Bug ID 734645: AFM TCP Half Open vector might show mitigation when that is not happening

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP None(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.1.0

Opened: Jul 13, 2018
Severity: 3-Major

Symptoms

In AFM, it is possible that the device-level TCP Half Open vector will show int_drops when actually LTM per-vlan syncookie is mitigating the attack.

Impact

Stats could be misleading.

Conditions

When AFM is enabled and LTM per-vlan syncookie is doing HW syncookies.

Workaround

You can turn off the AFM TCP half Open vector.

Fix Information

Now, we will only show the TCP half Open stats when we are actually mitigating through TCP half Open vector.

Behavior Change

Have a question?

About F5

Education

F5 sites

Support Tasks

© F5, Inc. All rights reserved. Policies | Privacy | Trademarks