Bug ID 504384: ICMP attack thresholds

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
11.6.2 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.5.2 HF1

Opened: Feb 03, 2015

Severity: 3-Major

Symptoms

ICMP flood protection triggers at a lower-than-expected threshold if all of the ICMP attack traffic contains the same ID. This is because all traffic that contains the same ID is sent to the same TMM, but the threshold takes into account the number of TMMs.
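The arithmetic behind this symptom, as an added example that is not F5 code. It assumes each TMM enforces an equal share of the configured threshold and uses `icmp_id % n_tmms` as a stand-in for the real dispatcher; the threshold, TMM count and traffic are constructed values.

```python
"""Model of a device-wide ICMP flood threshold enforced per TMM (constructed)."""
from collections import Counter
from itertools import cycle, islice


def per_tmm_share(threshold_pps: int, n_tmms: int) -> int:
    # Assumption: each TMM enforces an equal slice of the configured threshold.
    return threshold_pps // n_tmms


def tmm_for(icmp_id: int, n_tmms: int) -> int:
    # Assumption: stand-in for the real dispatcher; same ID -> same TMM.
    return icmp_id % n_tmms


def packets_until_trigger(icmp_ids, threshold_pps: int, n_tmms: int):
    """Return how many packets arrive device-wide (within one second)
    before any single TMM exceeds its share, or None if none does."""
    share = per_tmm_share(threshold_pps, n_tmms)
    seen = Counter()
    for total, icmp_id in enumerate(icmp_ids, start=1):
        tmm = tmm_for(icmp_id, n_tmms)
        seen[tmm] += 1
        if seen[tmm] > share:
            return total
    return None


def one_second(ids, rate_pps: int):
    # Constructed traffic: rate_pps packets cycling through the given IDs.
    return islice(cycle(ids), rate_pps)


if __name__ == "__main__":
    THRESHOLD, TMMS = 8000, 8  # constructed values
    spread = packets_until_trigger(one_second(range(TMMS), 8000), THRESHOLD, TMMS)
    same_id = packets_until_trigger(one_second([0x1234], 8000), THRESHOLD, TMMS)
    print("varied IDs, 8000 pps: trigger after", spread, "packets")
    print("single ID,  8000 pps: trigger after", same_id, "packets")
```

Under these assumptions, traffic spread evenly across TMMs stays under the configured threshold, while the same rate with a single ID trips detection at roughly the threshold divided by the number of TMMs.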

Impact

The forwarded ICMP traffic has higher priority than regular traffic, so normal traffic can potentially be dropped sooner than forwarded traffic.

Conditions

ICMP traffic is sent with the same ICMP ID, and the DoS threshold was configured on the assumption that the ICMP traffic would be spread across all TMMs.

Workaround

None

Fix Information

ICMP attack traffic with the same ID, which is forwarded to a single TMM for processing, is now tagged with the correct priority.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips