Bug ID 720585: Signatures generated by Behavioral DOS algorithm can create false-positive signatures

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP AFM, ASM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0, 14.0.0.5, 13.1.1.2

Opened: May 17, 2018
Severity: 3-Major

Symptoms

There is a probability that the generated signatures will block unknown traffic (traffic that was not present before the attack) even when that is not necessary from a service health perspective.

Impact

The signatures may block unknown traffic even when that is not necessary from a service health (S/H) perspective.

Conditions

Run attack traffic and, in parallel, unknown traffic. Together with the good traffic, it should exceed the learned baseline.

Workaround

There is no workaround at this time.

Fix Information

An adaptive ratio threshold is implemented for covering current bad traffic samples. The ratio increases as long as the health is not good. If the health returns to good levels (below one), the ratio is reset to the initial value.
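
The control loop described above, sketched as an added example (not F5's code). It assumes the ratio is the share of current bad-traffic samples that the generated signatures must cover; the initial value, step size, candidate names and health readings are all constructed for illustration.

```python
# Added illustration, not F5 code. Constants, names and data are assumptions.
INITIAL_PCT = 20   # assumed starting coverage target (% of bad samples)
STEP_PCT = 20      # assumed increase per interval while health is not good
MAX_PCT = 100      # fixed target used to model the pre-fix behaviour


def next_ratio(current_pct, health):
    """Reset when health is good (below one), otherwise raise the target."""
    if health < 1.0:
        return INITIAL_PCT
    return min(MAX_PCT, current_pct + STEP_PCT)


def pick_signatures(candidates, target_pct):
    """Greedy pick, largest bad-sample share first, until the summed share
    of covered bad samples reaches target_pct.
    candidates: {name: % of current bad samples matched}, assumed disjoint."""
    chosen, covered = [], 0
    for name, pct in sorted(candidates.items(), key=lambda kv: -kv[1]):
        if covered >= target_pct:
            break
        chosen.append(name)
        covered += pct
    return chosen


def simulate(candidates, health_series, adaptive=True):
    """Return the signature set enforced in each measurement interval."""
    pct, history = INITIAL_PCT, []
    for health in health_series:
        pct = next_ratio(pct, health) if adaptive else MAX_PCT
        history.append(pick_signatures(candidates, pct))
    return history


# Constructed samples: one real attack pattern plus two unknown-but-benign
# traffic patterns that also appeared above the learned baseline.
CANDIDATES = {"attack_flood": 60, "unknown_client_a": 25, "unknown_client_b": 15}
HEALTH = [1.8, 1.4, 0.7, 0.6]   # constructed: health recovers in interval 3

if __name__ == "__main__":
    print("adaptive:", simulate(CANDIDATES, HEALTH))
    print("fixed   :", simulate(CANDIDATES, HEALTH, adaptive=False))
```

With the fixed target every interval enforces all three signatures, including the two that match only unknown traffic; with the adaptive target only `attack_flood` is enforced, because health recovers before the ratio climbs high enough to need the others.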

Behavior Change