Bug ID 743464: DoSL7 attack is not detected when using multiple profiles with Behavioral Detection

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Sep 10, 2018
Severity: 3-Major

Symptoms

Setting up multiple DoS Application Profiles on the same Virtual Server via either iRules or LTM Policies causes DoSL7 attacks to not be detected or mitigated, if one of the profiles has Behavioral Detection enabled.

Impact

DoSL7 attacks are not detected and not mitigated, with no indication that they are not.

Conditions

-- Multiple DoS profiles are configured on a single Virtual Server, either using the iRule DOSL7::enable command, or LTM Policies controlling the DoS profile. -- One of the DoS profiles on the Virtual Server has Behavioral Detection enabled, even if the Stress-Based Operation Mode is set to Off.

Workaround

Disable Behavioral Detection on all of the DoS profiles that are directly or indirectly associated with the Virtual Server. If Stress-Based Operation Mode is set to Off, then you might need to temporarily set Stress-Based to Transparent, disable the Behavioral checkboxes, and then set Stress-Based Operation mode back to Off.

Fix Information

None

Behavior Change