Scanning of TCP port 646 can cause the routing process to consume excessive amounts of CPU time



Article ID: JSA10318 (Security Advisories) Last Updated: 09 May 2013 Version: 5.0
Legacy Advisory Id:
Product Affected: All releases of Juniper Internet Software built prior to November 19, 2003.
Port scanning utilities often connect to a target network device and send specially crafted messages to determine the software version running on the target. Such scans are often used as a prelude to version-specific attacks on the target device.

When Juniper Networks M-series and T-series routers are subjected to this type of port scan directed to TCP port 646 (utilized by the Label Distribution Protocol, LDP), the routing process might consume excessive amounts of CPU time and become unresponsive. Thus, if an attacker can establish a TCP connection to port 646, the port scan itself can be used as a denial-of-service (DoS) attack against the router.
The JUNOS software has been modified to ignore improperly formed LDP packets, such as those that might be generated by a port scan.
All JUNOS software built on or after November 19, 2003 includes the correction. Customers are strongly encouraged to upgrade to a version of software that includes the correction.

Additionally, customers using LDP are encouraged to use firewall filters to prevent connections to TCP port 646 from untrusted sources. Customers can contact Juniper Networks Technical Assistance Center for help in creating appropriate filters. If LDP is not enabled on the router, the router will not be vulnerable.

If a router has already been attacked, use the restart routing immediate command to recover. NOTE: This command restarts all routing protocols on the router.
Severity Level:
Severity Assessment: A remote attacker can use readily available tools to create a denial-of-service attack against the router if LDP is enabled. If LDP is not configured, the router is not susceptible to this vulnerability.

Since this vulnerability requires the attacker to successfully establish a TCP session with the router, the attacker's source address cannot be spoofed. Therefore, a firewall filter that discards LDP packets from unexpected sources can be effective in eliminating this vulnerability.
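The firewall filter recommended above (allow LDP session setup only from known peers, discard everything else aimed at TCP port 646) can be expressed as a Routing Engine protection filter applied to the loopback interface. This is an added illustration, not a configuration from the advisory or from Juniper; the filter name protect-re, the prefix-list name ldp-peers and the 192.0.2.x peer addresses are assumed placeholders that must be replaced with the router's actual LDP neighbors.

```junos
/* Added example, not Juniper's own configuration. Peer addresses are constructed placeholders. */
policy-options {
    prefix-list ldp-peers {
        192.0.2.1/32;       /* assumed LDP peer, replace with real neighbor transport addresses */
        192.0.2.2/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* LDP session setup (TCP 646) is accepted only from configured peers */
            term allow-ldp-from-peers {
                from {
                    source-prefix-list {
                        ldp-peers;
                    }
                    protocol tcp;
                    destination-port 646;
                }
                then accept;
            }
            /* Any other connection attempt to TCP 646 is counted, logged and discarded,
               so a scan never reaches the LDP process and the counter shows scan activity */
            term discard-ldp-untrusted {
                from {
                    protocol tcp;
                    destination-port 646;
                }
                then {
                    count ldp-untrusted;
                    log;
                    discard;
                }
            }
            /* Remaining traffic falls through to whatever other RE-protection terms apply */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

The ldp-untrusted counter (show firewall filter protect-re) gives a quick indication that port 646 is being probed from unexpected sources even after the vulnerable code has been patched.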