Bug ID 748176: BDoS Signature can wrongly match a DNS packet

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:,,,, 14.0.1,

Fixed In:

Opened: Oct 29, 2018

Severity: 3-Major


When using BDoS feature for DNS protocol, and when there are auto-generated DNS Signatures or if Custom DNS signatures are configured manually, it is found that at times, a valid DNS request is dropped because it wrongly matches the configured/dynamically generated DNS Signature when the box is under load, and BDoS mitigation is ongoing.


When box is under load, the configured DNS signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.


Configured DNS Signature (Or) there exists a Dynamically generated DNS Signature. Such a DNS signature is found to match a DNS packet wrongly, even though the signature match criteria is different from the matched DNS packet.


Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.

Fix Information

The parsed DNS information is cached and re-used wrongly as a performance optimization, which is corrected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips