Bug ID 632839: UDP Flood does not get detected if the vector limits are infinite

Last Modified: Jun 30, 2021


Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1

Opened: Dec 09, 2016
Severity: 2-Critical

Symptoms

If the UDP_flood AFM DoS vector is configured as 'infinite' for both detection-threshold-pps and default-internal-rate-limit, a UDP flood is not detected. The per-virtual server and Sweep/Flood levels do not detect UDP_Flood either. If the two settings are not infinite, detection should work as expected; the default value for detection-threshold-pps is 400000.

Impact

You might expect the UDP_flood vector to be detected at the per-virtual server and Sweep/Flood levels, but if it is configured as infinite at the global device level, it is not detected at any level.

Conditions

-- Settings of 'infinite' for UDP_flood device-dos vector.
-- Running v12.1.1, 12.1.2, or 12.1.3.

Workaround

To enable the system to detect UDP_Flood at the various levels, set the global device-dos level for UDP_flood to 4294967294 (1 less than MAX_UINT32). Note: With this workaround, the system still cannot detect the UDP_flood vector at the global device level, because the number is too high.
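
A configuration check for the condition and workaround described above, as an added example that is not F5 code. It scans a constructed config excerpt; the brace-delimited layout, the `udp-flood` stanza name, and the reading that the workaround value is set on both limits are assumptions.

```python
import re

KEYS = ("detection-threshold-pps", "default-internal-rate-limit")
WORKAROUND = "4294967294"  # value given in the Workaround section

# Constructed sample. The brace-delimited layout and the stanza name
# "udp-flood" are assumptions, not captured device output.
SAMPLE = """
dos-device-vector {
    icmp-flood {
        default-internal-rate-limit infinite
        detection-threshold-pps 400000
    }
    udp-flood {
        default-internal-rate-limit infinite
        detection-threshold-pps infinite
    }
}
"""

def vector_settings(config_text, vector="udp-flood"):
    """Return the limit values found in the named vector stanza, or None."""
    # Match innermost "name { ... }" blocks only: the body holds no braces.
    for m in re.finditer(r"([\w-]+)\s*\{([^{}]*)\}", config_text):
        # Accept both "udp-flood" and the page's "UDP_flood" spelling.
        if m.group(1).lower().replace("_", "-") != vector:
            continue
        found = {k: re.search(re.escape(k) + r"\s+(\S+)", m.group(2)) for k in KEYS}
        return {k: v.group(1) for k, v in found.items() if v}
    return None

def udp_flood_status(config_text):
    """Classify the device-level UDP flood vector against Bug ID 632839."""
    settings = vector_settings(config_text)
    if settings is None:
        return "not-found"
    values = [settings.get(k) for k in KEYS]
    if all(v == "infinite" for v in values):
        return "affected"      # flood is not detected at any level
    if all(v == WORKAROUND for v in values):
        return "workaround"    # lower levels detect; device level still does not
    return "not-affected"

if __name__ == "__main__":
    print(udp_flood_status(SAMPLE))
```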

Fix Information

None

Behavior Change