Forum Discussion
Chris_18457
Cirrus
Jun 10, 2016
LTM DNS root reachout on mgmt, disable?
Our security group noted that our LTMs (2000s; v12.0HF1) are sending DNS queries out their mgmt interface that are being blocked by our access controls for that network. It should be noted the envir...
AaronJB
Ret. Employee
Jun 13, 2016
This sounds like you are running into bug ID 567293; the recursive query to the root hints is a dead giveaway. If your firewalling responds with a Port Unreachable, it triggers a tight loop that will eventually lead to resource exhaustion - see https://support.f5.com/kb/en-us/solutions/public/k/61/sol61521270.html
Fixed in 12.0 HF3 and onward.
- Chris_18457
Cirrus
Jun 13, 2016
Thanks for the link to the bug. I have reviewed what they observed in the bug, and I don't see the "...out of memory..." logs in /var/log/kern.log. However, I will note that we upgraded our lab 2000s and 10250V clusters to 12.1 (as part of our recurring upgrade cycle) and noticed that we no longer see the reachouts on the mgmt interface. So the end result looks to be the same...upgrade (maybe patch with hot fix). Thanks!