Bug ID 463760: AFM DDoS BAD_ICMP_FRAME might be triggered in some valid cases

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0

Opened: May 22, 2014

Severity: 4-Minor

Symptoms

The count for the DoS vector BAD_ICMP_FRAME might be incremented even for packets that are allowed.

Impact

The BAD_ICMP_FRAME count might increase even for packets that are allowed through, so the counter may overstate the number of malformed ICMP frames.

Conditions

AFM DoS provisioned and licensed. Certain ICMP types are reserved according to the RFC, but LTM allows those ICMP types to be load-balanced. AFM DoS, however, only allows ICMP types that are explicitly specified in the RFC and not the reserved types, so packets with reserved types that LTM forwards are still counted against BAD_ICMP_FRAME.

Workaround

Set the rate limit and detection limit to higher values for BAD_ICMP_FRAME.

Fix Information

Set the rate-limit/detection-limit to higher values for BAD_ICMP_FRAME.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips