Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.4.0
Opened: Sep 10, 2013 Severity: 3-Major Related Article:
K15023
The BIG-IP AFM system provides protection from many types of denial-of-service (DoS) attacks, and each configurable item has its own detection threshold and limit. However, the BIG-IP AFM system determines the configurable item's detection threshold and limit for each TMM; it does not determine the thresholds and limits system-wide. For example, the default settings for the SYN and FIN Set attack type are as follows: Detection Threshold PPS: 10000 Detection Threshold Percent: 500 Default Internal Rate Limit: 100000 The assumed behavior is that if the BIG-IP AFM system detects more than 10,000 packets per second, it flags that as an ongoing attack. However, since this number is for each TMM, a device with four TMMs could theoretically handle 40,000 packets per second before the system detected an attack. However, as soon as a single TMM crosses the 10,000 pps threshold, it is flagged as an attack. This equation assumes an equal four-way split among the four TMMs in traffic processing. There are several factors that affect how many packets each TMM is currently handling, such as session length, session resumption, persistence, hashing used, etc.
Confusion when the BIG-IP passes DoS traffic at a rate of (# tmms)*(configured value) rather than (configured value).
Multiple tmms.
Switch to a single tmm or set a configured value reflecting the overall total desired value divided by the number of tmms. When configuring DoS Device Protection detection thresholds and rate limits, you should consider the number of TMMs available on your platform. Set the value that reflects the overall system-wide level that you want, and divide that by the number of TMMs that you have. Alternatively, if the deployment is suitable to use a single TMM, then the configured thresholds and limit will be the numbers as configured. You can determine the number of TMMs available on your platform by using either the command-line ps command or the Traffic Management Shell (tmsh) command. Note: For BIG-IP hyper-threaded platforms running 11.5.0 and later, refer to K15003: TMM data plane tasks and non-TMM control plane tasks use separate logical cores on systems with HT Technology CPUs For more information, see K15023: The BIG-IP AFM system enforces configured thresholds and limits for each TMMhttps://support.f5.com/csp/article/K15023.
None