Bug ID 748176: BDoS Signature can wrongly match a DNS packet

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1

Fixed In:
15.0.0, 14.1.0.2

Opened: Oct 29, 2018
Severity: 3-Major

Symptoms

When using BDoS feature for DNS protocol, and when there are auto-generated DNS Signatures or if Custom DNS signatures are configured manually, it is found that at times, a valid DNS request is dropped because it wrongly matches the configured/dynamically generated DNS Signature when the box is under load, and BDoS mitigation is ongoing.

Impact

When box is under load, the configured DNS signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.

Conditions

Configured DNS Signature (Or) there exists a Dynamically generated DNS Signature. Such a DNS signature is found to match a DNS packet wrongly, even though the signature match criteria is different from the matched DNS packet.

Workaround

Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.

Fix Information

The parsed DNS information is cached and re-used wrongly as a performance optimization, which is corrected.

Behavior Change