Bug ID 781069: Bot Defense challenge blocks requests with long Referer headers

Last Modified: Sep 11, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 15.0.0, 15.0.1

Fixed In:
13.1.3

Opened: May 09, 2019
Severity: 3-Major

Symptoms

The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long. This client may get blocked by TCP RST, or suffer from a challenge loop.

Impact

Legitimate browsers may get blocked or suffer from a challenge loop

Conditions

-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured -- Request has a Referer header that is between ~1400 and 3072 characters long

Workaround

Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.

Fix Information

Challenges with long Referer headers no longer block legitimate clients.

Behavior Change