Bug ID 504384: ICMP attack thresholds

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
11.6.2 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.5.2 HF1

Opened: Feb 03, 2015

Severity: 3-Major


ICMP flood protection triggers at an earlier than expected threshold if all of the ICMP attack traffic contains the same ID. This is because all traffic is sent to the same tmm when it contains the same ID but the threshold takes into account the number of tmms.


The forwarded ICMP traffic has higher priority that regular traffic causing normal traffic to potentially get dropped sooner as compared to forwarded traffic.


When ICMP traffic is sent with the same ICMP id, and the DoS threshold was configured assuming the ICMP traffic would be spread across all tmms.



Fix Information

ICMP attack traffic with same ID being forwarded to a single TMM for processing is now tagged with the correct priority.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips