Protecting the F5 BIG-IP AFM system with AFM Protocol Inspection System Checks

Hi there, Arvin here from the F5 SIRT. In this article, we look at F5 BIG-IP AFM Protocol Inspection System Checks and the protection they provide to the BIG-IP AFM system.

F5 BIG-IP AFM Protocol Inspection System Checks are included in signature updates, are updated continuously, and trigger the configured Action should a matching condition occur in the system or in the traffic being processed. These System Checks help ensure the availability of the BIG-IP AFM system by preventing traffic that could otherwise consume excessive resources.

AFM Protocol Inspection System Checks

AFM Protocol Inspection System Checks can be found under the Protocol Inspection profile configuration:

Security ›› Protocol Security : Inspection Profiles ›› <Protocol Inspection Profile>

As of this writing, there are 5 system checks:

| ID  | Description                                      | Documentation                                                                                                                    |
|-----|--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
| 300 | Max signature engine per-flow memory allocation  | This system check is raised when the signature engine allocates more than the specified memory (in bytes) for a single flow.     |
| 301 | Max signature engine chunk allocated             | This system check is raised when the signature engine requests to allocate more than the specified memory chunk size (in bytes). |
| 302 | Max signature hyperscan match count              | This system check is raised when hyperscan produces more than the specified number of per-flow matches.                          |
| 303 | Max inspection match count                       | This system check is raised when a single flow produces more than a specified number of compliance matches.                      |
| 304 | Max hyperscan each id match count                | This system check limits each hyperscan ID match count per flow.                                                                 |

The Description and Documentation of each System Check ID give an idea of the type of traffic the check matches and the condition it protects against.

Sample Inspection Logs for AFM Protocol Inspection System Checks

ID 300 - Max signature engine per-flow memory allocation

ID 302 and ID 303, Max signature hyperscan match count and Max inspection match count, respectively

What is this Hyperscan?

In K00322533: Overview of BIG-IP AFM Protocol Inspection custom signatures, it is briefly described as a "regular expression library".

In "Manual Chapter: Acknowledgments and Open Source Notices", it notes for AFM: "This product includes libhs (lib HyperScan), developed by Intel / LibHyperScan and distributed by the BSD 3-Clause."

Quoting from https://www.intel.com/content/www/us/en/developer/articles/technical/introduction-to-hyperscan.html:

Hyperscan is a high-performance regular expression matching library from Intel that runs on x86 platforms and offers support for Perl Compatible Regular Expressions (PCRE) syntax, simultaneous matching of groups of regular expressions, and streaming operations. It is released as open source software under a BSD license. Hyperscan presents a flexible C API and a number of different modes of operation to ensure its applicability in real networking scenarios. 

AFM Protocol Inspection Signature Updates

AFM Protocol Inspection Signature Updates are regularly released on MyF5 downloads for the supported BIG-IP software versions. Each update also includes a PDF release note.

Example - For BIG-IP 16.1:

Package Name = IM-2024-2-22

Note: IM package pi_updates_16.1.0-20230322.0546.im is mandatory to install to avoid the error "ERROR: IM package is too big to install and the allowed max size is 20MB".

PDF release note:

As noted, the specified IM update file must be installed before a later or the latest IM update file can be applied. This mandatory IM file is also available on MyF5 downloads.

BIG-IP AFM Protocol Inspection System Check ID 304 - mitigation for K000137595: BIG-IP AFM signature matching vulnerability CVE-2024-21771

F5 recently disclosed K000137595: BIG-IP AFM signature matching vulnerability CVE-2024-21771, in which a vulnerability in AFM signature matching through the Protocol Inspection profile may cause the TMM process to crash.

https://my.f5.com/manage/s/article/K000137595

AFM Protocol Inspection System Check ID 304 was added in the Protocol Inspection IM file updates to provide mitigation for this condition.

What makes System Check ID 304 special is that the Max Hyperscan Each ID Match Count (ID 304) system check provides mitigation regardless of its configured Action setting.

The Action setting of the other system checks can be configured per your needs.

The Protocol Inspection IM file updates also include improvements that make signature matching more efficient; however, should a specific signature hit the condition of System Check ID 304, the check provides mitigation by dropping the matched traffic.
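The match-count checks in the table above (ID 302 counting all signature-engine matches in a flow, ID 304 counting matches per signature ID) and the behaviour described in this section can be modelled in a few lines. The code below is an added illustration, not F5 code: the signature IDs, patterns, thresholds and action values are constructed assumptions, and real AFM thresholds and actions come from the Protocol Inspection profile and the IM update.

```python
import re
from collections import defaultdict

# Constructed model for illustration; signature IDs, patterns, thresholds and
# the action values are assumptions, not contents of an F5 IM update.
SIGNATURES = {
    1001: re.compile(rb"GET /cgi-bin/"),
    1002: re.compile(rb"AAAA"),
}

# ID 302 counts all signature-engine matches in a flow and honours its
# configured Action; ID 304 counts matches per signature ID and, as the
# article states, mitigates by dropping regardless of its Action setting.
CHECKS = {
    302: {"limit": 4, "action": "accept"},
    304: {"limit": 3, "action": "accept"},
}

class FlowState:
    """Per-flow counters, reset for every new connection."""
    def __init__(self):
        self.total = 0
        self.per_id = defaultdict(int)
        self.raised = []  # system check IDs raised for this flow, in order

    def record(self, sig_id):
        """Count one match of sig_id and return the verdict: accept or drop."""
        self.total += 1
        self.per_id[sig_id] += 1
        verdict = "accept"
        if self.total > CHECKS[302]["limit"]:
            if 302 not in self.raised:
                self.raised.append(302)
            verdict = CHECKS[302]["action"]
        if self.per_id[sig_id] > CHECKS[304]["limit"]:
            if 304 not in self.raised:
                self.raised.append(304)
            verdict = "drop"  # configured action is ignored for ID 304
        return verdict

def inspect_flow(chunks):
    """Scan payload chunks of one flow in order; stop at the first drop."""
    flow = FlowState()
    for chunk in chunks:
        for sig_id, pattern in SIGNATURES.items():
            for _ in pattern.finditer(chunk):
                if flow.record(sig_id) == "drop":
                    return "drop", flow
    return "accept", flow

if __name__ == "__main__":
    # constructed sample flows
    print(inspect_flow([b"GET /index.html"])[0])  # accept, nothing raised
    print(inspect_flow([b"AAAA" * 4])[0])          # drop, ID 304 raised
```

Because ID 304 is evaluated per signature ID, a single signature repeatedly matching one flow is dropped even when ID 302 (total matches) has not yet been exceeded and ID 304's own action is set to accept.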

Conclusion

BIG-IP AFM Protocol Inspection System Checks and the included signatures are updated regularly through the Protocol Inspection IM update files available on MyF5 downloads. These IM update files also include improvements for efficient processing of matched traffic and protections through the system checks, and help ensure the availability of the BIG-IP AFM system. Update them regularly as part of your BIG-IP AFM Protocol Inspection hardening process. For more information, refer to K17341610: Updating the BIG-IP AFM protocol inspection signatures using the Configuration utility.

For BIG-IP software, run the latest BIG-IP versions; in particular, plan to upgrade to the latest BIG-IP 16.1 and 17.1 versions to ensure longer software support and to receive security and product software fixes. Do note that BIG-IP version 15.1 will reach its End of Software Development (EoSD) and End of Technical Support (EoTS) on December 31, 2024. For more information on this, refer to K5903: BIG-IP software support policy.

Reference links:

https://my.f5.com/manage/s/article/K17341610

https://my.f5.com/manage/s/article/K5903

Thanks for reading and I hope you find this helpful and educational.

The F5 SIRT creates security-related content posted here in DevCentral, sharing the team's security mindset and knowledge.

Updated Mar 13, 2024
Version 3.0