Bug ID 480583: Support SIP/DNS DOS only for UDP packets and SIP DOS does not drop packets but count drops

Last Modified: Dec 10, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4

Opened: Sep 23, 2014
Severity: 2-Critical

Symptoms

SIP DOS does not drop the packets after attack is detected but counts the stats for drop packets.

Impact

SIP DOS Attack packets will not be dropped.

Conditions

SIP DOS attack is detected.

Workaround

None

Fix Information

This fix causes the system to drop SIP DoS attack packets. This change also restricts SIP/DNS DoS detection only to UDP packets. SIP/DNS DoS attacks over TCP and SCTP are not detected.

Behavior Change

Prior to this release, SIP/DNS DOS detection and mitigation was supported on TCP,UDP and SCTP protocol packets. With this release SIP/DNS DOS detection and mitigation is only for UDP protocol packets. SIP/DNS DOS attacks will not be detected for TCP and SCTP protocol packets.