BugZero | F5 BugID 430667 - dos_attack_tps and detection

F5 - Defect ID: 430667

dos_attack_tps and detection_average field value change

F5 - Defect ID: 430667

dos_attack_tps and detection_average field value change

Last updated on 5/29/2024

Overall: 7.57.5

Severity: 7.37.3

Community: 4.14.1

Lifecycle: 7.97.9

What is the BugZero Risk Score?

Vendor details

Priority: 3-Major
Status: Verified
Impact Category: Application Security Manager

Overall: 7.57.5

Severity: 7.37.3

Community: 4.14.1

Lifecycle: 7.97.9

What is the BugZero Risk Score?

Vendor details

Priority: 3-Major
Status: Verified
Impact Category: Application Security Manager

Symptoms

In versions prior to 11.5.0, the dos_attack_tps / detection_average log output indicates the average TPS at the time the attack was detected, not the average TPS of the DOS attack.

Impact

The field doesn't fully describe what is happening during the DoS attack

Conditions

Using Splunk or Arcsight for DoS attack visibility

Workaround

None

Fix Information

Remote Logging of DoS events: We changed the meaning of the "dos_attack_tps" field (in Splunk), and the "detection_average" field (in ArcSight) from being the average TPS when an attack was detected to the average incoming TPS during a DoS attack (the 60-second average TPS of each IP or URL).

Original Vendor Announcement

No bugs this month

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

F5 - Defect ID: 430667

dos_attack_tps and detection_average field value change

F5 - Defect ID: 430667

dos_attack_tps and detection_average field value change

Last updated on 5/29/2024

Vendor details

Vendor details

Description

Symptoms

Impact

Conditions

Workaround

Fix Information

Links

Top F5 defects by risk score

Ready to prevent the next vendor outage?