Security Advisory - Certain packet sequences can cause router interfaces to permanently block packet processing (CERT Advisory CA-2003-15)

Article ID: JSA10314 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 3.0
Legacy Advisory Id:
PSN-2003-07-002
Product Affected:
None
Problem:
It was recently discovered that a handcrafted sequence of IPv4 packets could be used to launch a denial-of-service (DoS) attack against certain routers and other packet-forwarding devices in the Internet. This vulnerability takes advantage of a software bug that improperly manages input packet buffers and is described in more detail at the URL below.
Solution:
This vulnerability affects products of a single vendor other than Juniper Networks. The packet buffer management scheme used in Juniper Networks products is not susceptible to this vulnerability.
Implementation:
No solution is required to protect Juniper Networks routers.

The JUNOS Internet Software includes a firewall filter capability that can be deployed to protect a network from exposure to this vulnerability. Configure the following firewall filter on an M-series or T-series router, and apply it as an input filter on the router's edge-facing interfaces to block all incoming packets that can be used to take advantage of this vulnerability.
[edit]
user@router# show firewall filter protect
term block-bad-protos {
      from {
            protocol [53 55 77 103];
      }
      then discard;
}
term permit-others {
      then accept;
}

[edit]
# set interface  unit  family inet filter input protect

[edit]
#
If you already have a firewall filter assigned to the edge-facing interfaces, simply insert the first term from the above example at the beginning of the existing firewall filter.

On Juniper Networks E-series routers running JUNOSe software, configure the following filtering policy and apply it to edge-facing interfaces. In this filtering policy you use a classifier list to identify the affected protocols, define a policy referencing the classifier list, and finally apply the policy to the appropriate interfaces:
1400# config t
1400(config)#classifier-list protect-network 53 any any
1400(config)#classifier-list protect-network 55 any any
1400(config)#classifier-list protect-network 77 any any
1400(config)#classifier-list protect-network 103 any any
1400(config)#policy-list protect-network
1400(config-policy-list)#filter classifier-group protect-network
1400(config-policy-list)#exit
1400(config)#interface gig 4/0
1400(config-if)#ip policy input protect-network statistics enabled
1400(config-if)#end
1400#
Note that these filters block all packets for protocols 53 (SWIPE), 55 (IP Mobility), 77 (SUN ND), and 103 (PIM). While the first three protocols are rarely found in the Internet, PIM (Protocol Independent Multicast) is commonly used in multicast-enabled networks. If your network uses PIM, you must create a more complex filter to selectively block unwanted PIM packets.
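As an added illustration that is not part of this advisory or of Juniper's own code, the following Python models how the filter above is evaluated: terms are checked in order and the first match decides, so inserting block-bad-protos at the head of an existing filter (as described above) discards the four protocols before any later term sees them. The IPv4 header parser, the packet builder and the sample packets are constructed for this example, and the trailing implicit discard models the default JUNOS behaviour when no term matches.

```python
import struct
from typing import Iterable, List, Optional, Set, Tuple

# IP protocol numbers discarded by the advisory's filter:
# 53 (SWIPE), 55 (IP Mobility), 77 (SUN ND), 103 (PIM)
BLOCKED_PROTOCOLS: Set[int] = {53, 55, 77, 103}

# A filter is an ordered list of terms: (name, match set or None, action).
# None as the match set means "match everything", like permit-others.
Term = Tuple[str, Optional[Set[int]], str]
PROTECT_FILTER: List[Term] = [
    ("block-bad-protos", BLOCKED_PROTOCOLS, "discard"),
    ("permit-others", None, "accept"),
]


def ipv4_protocol(packet: bytes) -> int:
    """Return the Protocol field (byte 9) of an IPv4 header, validating
    version and header length so truncated or non-IPv4 input is rejected."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return packet[9]


def apply_filter(terms: Iterable[Term], packet: bytes) -> Tuple[str, str]:
    """Evaluate terms in order; the first matching term decides.
    If nothing matches, JUNOS discards the packet (modelled as '(implicit)')."""
    proto = ipv4_protocol(packet)
    for name, match, action in terms:
        if match is None or proto in match:
            return name, action
    return "(implicit)", "discard"


def prepend_block_term(existing: Iterable[Term]) -> List[Term]:
    """Insert block-bad-protos ahead of an operator's existing terms."""
    return [PROTECT_FILTER[0]] + list(existing)


def make_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal constructed IPv4 packet (checksum left zero; sample
    addresses from the documentation range 192.0.2.0/24)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload
```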
Severity Level:
None
Severity Assessment:
Juniper Networks products use a different, proprietary packet buffer management scheme and are not susceptible to this vulnerability.
