Bug ID 481706: AFM DoS Sweep vector could log attack-detected messages from a non-attacking source IP

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.1 HF6

Opened: Sep 29, 2014
Severity: 3-Major

Symptoms

When an AFM DoS Sweep/Flood attack is ongoing, there is a chance that a non-attacking source IP (one sending packets at a rate below the detection threshold) is logged as an attacker in the "attack_sampled" AFM DoS log message.

Impact

The log message could list an innocent source IP as an attacker. The same IP may also appear as an attacker in AVR.

Conditions

When an AFM DoS Sweep or Flood attack is ongoing and multiple source IPs (attackers and non-attackers) are sending packets that match the AFM DoS Sweep or Flood vector, the "attack_sampled" log may name an IP that is not actually sending packets above the configured attack rate.
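The conditions above describe a sampling problem: the vector trips on the matching traffic as a whole, and a packet sampled from that traffic can belong to any source in it, including one below the per-source threshold. The simulation below is an added illustration, not F5 code; the detection model, the threshold and the per-source packet counts are constructed, and it shows both the naive attribution that produces the misleading log and a verified attribution that only names a source whose own rate exceeds the threshold.

```python
"""Why a sampled DoS log entry can name a non-attacking source.

Added illustration (not BIG-IP AFM code). Assumptions: the sweep/flood vector
counts every packet matching its signature, detection fires on rate, and the
"sampled" source is drawn from the matching traffic in proportion to volume.
"""
import random

# Constructed per-second packet counts per source IP (not captured data).
TRAFFIC = {
    "203.0.113.10": 900,   # attacker, well above threshold
    "203.0.113.11": 700,   # attacker
    "198.51.100.5": 40,    # legitimate client
    "198.51.100.6": 25,    # legitimate client
}
DETECT_THRESHOLD = 500  # packets/second per source (constructed value)


def aggregate_rate(traffic):
    """Total matching packets per second across all sources."""
    return sum(traffic.values())


def attackers_by_rate(traffic, threshold):
    """Sources whose own rate exceeds the threshold: the ground truth."""
    return sorted(ip for ip, rate in traffic.items() if rate > threshold)


def sampled_attacker(traffic, rng):
    """Naive attribution: pick one packet from the matching stream and
    report its source. Models the pre-fix behaviour described in the bug."""
    ips = list(traffic)
    weights = [traffic[ip] for ip in ips]
    return rng.choices(ips, weights=weights, k=1)[0]


def sampled_attacker_verified(traffic, threshold, rng):
    """Corrected attribution: report the sampled source only if its own
    rate exceeds the threshold; otherwise report nothing (None)."""
    ip = sampled_attacker(traffic, rng)
    return ip if traffic[ip] > threshold else None


def misattribution_rate(traffic, threshold, trials=10000, seed=1):
    """Fraction of naive samples that name a source below threshold."""
    rng = random.Random(seed)
    innocent = set(traffic) - set(attackers_by_rate(traffic, threshold))
    hits = sum(1 for _ in range(trials)
               if sampled_attacker(traffic, rng) in innocent)
    return hits / trials


def verified_never_names_innocent(traffic, threshold, trials=1000, seed=3):
    """True if the verified attribution never reports a below-threshold IP."""
    rng = random.Random(seed)
    innocent = set(traffic) - set(attackers_by_rate(traffic, threshold))
    return all(sampled_attacker_verified(traffic, threshold, rng) not in innocent
               for _ in range(trials))


if __name__ == "__main__":
    print("aggregate rate:", aggregate_rate(TRAFFIC))
    print("true attackers:", attackers_by_rate(TRAFFIC, DETECT_THRESHOLD))
    print("naive sample names an innocent IP in %.1f%% of cases"
          % (100 * misattribution_rate(TRAFFIC, DETECT_THRESHOLD)))
    print("verified attribution clean:",
          verified_never_names_innocent(TRAFFIC, DETECT_THRESHOLD))
```

With these numbers the innocent clients contribute 65 of 1665 matching packets per second, so roughly 4% of naive samples would name one of them as the attacker even though neither is anywhere near the threshold. For triage on an affected version, the same idea applies: treat the IP in an "attack_sampled" message as a hint and confirm its per-source rate (for example from AVR or flow data) before acting on it.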

Workaround

None; the log message is cosmetic.

Fix Information

Improved security logging to reduce incorrect messages.

Behavior Change