Bug ID 666947: L2 Wire global syn cookie in HW floods SYN ACK packets to both the VLANs joined in a L2 VLAN group.

Last Modified: Nov 22, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Fixed In:

Opened: May 27, 2017
Severity: 3-Major


Ports that are in L2 mode have learning disabled. So although HSB should tell the switch about the ingress port from which the packet came, it cannot do so in this release. That means that the SYN ACK packet will be flooded to both the VLANs. But only the client that sends that actual SYN will accept the SYN ACK, as the other interface contains the incorrect MAC addresses and will be dropped by the host connected to the second side of port.


Global syn-cookie does not work without a virtual server even if another global DoS vectors work without a virtual server. The system will send a spurious SYN ACK. There may or may not be any impact, as the spurious SYN ACK packet's MAC address will not be matched and should be dropped by the host. However, there is a possibility that it might lead to flooding of SYN ACK packets when a SYN attack is ongoing.


Whenever AFM global syn cookie is triggered in hardware.



Fix Information


Behavior Change