
JUNOS and JUNOSe filtering examples for CERT Advisory CA-2003-15
(Certain packet sequences can cause router interfaces to permanently block packet processing)


Article ID: JSA10315 | Security Advisories | Last Updated: 09 May 2013 | Version: 1.0
Legacy Advisory Id:
PSN-2003-07-003
Product Affected:
No products affected.
Problem:
It was recently discovered that a handcrafted sequence of IPv4 packets could be used to launch a denial-of-service (DoS) attack against certain routers and other packet-forwarding devices in the Internet. Juniper Networks products are not susceptible to this vulnerability.
Solution:
No solution is required to protect Juniper Network routers.

However, the JUNOS Internet Software (on the M-series and T-series routers) and JUNOSe software (running on E-series routers) include firewall filter capabilities that can be deployed to protect a network from exposure to this vulnerability.
Implementation:
Configure the following firewall filter on an M-series or T-series router, and apply it as an input filter on the router's edge-facing interfaces to block all incoming packets that can be used to exploit this vulnerability.
[edit]
user@router# show firewall filter protect
term block-bad-protos {
    from {
        protocol [ 53 55 77 103 ];
    }
    then discard;
}
term permit-others {
    then accept;
}

[edit]
user@router# set interfaces <interface-name> unit <unit-number> family inet filter input protect
If you already have a firewall filter assigned to the edge-facing interfaces, simply insert the first term from the above example at the beginning of the existing firewall filter.

On Juniper Networks E-series routers running JUNOSe software, configure the following filtering policy and apply it to edge-facing interfaces. In this filtering policy you use a classifier list to identify the affected protocols, define a policy referencing the classifier list, and finally apply the policy to the appropriate interfaces.
1400# config t
1400(config)#classifier-list protect-network 53 any any
1400(config)#classifier-list protect-network 55 any any
1400(config)#classifier-list protect-network 77 any any
1400(config)#classifier-list protect-network 103 any any
1400(config)#policy-list protect-network
1400(config-policy-list)#filter classifier-group protect-network
1400(config-policy-list)#exit
1400(config)#interface gig 4/0
1400(config-if)#ip policy input protect-network statistics enabled
1400(config-if)#end
1400#
Note that these filters block all packets for protocols 53 (SWIPE), 55 (IP Mobility), 77 (SUN ND), and 103 (PIM). While the first three protocols are rarely found in the Internet, PIM (Protocol Independent Multicast) is commonly used in multicast-enabled networks. If your network uses PIM, you must create a more complex filter to selectively block unwanted PIM packets.
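As an added example that is not part of this advisory, the following is one way to write the JUNOS filter for a network that does use PIM: PIM is accepted only when it arrives from an assumed trusted multicast-neighbor prefix (192.0.2.0/24 is a placeholder for your own PIM neighbors), the four protocols are otherwise counted and discarded, and the filter is applied on a placeholder edge-facing interface (so-1/0/0 unit 0).

```junos
firewall {
    family inet {
        filter protect {
            /* Accept PIM only from the assumed trusted neighbor prefix */
            term permit-pim-neighbors {
                from {
                    /* placeholder: replace with your multicast neighbors */
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol pim;
                }
                then accept;
            }
            /* Any other packet for 53, 55, 77 or 103 is counted and dropped */
            term block-bad-protos {
                from {
                    protocol [ 53 55 77 103 ];
                }
                then {
                    count bad-protos-dropped;
                    discard;
                }
            }
            term permit-others {
                then accept;
            }
        }
    }
}
interfaces {
    /* placeholder edge-facing interface */
    so-1/0/0 {
        unit 0 {
            family inet {
                filter {
                    input protect;
                }
            }
        }
    }
}
```

After commit, the operational command show firewall filter protect reports the bad-protos-dropped counter, which tells you whether such packets are actually reaching the edge.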
Severity Level:
None
Severity Assessment:
Juniper Networks products are not susceptible to this vulnerability.
