Bug ID 702413: TCP handshake rejected if SYN cookies attack is detected

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM, LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,

Fixed In:

Opened: Jan 17, 2018

Severity: 2-Critical


TCP handshake rejected if SYN cookies attack is detected on platforms with some multiple HSB devices and BIG-IP Virtual Edition (VE) environments. OR TCP handshake is accepted, but the client-side MSS is not set properly, resulting in BIG-IP sending oversized frames on-wire.


Regular traffic gets reset because of handshake failures. OR BIG-IP is sending oversized packets, exceeding MSS.


Enable syncookie protection in LTM global setting, and start SYN flood attacks.


Turn off syncookie protection.

Fix Information

Revised the syncookie lifetime check logic to better cope with the multi-HSB cases. Added VE syncookie handling code that is compatible with the multi-HSB per tmm platforms.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips