Bug ID 609878: Bad ACK Flood is not detected by AFM when loose-init is enabled on the virtual server

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,, 16.1.4,,,, 17.0.0,,, 17.1.0,,,, 17.1.1,,,

Opened: Aug 09, 2016

Severity: 2-Critical


When loose-init is set, which has the implicit semantics of "every ACK packet can create a connection". Hence, there is never a "Bad ACK" to drop. This behavior is expected as per design, so while enabling this option one should aware of the side effects it will cause.


Enabling loose initiation may make it more vulnerable to denial of service attacks.


This issue will be seen when loose-init is enabled on the fastL4 profile and when the box is flooded with asymmetric ACK packets (or) Bad-Acks.


When loose-init is set in the fastL4 profile, we need to turn on connection-limits on the virtual and also Eviction Policy to prevent flow-table exhaustion.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips