Bug ID 430649: Configuration validation required to ensure DNS or SIP DoS profiles are only associated with virtual servers using DNS or SIP profiles.

Last Modified: Feb 13, 2019

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
11.3.0

Fixed In:
11.5.0

Opened: Sep 14, 2013
Severity: 3-Major
Related AskF5 Article:
K15499

Symptoms

It is possible to attach a DoS profile that has DNS settings to a virtual server that doesn't have a DNS profile. In that case DNS DoS protection is not actually applied, but the user is unaware of this and may think that the VIP has DoS protection. Virtual servers are not protected against DNS and SIP DoS attacks even though the attached DoS profiles have the corresponding DNS and SIP embedded profiles configured.

Impact

Virtual servers are not protected against SIP and DNS DoS attacks because the misconfiguration is not validated.

Conditions

DoS profiles that have DNS and/or SIP embedded profiles configured are attached to virtual servers that do not have the corresponding DNS and/or SIP profiles attached.

Workaround

Make sure SIP and/or DNS profiles are attached to the virtual servers.

Fix Information

The system now validates a virtual server to which a DNS DoS and/or SIP DoS profile is assigned, to ensure that the virtual server includes a SIP or DNS profile.
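For systems still on an affected version, the same rule can be applied as an offline audit. The following is an added example, not F5 code: the inventory layout and every profile and virtual server name in it are constructed, hypothetical values and do not represent tmsh output.

```python
# Added example: offline audit mirroring the validation described above.
# The inventory layout below is a constructed, hypothetical model, not tmsh output.

# profile name -> profile type (constructed sample data)
PROFILE_TYPES = {
    "dns_default": "dns",
    "sip_default": "sip",
    "udp_default": "udp",
    "dos_dns_only": "dos",
    "dos_dns_sip": "dos",
    "dos_network": "dos",
}

# DoS profile name -> protocol sections configured inside it (constructed)
DOS_SECTIONS = {
    "dos_dns_only": {"dns"},
    "dos_dns_sip": {"dns", "sip"},
    "dos_network": set(),
}

# virtual server name -> attached profile names (constructed)
VIRTUALS = {
    "vs_dns_ok": ["udp_default", "dns_default", "dos_dns_only"],
    "vs_dns_missing": ["udp_default", "dos_dns_only"],
    "vs_sip_partial": ["udp_default", "dns_default", "dos_dns_sip"],
    "vs_plain": ["udp_default", "dos_network"],
}


def find_unprotected(virtuals, profile_types, dos_sections):
    """Return sorted (virtual, dos_profile, missing_protocol) findings."""
    findings = []
    for vs, attached in virtuals.items():
        # Protocol profile types actually present on this virtual server.
        present = {profile_types.get(p) for p in attached}
        for p in attached:
            if profile_types.get(p) != "dos":
                continue
            # Each DNS/SIP section in the DoS profile needs a matching profile.
            for proto in sorted(dos_sections.get(p, set()) - present):
                findings.append((vs, p, proto))
    return sorted(findings)


if __name__ == "__main__":
    for vs, dos, proto in find_unprotected(VIRTUALS, PROFILE_TYPES, DOS_SECTIONS):
        print(f"{vs}: DoS profile {dos} has {proto.upper()} settings "
              f"but no {proto.upper()} profile is attached")
```

Each finding names a virtual server to which the workaround applies: attach the missing DNS or SIP profile.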

Behavior Change