Last Modified: May 29, 2024
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1
Fixed In:
14.1.0, 14.0.0, 13.1.1.2
Opened: May 14, 2018
Severity: 2-Critical
Symptoms:
AFM/DHD treats IP-fragmented UDP DNS packets (requests or responses) as DNS Malformed packets and drops them.
Impact:
AFM/DHD incorrectly treats such packets as DNS Malformed and drops them. If AFM/DHD receives any UDP DNS request or response packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between the clients and servers whose traffic traverses the BIG-IP system.
Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- The DNS Malformed vector is enabled at the Device context (it is always enabled by default).
-- AFM/DHD receives an IP-fragmented packet carrying a UDP DNS request or response.
Workaround:
None.
Fix Information:
This issue is now fixed, as follows:
a) For an IP-fragmented UDP DNS request packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header, and the Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If this information is not available in the first IP fragment, AFM drops the fragment as DNS Malformed.
b) For an IP-fragmented UDP DNS response packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header, and the Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If, however, this information is not available in the first IP fragment, the default behavior is that AFM allows such a fragmented DNS response packet through. This behavior can be changed so that incomplete IP-fragmented DNS response packets are dropped by setting the DB variable 'Dos.dns.respfrag.allow' to 'false'.
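The decision logic described above, modelled as an added example; this is not F5's code, and the packet builders, the port-direction fallback used when the DNS header itself is cut off, and the `respfrag_allow` parameter (standing in for the 'Dos.dns.respfrag.allow' DB variable) are assumptions made for illustration. The example parses a first IPv4 fragment for the UDP header, the DNS header and the full Question section, then applies the request/response rules from the fix information to constructed sample packets.

```python
import struct

DNS_PORT = 53
IPPROTO_UDP = 17


def build_ipv4(payload: bytes, more_fragments: bool, frag_offset_8: int = 0) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) in front of payload. Constructed test data."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset_8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header with the length of the whole datagram (fragments are sliced from this)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_dns_message(qname: str, is_response: bool) -> bytes:
    """DNS header + one A question + one OPT record in Additional, so the datagram is long enough to fragment."""
    flags = 0x8180 if is_response else 0x0100
    hdr = struct.pack("!HHHHHH", 0xBEEF, flags, 1, 0, 0, 1)
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.rstrip(".").split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # root name, type OPT, UDP size 4096, TTL 0, no RDATA
    return hdr + question + opt


def question_section_complete(dns: bytes) -> bool:
    """True if the 12-byte DNS header and every QDCOUNT question lie entirely within `dns`."""
    if len(dns) < 12:
        return False
    qdcount = struct.unpack("!H", dns[4:6])[0]
    off = 12
    for _ in range(qdcount):
        while True:                      # walk the labels of QNAME
            if off >= len(dns):
                return False
            length = dns[off]
            if length == 0:              # root label terminates the name
                off += 1
                break
            if length & 0xC0 == 0xC0:    # compression pointer (2 bytes) also terminates the name
                off += 2
                if off > len(dns):
                    return False
                break
            off += 1 + length
        off += 4                         # QTYPE + QCLASS
        if off > len(dns):
            return False
    return True


def classify_first_fragment(packet: bytes, respfrag_allow: bool = True) -> str:
    """Apply the fix's rules to one IPv4 packet. respfrag_allow models 'Dos.dns.respfrag.allow' (assumption)."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return "drop-malformed"
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)
    if packet[9] != IPPROTO_UDP:
        return "not-udp"
    if flags_frag & 0x1FFF:
        return "later-fragment"          # only the first fragment carries the L4/DNS headers
    if not more_fragments:
        return "not-fragmented"          # outside the fragmented-DNS rules described in the fix
    udp = packet[ihl:]
    if len(udp) < 8:
        return "drop-malformed"          # not even a complete UDP header in the first fragment
    src_port, dst_port = struct.unpack("!HH", udp[:4])
    if DNS_PORT not in (src_port, dst_port):
        return "not-dns"
    dns = udp[8:]
    if len(dns) >= 12:
        is_response = bool(struct.unpack("!H", dns[2:4])[0] & 0x8000)   # QR bit
    else:
        is_response = src_port == DNS_PORT   # assumption: fall back to port direction when the header is cut
    if question_section_complete(dns):
        return "process"                 # enough information for the remaining DoS checks
    if not is_response:
        return "drop-malformed"          # rule a): incomplete request fragment is DNS Malformed
    return "allow" if respfrag_allow else "drop-malformed"   # rule b): response default allow, DB variable flips it


def build_samples() -> dict:
    """Constructed first fragments: payloads are multiples of 8 bytes as real IP fragments must be."""
    req = build_udp(40000, DNS_PORT, build_dns_message("www.example.com", is_response=False))
    resp = build_udp(DNS_PORT, 40000, build_dns_message("www.example.com", is_response=True))
    return {
        "request_complete": build_ipv4(req[:48], more_fragments=True),    # header + question fit in 48 bytes
        "request_truncated": build_ipv4(req[:40], more_fragments=True),   # QCLASS cut off
        "response_truncated": build_ipv4(resp[:40], more_fragments=True),
        "unfragmented": build_ipv4(req, more_fragments=False),
    }


if __name__ == "__main__":
    for name, pkt in build_samples().items():
        print(f"{name:20s} default={classify_first_fragment(pkt):15s} "
              f"respfrag_allow=false={classify_first_fragment(pkt, respfrag_allow=False)}")
```

The practical point for a defender is the asymmetry between the two rules: an incomplete request fragment is dropped, while an incomplete response fragment passes by default, so a monitoring rule that counts DNS Malformed drops will not see those responses unless 'Dos.dns.respfrag.allow' has been set to 'false'.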