Bug ID 430264: Receive Hardware Checksumming may cause BIGIP to Ignore IP Checksum Attacks

Last Modified: Mar 12, 2019


Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4

Fixed In:
12.0.0

Opened: Sep 10, 2013
Severity: 2-Critical

Symptoms

The VE versions of BIG-IP running on certain versions of the VMware Broadcom drivers incorrectly report no error for IP packets that do have an IP checksum error. As a result, some IP checksum errors are not reported in those scenarios. The workaround is to enable software-based checking with the db variable tm.tcpudpiprxchecksum, though this will have some performance impact.
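The following C example is added here and is not F5's code or the BIG-IP implementation: it performs the RFC 1071 IPv4 header checksum check in software and shows how a receive path that trusts a driver's "checksum OK" flag accepts a corrupted header that software-based checking rejects. The function names, the `hw_says_ok` flag and both sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: valid 20-byte IPv4 header (checksum field 0xb861). */
static const uint8_t GOOD_HDR[20] = {
    0x45,0x00,0x00,0x73,0x00,0x00,0x40,0x00,0x40,0x11,
    0xb8,0x61,0xc0,0xa8,0x00,0x01,0xc0,0xa8,0x00,0xc7 };
/* Constructed sample: same header, TTL changed 0x40 -> 0x3f, checksum stale. */
static const uint8_t BAD_HDR[20] = {
    0x45,0x00,0x00,0x73,0x00,0x00,0x40,0x00,0x3f,0x11,
    0xb8,0x61,0xc0,0xa8,0x00,0x01,0xc0,0xa8,0x00,0xc7 };

/* RFC 1071 one's-complement sum over the header, carries folded back in.
 * A header whose checksum field is correct sums to 0xFFFF. */
static uint16_t ipv4_header_sum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* 1 = checksum valid, 0 = checksum bad, -1 = not a parseable IPv4 header. */
int ipv4_checksum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len) return -1;
    return ipv4_header_sum(pkt, ihl) == 0xFFFF;
}

/* Hypothetical receive decision: trust the driver's flag, or re-verify. */
int accept_packet(const uint8_t *pkt, size_t len, int hw_says_ok, int reverify)
{
    if (!reverify) return hw_says_ok;           /* bad checksum goes unseen */
    return ipv4_checksum_ok(pkt, len) == 1;     /* software-based checking  */
}

int main(void)
{
    /* hw_says_ok = 1 models a driver reporting "no error" for a bad packet. */
    printf("trust hardware: accepted=%d\n", accept_packet(BAD_HDR, 20, 1, 0));
    printf("software check: accepted=%d\n", accept_packet(BAD_HDR, 20, 1, 1));
    printf("good header:    accepted=%d\n", accept_packet(GOOD_HDR, 20, 1, 1));
    return 0;
}
```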

Impact

BIG-IP will not detect bad IP checksum DoS attacks if the underlying hypervisor has

Conditions

BIG-IP Virtual Edition, running on any VMware hypervisor that has Broadcom BCM5709 and BCM5716 physical interfaces. There may be other hypervisors or physical interfaces that may cause this behavior.

Workaround

"modify sys db tm.tcpudpiprxchecksum value software-reverify"

Fix Information

None

Behavior Change