix Information:
Audit logging has been improved for DoS vectors configured with a rate limit of 0. Packets containing prohibited IP options (RR, LSR, SSR) that are dropped by policy enforcement are now logged regardless of whether the traffic rate exceeds the attack detection threshold. This provides visibility into low-rate packet drops without requiring attack detection to be triggered.
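The following is an added, constructed model of the behaviour this bug describes; it is not BIG-IP AFM code and makes no claim about how AFM is implemented internally. It builds raw IPv4 packets carrying the three prohibited options (RR = type 7, LSR = type 131, SSR = type 137, per RFC 791), parses the options field, and then runs the packets through a toy "IP Option Frames" vector with rate limit 0. The `log_all_policy_drops` flag, the `detection_threshold` value, and the log line format are assumptions used only to contrast the old behaviour (log only once attack detection fires, so a 2-packet burst leaves no trace) with the fixed behaviour (log every policy drop).

```python
"""Constructed model of the IP-option drop/log gap. Not F5 code."""
import struct

# IPv4 option type codes (copy flag | class | number), from RFC 791.
IPOPT_EOOL = 0
IPOPT_NOP = 1
IPOPT_RR = 7      # Record Route
IPOPT_LSR = 131   # Loose Source Route
IPOPT_SSR = 137   # Strict Source Route
PROHIBITED_OPTIONS = {IPOPT_RR: "RR", IPOPT_LSR: "LSR", IPOPT_SSR: "SSR"}


def build_ipv4_packet(src, dst, options=b"", payload=b""):
    """Build a minimal IPv4 header (checksum left 0) with raw option bytes.

    Options are padded with EOOL to a 32-bit boundary, as the header length
    field counts 4-byte words. Constructed test input, not captured traffic.
    """
    if len(options) % 4:
        options += bytes(4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0, 64, 17, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
    )
    return header + options + payload


def ipv4_options(packet):
    """Yield (type, data) for each option in the IPv4 header options field."""
    ihl = packet[0] & 0x0F
    opts = packet[20:ihl * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOOL:
            return
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return  # truncated or malformed length: stop parsing
        length = opts[i + 1]
        yield kind, opts[i + 2:i + length]
        i += length


def prohibited_option_names(packet):
    """Names of RR/LSR/SSR options present in the packet, in header order."""
    return [PROHIBITED_OPTIONS[k] for k, _ in ipv4_options(packet) if k in PROHIBITED_OPTIONS]


class IpOptionFramesVector:
    """Toy DoS vector. rate_limit == 0 means every matching packet is dropped.

    Attack detection only fires once `detection_threshold` matching packets
    have been seen (assumed value). Old behaviour: a drop is logged only when
    detection has fired. Fixed behaviour (log_all_policy_drops=True): every
    policy drop is logged, independent of the detection counter.
    """

    def __init__(self, rate_limit=0, detection_threshold=100, log_all_policy_drops=False):
        self.rate_limit = rate_limit
        self.detection_threshold = detection_threshold
        self.log_all_policy_drops = log_all_policy_drops
        self.seen = 0
        self.dropped = 0
        self.logs = []

    def process(self, packet):
        names = prohibited_option_names(packet)
        if not names:
            return "forward"
        self.seen += 1
        attack_detected = self.seen >= self.detection_threshold
        if self.rate_limit == 0:
            self.dropped += 1
            if attack_detected or self.log_all_policy_drops:
                # Assumed log format, for illustration only.
                self.logs.append(f"ip-option-frames drop options={'/'.join(names)}")
            return "drop"
        return "forward"


def run_low_rate_burst(log_all_policy_drops, count=2):
    """Send `count` low-rate prohibited-option packets; return (dropped, logged)."""
    vector = IpOptionFramesVector(rate_limit=0, log_all_policy_drops=log_all_policy_drops)
    samples = [
        b"\x07\x03\x04",                        # RR, no address slots
        b"\x83\x07\x04" + bytes([10, 0, 0, 3]), # LSR with one hop
        b"\x89\x07\x04" + bytes([10, 0, 0, 3]), # SSR with one hop
    ]
    for i in range(count):
        vector.process(build_ipv4_packet("10.0.0.1", "10.0.0.2", options=samples[i % 3]))
    return vector.dropped, len(vector.logs)


if __name__ == "__main__":
    print("old behaviour (dropped, logged):", run_low_rate_burst(False))
    print("fixed behaviour (dropped, logged):", run_low_rate_burst(True))
```

With the old gating, two dropped packets produce zero log entries, which is exactly the audit gap; with the fix, each policy drop is logged even though detection never fires.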