CPNI - Centre for the Protection of National Infrastructure
December 2005

Juniper Networks Security Advisory (CERT/CC VU#102014)

ID: 01097
Ref: 1029/2005
Date: 14 December 2005 16:15:04
Version: 1

Title: Juniper Networks Security Advisory (CERT/CC VU#102014)
Abstract: Optimistic TCP acknowledgements can cause denial of service
Vendors affected: Juniper

Bulletin PSN-2005-12-004

Title: Optimistic TCP acknowledgements can cause denial of service
(CERT/CC VU#102014)

Products Affected: All Juniper Networks products, including
E/M/T/J-series, IVE OS and ScreenOS.

Platforms Affected:
  E-series
  J-series
  M-series
  T-series
  NetScreen Firewall/VPN
  NetScreen IDP
  NetScreen NSM/GPRO
  NetScreen SSL VPN

Revision Number: 3
Issue Date: 2005-12-08

----------------------------------------------------------------------

PSN Issue:
The Transmission Control Protocol (TCP) is described in RFC 793 as a
means to provide reliable host-to-host transmission between hosts in a
packet-switched computer network. Numerous Internet protocols such as
HTTP, SMTP, and FTP rely on TCP as their underlying transport
protocol. Several different TCP congestion control mechanisms are
specified in RFC 2581.

In the course of normal operation a TCP client acknowledges (ACKs) the
receipt of packets sent to it by the server. A TCP sender varies its
transmission rate based on receiving ACKs of the packets it sends. An
optimistic ACK is an ACK sent by a client for a data segment that it
has not yet received. The vulnerability lies in a client's ability to
craft optimistic ACKs timed so that they correspond to legitimate
packets the sender has already injected into the network (often
referred to as "in-flight" packets). As a result, the sender believes
that the transfer is progressing better than it actually is and may
increase the rate at which it sends packets. An important side effect
of this condition is the amplification factor it introduces: an
attacker exploiting this vulnerability can potentially cause victims
to transmit much more data than the bandwidth available to the
attacker.
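The following is an added illustration, not part of the Juniper bulletin: a sender-side model of in-flight data with a plausibility check on incoming ACKs. It assumes the sender knows a minimum physical round-trip time (min_rtt) for the path, and it shows the two cases a sender can reject (ACKs for bytes it never sent, and ACKs that arrive before the data could have completed a round trip) as well as why an optimistic ACK for in-flight data timed to arrive after min_rtt is indistinguishable from a genuine one.

```python
from dataclasses import dataclass, field

@dataclass
class AckMonitor:
    """Sender-side record of in-flight data plus a plausibility test for ACKs.
    min_rtt is the smallest round trip the path could physically deliver
    (assumed known, e.g. a measured floor); retransmissions are not modelled."""
    min_rtt: float
    snd_nxt: int = 0
    in_flight: list = field(default_factory=list)  # (last_byte, sent_at) pairs

    def send(self, length: int, now: float) -> None:
        self.snd_nxt += length
        self.in_flight.append((self.snd_nxt, now))

    def ack(self, ack_no: int, now: float) -> str:
        """'invalid': ACKs bytes never sent (RFC 793: such an ACK is dropped).
        'early': ACKs in-flight data sooner than min_rtt allows, so the
                 receiver cannot have seen it yet (an optimistic ACK).
        'ok': consistent with a real round trip. An optimistic ACK timed to
              arrive after min_rtt lands here too, which is why the behaviour
              cannot be ruled out within the RFCs."""
        if ack_no > self.snd_nxt:
            return "invalid"
        verdict = "ok"
        remaining = []
        for last_byte, sent_at in self.in_flight:
            if last_byte <= ack_no:
                if now - sent_at < self.min_rtt:
                    verdict = "early"
            else:
                remaining.append((last_byte, sent_at))
        self.in_flight = remaining
        return verdict

def classify_trace(min_rtt: float, events) -> list:
    """Replay ('send', length, t) / ('ack', ack_no, t) events; one verdict per ACK."""
    mon = AckMonitor(min_rtt)
    verdicts = []
    for kind, value, t in events:
        if kind == "send":
            mon.send(value, t)
        else:
            verdicts.append(mon.ack(value, t))
    return verdicts

# Constructed traces (not captured traffic): 100 ms minimum RTT, 1460-byte segments.
HONEST = [("send", 1460, 0.00), ("send", 1460, 0.00),
          ("ack", 1460, 0.10), ("ack", 2920, 0.11)]
OPTIMISTIC = [("send", 1460, 0.00), ("send", 1460, 0.05),
              ("ack", 2920, 0.08),   # acknowledges data sent only 30 ms earlier
              ("ack", 9000, 0.09)]   # acknowledges data never sent
```

Running `classify_trace(0.1, HONEST)` yields `['ok', 'ok']` and `classify_trace(0.1, OPTIMISTIC)` yields `['early', 'invalid']`; an optimistic ACK delayed until just after min_rtt would be reported as `ok`, which is the gap the advisory describes.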

----------------------------------------------------------------------

Solution:
The Juniper Networks Security Incident Response Team (SIRT) has
assessed the vulnerability described in this advisory as a very low
risk to any Juniper routing or firewall product, because of the low
data volume of the TCP applications currently running on these
platforms. Even a BGP peering session that exchanges a lot of routing
updates won't carry the kind of data volume that could cause a
significant DoS attack.

While Juniper Networks has been looking at ways to address the
problem, we are not aware of any practical means of eliminating the
behavior described in the alert within the framework of existing RFCs.
For these reasons, we do not have any current plans to develop any
corrective code for our products to mitigate or eliminate this
vulnerability.

Solution Implementation: None.

Status: FINAL RELEASE

Disclaimer:
Juniper Networks is providing this notice on an "AS IS" basis. No
warranty or guarantee of any kind is expressed in this notice and none
should be implied. Juniper Networks expressly excludes and disclaims
any warranties regarding this notice or materials referred to in this
notice, including, without limitation, any implied warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of noninfringement. Your use or reliance on this notice or
materials referred to in this notice is at your own risk. Juniper
Networks may change this notice at any time.

----------------------------------------------------------------------

Related Links:
Vulnerability Note VU#102014: Optimistic TCP acknowledgements can
cause denial of service

Audience: For Public Distribution

Alert Type: Product Support Notification

Risk Level: Low

Risk Assessment: In Juniper products, the volume of TCP traffic is
not sufficient to cause problems, even if a user was able to exploit
this vulnerability. We are not aware of any practical means of
eliminating the behavior described in the alert within the
definitions of existing RFCs.

Created Date: 2005-12-05 16:48:18.0

Last Modified Date: 2005-12-08 12:08:45.0

----------------------------------------------------------------------

Copyright (c) 1998-2005, Juniper Networks, Inc. All Rights Reserved