Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some sites

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Fixed In:
16.1.0, 15.1.3, 14.1.4

Opened: Jul 01, 2020

Severity: 3-Major

Symptoms

False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.

Impact

False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.

Conditions

This can occur for some requests that have high latency and low TPS.

Workaround

Modify the default sensitivity value from 50 to 500: tmsh modify sys db adm.health.sensitivity value 500 For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number. The results is that the attack is declared later than for the default value, but it is declared and the site is protected.

Fix Information

Default sensitivity value 500 now illuminates false positive DoS attacks declaration.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips