BIG-IP ASM Bot Detection DNS cache does not expire security exposure

2019-11-27T02:37:00
ID F5:K79240502
Type f5
Reporter f5
Modified 2020-02-04T01:18:00

Description

F5 Product Development has assigned ID 761231 to this issue. F5 has confirmed that this issue exists in the products listed in the Applies to (see versions) box, located in the upper-right corner of this article. For information about releases, point releases, or hotfixes that resolve this issue, refer to the following table.

Type of fix | Fixes introduced in | Related articles
---|---|---
Release | 13.1.3, 12.1.5 | K2200: Most recent versions of F5 software
Point release/hotfix | 15.0.1.1, 14.1.0.6, 14.0.0.5 | K9502: BIG-IP hotfix and point release matrix

Mitigation

On fixed versions, cached DNS responses expire, so a malicious actor would need to continually inject invalid responses to maintain the disruption. The default expiry time on all fixed versions is 300 seconds. Prior to BIG-IP 15.1.0, the expiry time is fixed and cannot be modified.

F5 recommends, as a best practice, that you use a trusted DNS server for lookups (for example, one hosted within your own secure infrastructure) and that you send queries only across a trusted, controlled network. Following this practice effectively mitigates the risk of a bad actor injecting malicious DNS responses between the BIG-IP ASM system and the configured DNS server.

In BIG-IP 15.1.0 and later, you can adjust the cache expiry time by modifying the value of the botdefense.dns_cache_expiry_sec system database variable.
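The following simulation is an added illustration of the behaviour described in the Mitigation section (the unfixed cache never expiring versus the fixed 300-second default, and the attacker having to keep re-injecting); it is not F5 code and does not model the BIG-IP implementation. The resolver cache, the fake clock, the hostname, the addresses and the probe times are all constructed for the example, and expiry_sec stands in for botdefense.dns_cache_expiry_sec.

```python
"""Why a DNS cache that never expires turns one spoofed answer into a lasting outage.

Added illustration for K79240502 (not F5 code). A tiny resolver cache driven by
a fake clock: expiry_sec=None models the unfixed behaviour (entries never
expire), expiry_sec=300 models the fixed default. All data is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Tuple

GOOD = "203.0.113.10"          # constructed: legitimate answer from the trusted resolver
BAD = "198.51.100.66"          # constructed: attacker's spoofed answer
NAME = "crawler.example.net"   # constructed hostname being verified
PROBES = (60, 299, 301, 3600)  # constructed: seconds after injection at which lookups happen


@dataclass
class DnsCache:
    resolve: Callable[[str], str]      # upstream lookup (assumed trusted)
    expiry_sec: Optional[int] = 300    # None = never expire (pre-fix behaviour)
    now: float = 0.0                   # fake clock, advanced by tick()
    _entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def lookup(self, name: str) -> str:
        """Return the cached answer while it is fresh, otherwise re-resolve upstream."""
        hit = self._entries.get(name)
        if hit is not None:
            answer, stored_at = hit
            if self.expiry_sec is None or self.now - stored_at < self.expiry_sec:
                return answer
        answer = self.resolve(name)
        self._entries[name] = (answer, self.now)
        return answer

    def inject(self, name: str, answer: str) -> None:
        """Models an on-path attacker's spoofed response landing in the cache."""
        self._entries[name] = (answer, self.now)

    def tick(self, seconds: float) -> None:
        self.now += seconds


def simulate(expiry_sec: Optional[int], reinject_at: Iterable[int] = ()) -> Dict[int, str]:
    """Inject BAD at t=0 (and again at each time in reinject_at); return what each probe sees."""
    reinject_at = set(reinject_at)
    cache = DnsCache(resolve=lambda _name: GOOD, expiry_sec=expiry_sec)
    cache.inject(NAME, BAD)
    seen: Dict[int, str] = {}
    for t in sorted(set(PROBES) | reinject_at):
        cache.tick(t - cache.now)
        if t in reinject_at:
            cache.inject(NAME, BAD)
        if t in PROBES:
            seen[t] = cache.lookup(NAME)
    return seen


if __name__ == "__main__":
    print("no expiry (unfixed):     ", simulate(None))
    print("300 s expiry (fixed):    ", simulate(300))
    print("300 s expiry, re-injected:", simulate(300, reinject_at=(250, 550)))
```

With no expiry a single spoofed answer poisons every later lookup; with the 300-second default the entry is re-resolved once it ages out, so the attacker only keeps the bad answer in place by re-injecting it before each expiry, which is exactly the "continually inject" condition the advisory describes.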

Impact of action: Performing the following procedure should not have a negative impact on your system.

To modify the system database variable value, perform the following procedure:

  1. Log in to the TMOS Shell (tmsh) by entering the following command:

tmsh

  2. To set the expiry value for the system database variable, use the following command syntax:

modify /sys db botdefense.dns_cache_expiry_sec value { <seconds> }

In this command, note the following:

* **<seconds>** is the numeric expiry timeout value, in seconds