Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.2 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF6, 11.5.1 HF6
Opened: Sep 29, 2014
Severity: 3-Major
When an AFM DoS Sweep/Flood attack is ongoing, there is a chance that a non-attacking source IP (one sending packets below the detect threshold) is logged as an attacker in the "attack_sampled" AFM DoS log message.
The log message could list an innocent source IP as an attacker. This IP could also appear as an attacker in AVR.
When an AFM DoS Sweep or Flood attack is ongoing and multiple source IPs (attackers and non-attackers) are sending packets that match the AFM DoS Sweep or Flood vector, the "attack sampled" log could appear for an IP that is not actually sending packets above the configured attack rate.
None, since the log message is cosmetic.
Improved security logging to reduce incorrect messages.