Bug ID 734645: AFM TCP Half Open vector might show mitigation when that is not happening

Last Modified: Oct 17, 2023

Affected Product(s):
BIG-IP (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.1.0

Opened: Jul 13, 2018

Severity: 3-Major

Symptoms

In AFM, the device-level TCP Half Open DoS vector can report internal drops (int_drops) even though the SYN flood is actually being mitigated by LTM per-VLAN syncookies, not by the vector itself.

Impact

The TCP Half Open vector statistics can be misleading: they suggest that the AFM vector is detecting and mitigating an attack when the mitigation is actually being performed by LTM per-VLAN hardware syncookies.

Conditions

AFM is enabled with the device-level TCP Half Open vector active, and LTM per-VLAN syncookie protection is mitigating the flood with hardware (HW) syncookies.

Workaround

Disable the AFM device-level TCP Half Open vector. This removes the misleading statistics, but also the vector's own detection and mitigation; under these conditions the LTM per-VLAN syncookie protection continues to mitigate the attack.

Fix Information

TCP Half Open vector statistics are now reported only when the attack is actually being mitigated through the TCP Half Open vector.
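
The following is an added, constructed model of the accounting problem described in the Symptoms, Conditions and Fix Information sections. It is not BIG-IP code and the names (DosVector, VlanSyncookie, handle_syn_rate, run_flood, stats_misleading) are hypothetical. It shows the two mitigation paths for a SYN flood, the buggy behaviour that charges drops to the AFM vector's int_drops counter while HW syncookies are doing the work, the fixed behaviour that charges the counter only when the vector itself mitigates, and a check that flags the inconsistent state (drops reported, vector not mitigating).

```python
# Constructed model of Bug ID 734645 stats attribution (hypothetical, not BIG-IP code).
from dataclasses import dataclass


@dataclass
class DosVector:
    """AFM device-level TCP Half Open DoS vector (hypothetical model)."""
    enabled: bool = True
    mitigation_threshold_pps: int = 1000   # rate above which the vector drops SYNs
    int_drops: int = 0                      # the counter the bug over-reports
    mitigating: bool = False                # True only while the vector drops


@dataclass
class VlanSyncookie:
    """LTM per-VLAN hardware syncookie protection (hypothetical model)."""
    hw_enabled: bool = True
    cookies_sent: int = 0


def handle_syn_rate(syn_pps: int, vector: DosVector, syncookie: VlanSyncookie,
                    fixed: bool) -> int:
    """Account one second of SYN flood at syn_pps packets per second.

    Returns the number of SYNs the AFM vector itself dropped this second.
    With per-VLAN HW syncookies active every SYN is answered with a cookie,
    so no half-open entry is created and the vector has nothing to mitigate.
    Without them, the vector drops everything above its threshold.
    """
    vector.mitigating = False
    if syncookie.hw_enabled:
        syncookie.cookies_sent += syn_pps
        # Bug: the excess is still charged to the vector's int_drops even
        # though the vector mitigated nothing.
        if not fixed and vector.enabled:
            vector.int_drops += max(0, syn_pps - vector.mitigation_threshold_pps)
        return 0
    if vector.enabled and syn_pps > vector.mitigation_threshold_pps:
        vector_drops = syn_pps - vector.mitigation_threshold_pps
        vector.int_drops += vector_drops
        vector.mitigating = True
        return vector_drops
    return 0


def stats_misleading(vector: DosVector) -> bool:
    """The symptom: drops charged to the vector while it is not mitigating."""
    return vector.int_drops > 0 and not vector.mitigating


def run_flood(fixed: bool, hw_syncookies: bool, seconds: int = 5,
              syn_pps: int = 5000) -> tuple:
    """Drive the model; return (vector int_drops, HW cookies sent, misleading?)."""
    vector = DosVector()
    syncookie = VlanSyncookie(hw_enabled=hw_syncookies)
    for _ in range(seconds):  # constructed flood: syn_pps for `seconds` seconds
        handle_syn_rate(syn_pps, vector, syncookie, fixed)
    return vector.int_drops, syncookie.cookies_sent, stats_misleading(vector)


if __name__ == "__main__":
    for fixed in (False, True):
        drops, cookies, misleading = run_flood(fixed=fixed, hw_syncookies=True)
        print(f"fixed={fixed}: vector int_drops={drops} "
              f"hw_cookies={cookies} misleading={misleading}")
```

In the buggy run the vector's int_drops climbs while every SYN was actually handled by the per-VLAN HW syncookie path, which is exactly the state an operator would misread as AFM mitigating; the check in stats_misleading flags it. After the fix the counter stays at zero unless the vector itself is the component dropping SYNs.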

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips