Bug ID 926425: Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Last Modified: Apr 26, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,, 16.1.4,,,, 17.0.0,,, 17.1.0,,,, 17.1.1,,,

Fixed In:

Opened: Jul 13, 2020

Severity: 4-Minor


Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.


This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate. Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.


SYN Cookie activated on Neuron-capable platforms: + VIPRION B4450N blade + BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800: -- BIG-IP i5800 Series -- BIG-IP i7800 Series -- BIG-IP i11800 Series -- BIG-IP i15800 Series


You can use any of the following to clear the HSB issue: -- Restart neurond. -- Restart TMM, -- Reboot the device.

Fix Information

Now, BIG-IP systems differentiate virtual servers regardless of whether they are using the same destination in the same or a different route domain.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips