Forum Discussion

ChrisMaKi_15830's avatar
ChrisMaKi_15830
Icon for Nimbostratus rankNimbostratus
Mar 06, 2013

hundreds of modified asm cookie violations after software upgrade

We've upgraded our BigIP from 9.4.3 to 11.1.0 Build 2268.0 Hotfix HF5. This is the latest software version which is supported by our appliance.

 

 

Since that time the number of modified asm cookie violations raised extremely. Every week we have hundreds of new violations. Before the upgrade, we had less than 10 asm cookie violations in a week.

 

 

Most of these requests are from the googlebot. e. g.

 

 

From: googlebot(at)googlebot.com

 

User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

 

X-Forwarded-For: 66.249.78.89

 

 

But there are a lot of other requests which look like valid requests being sent from a web browser.

 

 

I don't think that this is an attack against our website, because those violations occured right after our BigIP software upgrade. So I assume this is a problem with the new software version. However I don't want to disable the modified asm cookie violation. Is this a known problem and can it be solved?

 

 

I'd be glad about help. Thanks in advance.

 

APM
app sec
security

5 Replies

Sort By
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Mar 06, 2013
    Chris,

     

     

    Could this be the cause? See http://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-1-0.html

     

     

    "Important: The system creates its internal TS cookie in versions 10.2.4 and later (including all versions of 11.x) differently than in versions prior to 10.2.4. As a result, while upgrading your system from a version prior to 10.2.4 to version 10.2.4 or later, the system will produce the Modified ASM Cookie violation for existing browser sessions. If the security policy has the Modified ASM Cookie violation enabled and set to block traffic when this violation occurs, after upgrading to version 10.2.4 or later, the system will block traffic to the web application. However, since the TS cookie is a session cookie, the system will block traffic only until the browser session ends (the end-user restarts the browser). To prevent the security policy from blocking traffic until the end-user’s browser is restarted, before upgrading to version 10.2.4 or later, we recommend you disable the security policy from blocking the Modified ASM Cookie violation, upgrade, and wait long enough to allow all users to restart their browsers (two weeks are expected to be enough). After enabling the violation, we recommend you monitor the logs. If the Modified ASM Cookie violation appears, consider disabling the violation again for a longer period of time, or communicate to the users to restart their browsers."

     

     

    Rgds

     

    N
  • ChrisMaKi_15830's avatar
    ChrisMaKi_15830
    Icon for Nimbostratus rankNimbostratus
    Mar 12, 2013
    Nathan, thanks for pointing this out.

     

     

    Even 6 weeks after the BigIP upgrade we still have these violations in the logs. I will disable the violation temporarily. I hope that helps.
  • Mike_Maher's avatar
    Mike_Maher
    Icon for Nimbostratus rankNimbostratus
    Mar 12, 2013
    Are all your devices upgrades to 11.1 or do you still have some running 9.x code?
  • Mike_Maher's avatar
    Mike_Maher
    Icon for Nimbostratus rankNimbostratus
    Mar 12, 2013
    If so how do you have your ASM configured, are they standalone or setup in an active standby configuration?
  • Anthony's avatar
    Anthony
    Icon for Nimbostratus rankNimbostratus
    Mar 13, 2013

    Just to confirm that you're not alone with this issue. I also have this problem since upgrading from 10.2.4 to v11 some time ago, so there is no session based cookies remaining, certainly not in the quantity that I'm seeing this violation occur in.

     

    My LTM/ASM is configured in a Active/Standby HA pair.

     

     

    Hopefully we will be able to resolve this issue soon.