Bug ID 463760: AFM DDoS BAD_ICMP_FRAME might be triggered in some valid cases

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP AFM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: May 22, 2014
Severity: 4-Minor

Symptoms

The hit count for the DoS vector BAD_ICMP_FRAME might be incremented even for ICMP packets that are allowed through.

Impact

The BAD_ICMP_FRAME count might increase even for packets that are allowed, so legitimate ICMP traffic of the affected types counts against that vector's detection threshold and rate limit.

Conditions

AFM DoS provisioned and licensed. Certain ICMP types are reserved (not assigned a meaning) by the RFC, but LTM allows traffic with those ICMP types to be load balanced. AFM DoS, however, only accepts the ICMP types explicitly specified in the RFC and classifies the reserved types as BAD_ICMP_FRAME, so well-formed packets of a reserved type are counted against the vector.
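As an added illustration (not F5 code and not part of this bug entry), the following Python model shows the classification gap described above. It parses a raw ICMPv4 message, verifies the RFC 1071 checksum to separate genuinely malformed frames from merely unusual ones, and then sorts well-formed messages into the types RFC 792 explicitly defines versus the reserved or unassigned types that LTM forwards but the affected AFM DoS releases counted as BAD_ICMP_FRAME. The set of RFC 792 types is this example's reading of that RFC, and the sample frames are constructed inline; the actual AFM implementation is not shown here.

```python
"""Illustrative model of the BAD_ICMP_FRAME classification gap (not F5 code)."""
import struct

# ICMPv4 message types explicitly specified in RFC 792 (assumption: this is
# "the RFC" the bug entry refers to). Anything else is treated as reserved.
RFC792_TYPES = {0, 3, 4, 5, 8, 11, 12, 13, 14, 15, 16}

# ICMP header: type(1) code(1) checksum(2) rest-of-header(4)
ICMP_HEADER_LEN = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int = 0,
               rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Construct a well-formed ICMP message with a correct checksum."""
    hdr = struct.pack("!BBH", msg_type, code, 0) + rest
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBH", msg_type, code, csum) + rest + payload


def classify(frame: bytes) -> str:
    """Classify one ICMP message.

    'malformed' : truncated header or bad checksum (a genuinely bad frame)
    'rfc792'    : type explicitly specified in RFC 792, accepted by LTM and AFM
    'reserved'  : type outside RFC 792; LTM forwards it, but the affected AFM
                  DoS releases counted it as BAD_ICMP_FRAME
    """
    if len(frame) < ICMP_HEADER_LEN:
        return "malformed"
    # A message whose checksum field is correct sums to zero when the field
    # itself is included in the computation.
    if icmp_checksum(frame) != 0:
        return "malformed"
    return "rfc792" if frame[0] in RFC792_TYPES else "reserved"


def tally(frames) -> dict:
    """Compare what LTM forwards with what affected AFM counts as BAD_ICMP_FRAME."""
    kinds = [classify(f) for f in frames]
    return {
        # LTM load balances every well-formed ICMP message, reserved types included.
        "ltm_forwarded": sum(1 for k in kinds if k != "malformed"),
        # Affected AFM DoS counted everything that is not an RFC 792 type,
        # so reserved types inflate the vector alongside real bad frames.
        "afm_bad_icmp_frame": sum(1 for k in kinds if k != "rfc792"),
    }


if __name__ == "__main__":
    # Constructed sample traffic: an echo request, a reserved type 19 message,
    # and a truncated frame.
    samples = [
        build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping"),
        build_icmp(19),
        b"\x08\x00",
    ]
    for s in samples:
        print(s[:2].hex(), classify(s))
    print(tally(samples))
```

Running the model on the constructed samples shows the echo request classified as `rfc792`, the type 19 message as `reserved` (forwarded by LTM yet counted by affected AFM), and the truncated frame as `malformed`; the tally therefore reports two frames forwarded by LTM and two counted against BAD_ICMP_FRAME, only one of which is actually bad.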

Workaround

Raise the rate limit and detection threshold for the BAD_ICMP_FRAME vector so that legitimate traffic of the reserved ICMP types does not trip it.

Fix Information

Set the rate-limit/detection-limit to higher values for BAD_ICMP_FRAME.

Behavior Change