Bug ID 755721: A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6

Fixed In:
15.0.0, 14.1.2.7

Opened: Jan 16, 2019

Severity: 3-Major

Symptoms

A UDP DNS packet may incorrectly match a BDoS signature if the packet was queued by the ingress shaper. In the worst case, this incorrect signature match might cause the packet to be dropped.

Impact

When a queued packet is later picked up for further processing, it may incorrectly match a BDoS signature that it would not have matched had it not been queued. As a result, a UDP DNS packet might be incorrectly dropped by the BIG-IP system.

Conditions

AFM is enabled and receives multiple (back-to-back-to-back) UDP DNS packets, which, because of the ingress shaper, might cause some of the packets to be queued in the same data path thread.

Workaround

None.

Fix Information

UDP DNS packets never match an incorrect BDoS signature, even if such packets are queued by the ingress shaper.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips