Last Modified: Nov 07, 2022
Known Affected Versions:
13.1.0, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 13.1.1, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 13.1.3, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 13.1.4, 220.127.116.11, 13.1.5, 18.104.22.168
Opened: Mar 07, 2018
Severity: 4-Minor
Symptoms: When VLAN SYN cookies are enabled on the BIG-IP client-side VLAN, per-virtual-server SYN cookies are disabled, and a SYN flood is running, VLAN SYN cookies can be observed activating as expected, but the BIG-IP then falls into a never-ending cycle of VLAN SYN cookies activating and deactivating.
Impact: The BIG-IP does not stay in hardware SYN cookie mode, so the flood is handled without SYN cookie protection during every deactivated interval and the protective effect is diminished.
Conditions: Hardware SYN cookies are enabled on a specific VLAN, per-virtual-server SYN cookies are disabled, and a SYN flood is run against that VLAN.
Workaround: Switch to virtual-server (VIP) based SYN cookie protection instead of per-VLAN SYN cookies.
Fix Information: Use an estimated total per-VLAN SYN cookie generation count to decide when it is time to exit per-VLAN SYN cookie mode globally. The PDE register only reports the SYN cookie count of the local PDE; on a platform with many PDEs assigned to TMMs, each PDE sees only a fraction of the VLAN's traffic, so the reported number can easily fall below the fixed global exit threshold even while the flood continues, which is what causes the mode to deactivate and then immediately reactivate. By scaling the local count up to an estimated platform-wide total, different platforms are given a similar exit condition.
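The activate/deactivate cycle and the effect of the fix can be reproduced with a small model of the exit decision. The following is an added illustration written for this page; it is not BIG-IP or TMM code, and the threshold values, the even split of the flood across PDEs, and the VLAN-level activation trigger are all assumptions chosen to make the mechanism visible, not values taken from the product.

```python
"""Toy model of the per-VLAN SYN cookie exit decision described in this bug.

Constructed example, not F5 code. Assumptions (all hypothetical):
- the flood is spread evenly, so one PDE handles total_syn_rate / n_pde SYNs
  per interval, and its register reports only that local cookie count;
- SYN cookie mode is entered when the VLAN-level flood detector sees the
  whole flood at or above ENTER_THRESHOLD SYNs per interval;
- the mode is left when the count used for the exit check falls below the
  fixed global EXIT_THRESHOLD.
"""

ENTER_THRESHOLD = 1000  # SYNs/interval that activate VLAN SYN cookies (assumed)
EXIT_THRESHOLD = 500    # cookies/interval below which the mode is left (assumed)


def local_pde_count(total_syn_rate, n_pde):
    """Cookies generated by one PDE when the flood is spread evenly."""
    return total_syn_rate // n_pde


def exit_count(local_count, n_pde, estimate_total):
    """Value compared with EXIT_THRESHOLD.

    Before the fix: the raw local PDE register.
    After the fix: the local count scaled to an estimated platform-wide total.
    """
    return local_count * n_pde if estimate_total else local_count


def should_exit(local_count, n_pde, estimate_total):
    return exit_count(local_count, n_pde, estimate_total) < EXIT_THRESHOLD


def simulate(total_syn_rate, n_pde, intervals, estimate_total):
    """Run the activate/deactivate state machine over a steady flood.

    Returns (in_cookie_mode_at_end, number_of_transitions). A healthy run
    under a sustained flood has exactly one transition (activation); a
    larger number means the mode is flapping.
    """
    in_cookie_mode = False
    transitions = 0
    for _ in range(intervals):
        if not in_cookie_mode:
            # Activation sees the whole flood on the VLAN.
            if total_syn_rate >= ENTER_THRESHOLD:
                in_cookie_mode = True
                transitions += 1
        else:
            # Exit check only has the local PDE's cookie count to work with.
            cookies = local_pde_count(total_syn_rate, n_pde)
            if should_exit(cookies, n_pde, estimate_total):
                in_cookie_mode = False
                transitions += 1
    return in_cookie_mode, transitions


def is_flapping(total_syn_rate, n_pde, intervals, estimate_total):
    _, transitions = simulate(total_syn_rate, n_pde, intervals, estimate_total)
    return transitions > 1


if __name__ == "__main__":
    # Same flood (4000 SYNs/interval), same thresholds, different PDE counts.
    for n_pde in (2, 16):
        for fixed in (False, True):
            state, t = simulate(4000, n_pde, 10, fixed)
            print(f"n_pde={n_pde:2d} estimate_total={fixed!s:5} "
                  f"in_mode={state!s:5} transitions={t}")
```

With two PDEs the local count (2000) stays above the exit threshold and the mode is stable either way; with sixteen PDEs the local count (250) is below the threshold, so the unfixed check exits on every interval and the VLAN detector reactivates on the next, which is the cycle the symptoms describe. Scaling the local count to an estimated total (250 x 16 = 4000) keeps the sixteen-PDE platform in SYN cookie mode for as long as the flood lasts, matching the two-PDE platform.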