Bug ID 434468: htsplit mode may lead to false-alarm of AFM DOS detection/mitigation.

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP AFM, Install/Upgrade(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Opened: Oct 18, 2013
Severity: 2-Critical

Symptoms

In 11.5, htsplit mode is enabled by default. htsplit applies only to platforms/blades whose CPUs have hyper-threading. htsplit mode halves the number of tmms. So after upgrading from 11.4 to 11.5, you may see DOS attacks reported at normal traffic rates. Example: you have a BIG-IP 10000/12000 running 11.4 with 12 tmms, and you configure DOS accordingly. When you upgrade to 11.5, you end up with 6 tmms because of htsplit mode.

Impact

You may see false-alarm DOS attacks at normal traffic rates.

Conditions

The platform/blade CPU has hyper-threading and sys db scheduler.splitplanes.ltm = "true".

Workaround

Double the thresholds for AFM DOS vectors.

Fix Information

None

Behavior Change