Bug ID 702413: TCP handshake rejected if SYN cookies attack is detected

Last Modified: Oct 16, 2019


Affected Product:
BIG-IP AFM, LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1

Fixed In:
14.0.0

Opened: Jan 17, 2018
Severity: 2-Critical

Symptoms

TCP handshakes are rejected once SYN cookie protection activates in response to a detected SYN flood, on hardware platforms with multiple HSB (High-Speed Bridge) devices per TMM and on BIG-IP Virtual Edition (VE). Alternatively, the handshake is accepted, but the client-side MSS recovered from the SYN cookie is not applied correctly, so BIG-IP sends segments larger than the client's advertised MSS, producing oversized frames on the wire.

Impact

Legitimate connections are reset because their handshakes fail. Alternatively, BIG-IP sends packets that exceed the client's MSS, which downstream devices may fragment or drop.

Conditions

SYN cookie protection is enabled in the LTM global settings, and a SYN flood (or enough SYN traffic to cross the SYN cookie threshold) causes the system to enter SYN cookie mode. The problem is seen on multi-HSB hardware platforms and on VE.

Workaround

Turn off SYN cookie protection. Note that this also removes the SYN flood mitigation it provides, so weigh the exposure of the affected virtual servers before applying it, and re-enable the protection after upgrading to a fixed version.

Fix Information

Revised the SYN cookie lifetime check logic to cope correctly with multi-HSB platforms. Added VE SYN cookie handling code that is compatible with the multi-HSB-per-TMM platform code path.
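To make the two failure modes concrete, the following is an added illustration of how a SYN cookie carries a coarse time counter (the basis of a lifetime check) and an MSS index inside the server's initial sequence number. It is a generic, Linux-style scheme written for this page, not BIG-IP code or the fix itself; the MSS table, the secret, the addresses and the 5-bit/3-bit/24-bit layout are constructed assumptions. It shows that a validator whose clock disagrees with the issuing side rejects otherwise valid cookies (handshake rejected), and that ignoring the encoded MSS index leaves the server using an MSS larger than the client's (oversized segments).

```python
import hmac
import hashlib
import struct

# Constructed MSS table (the classic design uses a small table so the index fits in 3 bits).
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_BITS = 5                      # coarse time counter (one tick per ~64 s in the classic design)
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAC_BITS = 24
MAC_MASK = (1 << MAC_BITS) - 1

# Constructed demo values (assumptions, not from the page).
SECRET = b"constructed-demo-secret"
CLIENT = bytes([192, 0, 2, 10])
SERVER = bytes([198, 51, 100, 5])
CLIENT_PORT = 40000
SERVER_PORT = 443


def mss_index(client_mss):
    """Largest table entry that does not exceed the client's advertised MSS (index 0 if none)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            idx = i
    return idx


def _mac(secret, saddr, daddr, sport, dport, counter, idx):
    """24-bit truncated HMAC over the 4-tuple, the time counter and the MSS index."""
    msg = struct.pack("!4s4sHHBB", saddr, daddr, sport, dport, counter, idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_mss, counter):
    """Build the ISN sent in the SYN-ACK: [5-bit counter | 3-bit MSS index | 24-bit MAC]."""
    counter &= COUNTER_MASK
    idx = mss_index(client_mss)
    mac = _mac(secret, saddr, daddr, sport, dport, counter, idx)
    return ((counter << 27) | (idx << 24) | mac) & 0xFFFFFFFF


def check_cookie(secret, saddr, daddr, sport, dport, cookie, now_counter, max_age=1):
    """Validate the cookie echoed in the final ACK (cookie = ACK number - 1).

    Returns the MSS to use for the connection, or None if the cookie is forged or
    older than max_age ticks relative to the validator's own counter.
    """
    counter = (cookie >> 27) & COUNTER_MASK
    idx = (cookie >> 24) & 0x7
    mac = cookie & MAC_MASK
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac(secret, saddr, daddr, sport, dport, counter, idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    # Lifetime check, modular so the counter may wrap (31 -> 0 is one tick, not -31).
    age = (now_counter - counter) & COUNTER_MASK
    if age > max_age:
        return None   # stale (or clock-skewed) cookie: the handshake is rejected
    return MSS_TABLE[idx]


def naive_mss_after_handshake(default_mss=1460):
    """A validator that ignores the encoded index and uses a fixed default: this is the
    behaviour that sends segments larger than a client that advertised a smaller MSS."""
    return default_mss


def segments_exceed_client_mss(client_mss, server_mss):
    """True when the server's chosen MSS would produce frames larger than the client allows."""
    return server_mss > client_mss


if __name__ == "__main__":
    cookie = make_cookie(SECRET, CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1200, 10)
    print("same clock:", check_cookie(SECRET, CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, cookie, 10))
    print("skewed clock:", check_cookie(SECRET, CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, cookie, 13))
    print("naive MSS oversized:", segments_exceed_client_mss(1200, naive_mss_after_handshake()))
```

The interesting cases are the last two calls: with the issuing side at tick 10 and the validating side at tick 13, the cookie is cryptographically fine but fails the lifetime check, which is the kind of disagreement a per-device counter can cause when the SYN-ACK and the ACK are handled by different paths; and a validator that does not honour the encoded MSS index ends up with 1460 against a client that offered 1200, exactly the oversized-segment symptom.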

Behavior Change