Bug ID 689080: Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3

Fixed In:
12.1.3.1

Opened: Oct 17, 2017
Severity: 2-Critical

Symptoms

When tmm uses a software encoding algorithm to generate syncookies in a SYN/ACK packet, there is a chance that HSB might mistakenly identify the ACK response to the SYN/ACK as a valid syncookie response and stamp a SYNCOOKIE_VALID flag on the packet. In that case, software processes try to extract the MSS (maximum segment size) value encoded in the syncookie, which would be a wrong value. This may cause connections to fail in subsequent transactions, or cause performance degradation.

Impact

Connections either fail, or the smaller, incorrect MSS value causes performance degradation.

Conditions

When software syncookie protection mode is activated and a software encoding algorithm is being used.

Workaround

None.

Fix Information

If a software syncookie encoding algorithm is being used, tmm now ignores the SYNCOOKIE_VALID flag stamped by HSB, so the correct MSS value is calculated.
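
A toy model of the failure and the fix described above, as an added example rather than F5 code. The page does not describe the tmm or HSB algorithms, so the keys, cookie layouts, MSS tables, the 8-bit hardware check and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Toy model: keys, cookie layouts and MSS tables below are constructed for
# illustration; they are not the tmm or HSB algorithms.
SW_KEY, HW_KEY = b"sw-secret", b"hw-secret"
SW_MSS = [536, 1300, 1440, 1460]  # software scheme: index in cookie bits 0-1
HW_MSS = [256, 512, 1024, 1460]   # hardware scheme: index in cookie bits 8-9
MASK = 0xFFFFFFFC                 # MAC bits of a software cookie

def _mac(key, flow):
    digest = hmac.new(key, repr(flow).encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def sw_encode(flow, mss):
    """Software cookie: 30 MAC bits plus a 2-bit MSS index."""
    return (_mac(SW_KEY, flow) & MASK) | SW_MSS.index(mss)

def sw_decode(flow, cookie):
    """Return the MSS, or None if the cookie's MAC bits do not verify."""
    if (cookie ^ _mac(SW_KEY, flow)) & MASK:
        return None
    return SW_MSS[cookie & 0x3]

def hw_flags_valid(flow, cookie):
    """Assumed hardware check on an 8-bit tag; a software cookie can match by chance."""
    return (cookie & 0xFF) == (_mac(HW_KEY, flow) & 0xFF)

def hw_decode(cookie):
    return HW_MSS[(cookie >> 8) & 0x3]

def mss_for_ack(flow, cookie, sw_mode, fixed):
    """MSS chosen for the ACK; the fixed path ignores the flag in software mode."""
    trust_flag = hw_flags_valid(flow, cookie) and not (fixed and sw_mode)
    return hw_decode(cookie) if trust_flag else sw_decode(flow, cookie)

def find_misflagged_flow(mss=1460):
    """Find a constructed flow whose software cookie the hardware check accepts."""
    for sport in range(1024, 65536):
        flow = ("192.0.2.10", sport, "198.51.100.5", 443)
        cookie = sw_encode(flow, mss)
        if hw_flags_valid(flow, cookie) and hw_decode(cookie) != mss:
            return flow, cookie
    raise RuntimeError("no colliding flow in the search range")

if __name__ == "__main__":
    flow, cookie = find_misflagged_flow()
    print("before fix:", mss_for_ack(flow, cookie, sw_mode=True, fixed=False))
    print("after fix: ", mss_for_ack(flow, cookie, sw_mode=True, fixed=True))
```

In this model the pre-fix path returns a value from the hardware table for a cookie that was encoded with the software table, while the fixed path returns the 1460 that was originally encoded.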

Behavior Change