Bug ID 724679: Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack

Last Modified: Mar 30, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Fixed In:
14.1.0

Opened: Jun 19, 2018

Severity: 3-Major

Symptoms

During an attack, MySQL might log IP addresses that are not part of an attack along with the IP addresses that are part of the attack.

Impact

The system might log messages related to IP addresses that are not part of the attack. These IP addresses may be ignored.

Conditions

This occurs when the system detects a BadEndpoint attack.

Workaround

None

Fix Information

The system now tracks a special state that detects which Endpoints are bad, so it ignores the IP addresses that are not part of the attack.

Behavior Change

The system now tracks a special state that detects which Endpoints are bad, so it ignores the IP addresses that are not part of the attack. DDoS reports are affected: using the default configuration, they are sent out at approximately 3-second intervals as opposed to 1-second intervals.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips