Bug ID 504384: ICMP attack thresholds

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
12.0.0, 11.5.2 HF1

Opened: Feb 03, 2015
Severity: 3-Major

Symptoms

ICMP flood protection triggers at an earlier than expected threshold if all of the ICMP attack traffic contains the same ID. This is because all traffic is sent to the same tmm when it contains the same ID but the threshold takes into account the number of tmms.

Impact

The forwarded ICMP traffic has higher priority that regular traffic causing normal traffic to potentially get dropped sooner as compared to forwarded traffic.

Conditions

When ICMP traffic is sent with the same ICMP id, and the DoS threshold was configured assuming the ICMP traffic would be spread across all tmms.

Workaround

None

Fix Information

ICMP attack traffic with same ID being forwarded to a single TMM for processing is now tagged with the correct priority.

Behavior Change