Bug ID 720585: Signatures generated by Behavioral DOS algorithm can create false-positive signatures

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM, ASM(all modules)

Known Affected Versions:

Fixed In:

Opened: May 17, 2018

Severity: 3-Major


There is probability that the generated signatures will block unknown traffic (the traffic that was not presenting before the attack) even if it's not necessary from service health perspective


The signatures may block unknown traffic even if it's not necessary from S/H perspective


Run attack traffic. In parallel run unknown traffic. It should exceed the learned baseline together with the good traffic.


There is no workaround at this time.

Fix Information

Implement adaptive ratio threshold for covering current bad traffic samples. The ratio increases as long as the health is not good. If the health returns to good levels (below one) the ratio is restarted to the initial value.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips