Scanning of TCP port 646 can cause the routing process to consume excessive amounts of CPU time

[JSA10318]

Legacy Advisory Id:
Product Affected:
All releases of Juniper Internet Software built prior to November 19, 2003.
Port scanning utilities often connect to a target network device and send specially crafted messages to determine the software version running on the target. Such scans are often used as a prelude to version-specific attacks on the target device.

When Juniper Networks M-series and T-series routers are subjected to this type of port scan directed to TCP port 646 (utilized by the Label Distribution Protocol, LDP), the routing process might consume excessive amounts of CPU time and become unresponsive. Thus, if an attacker can establish a TCP connection to port 646, the port scan itself can be used as a denial-of-service (DoS) attack against the router.
The JUNOS software has been modified to ignore improperly formed LDP packets, such as those that might be generated by a port scan.
All JUNOS software built on or after November 19, 2003 includes the correction. Customers are strongly encouraged to upgrade to a version of software that includes the correction.

Additionally, customers using LDP are encouraged to use firewall filters to prevent connections to TCP port 646 from untrusted sources. Customers can contact Juniper Networks Technical Assistance Center for help in creating appropriate filters. If LDP is not enabled on the router, the router will not be vulnerable.

If a router has already been attacked, use the restart routing immediate command to recover. NOTE: This command will cause all routing protocols to restart.
Related Links:
Risk Level:
Risk Assessment:
A remote attacker can use readily available tools to launch a denial-of-service attack against the router if LDP is enabled. If LDP is not configured, the router is not susceptible to this vulnerability.

Since this vulnerability requires the attacker to successfully establish a TCP session with the router, the attacker's source address cannot be spoofed. Therefore, a firewall filter that discards LDP packets from unexpected sources can be effective in eliminating this vulnerability.
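The firewall-filter mitigation recommended above, both in the solution text and in the risk assessment, could look like the following sketch. This is an added example, not configuration taken from the advisory. It assumes current JUNOS set-style syntax, uses documentation addresses, and the names LDP-NEIGHBORS, PROTECT-LDP and ldp-tcp-denied are hypothetical. The lines starting with # are annotations, not commands.

```junos
# Constructed example. Replace the 192.0.2.x placeholders with the real
# addresses of the LDP peers this router is expected to talk to.
set policy-options prefix-list LDP-NEIGHBORS 192.0.2.1/32
set policy-options prefix-list LDP-NEIGHBORS 192.0.2.2/32

# Permit LDP TCP traffic only when it comes from a listed peer.
# "port 646" matches 646 as source or destination port, so the session
# works whichever side opens it.
set firewall family inet filter PROTECT-LDP term ldp-trusted from source-prefix-list LDP-NEIGHBORS
set firewall family inet filter PROTECT-LDP term ldp-trusted from protocol tcp
set firewall family inet filter PROTECT-LDP term ldp-trusted from port 646
set firewall family inet filter PROTECT-LDP term ldp-trusted then accept

# Any other source trying to reach TCP 646 is counted and silently dropped,
# so a scanner never completes the TCP handshake with the LDP listener.
set firewall family inet filter PROTECT-LDP term ldp-untrusted from protocol tcp
set firewall family inet filter PROTECT-LDP term ldp-untrusted from destination-port 646
set firewall family inet filter PROTECT-LDP term ldp-untrusted then count ldp-tcp-denied
set firewall family inet filter PROTECT-LDP term ldp-untrusted then discard

# A filter ends with an implicit discard. This final term keeps all other
# traffic flowing, because this sketch only restricts TCP 646.
set firewall family inet filter PROTECT-LDP term everything-else then accept

# Apply on the loopback so the filter covers traffic addressed to the router
# itself. Assumption: lo0 has no input filter yet. If one exists, add the
# two LDP terms to that filter instead of replacing it.
set interfaces lo0 unit 0 family inet filter input PROTECT-LDP
```

After committing, `show firewall filter PROTECT-LDP` displays the ldp-tcp-denied counter, which increments whenever an unlisted source attempts to reach TCP port 646.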