TCP protocol vulnerable to spoofed packets (NISCC/TCP/236929)

[JSA10319]

Product Affected:
All Juniper M-series and T-series routers running software built prior to March 1, 2004; all Juniper E-series routers running software earlier than Release 5.2.1; all NetScreen firewalls running ScreenOS earlier than release 5.0R6.

Management products such as the SDX provisioning software and JUNOScope are not themselves vulnerable; however, they may be susceptible through the operating system on which they are installed.

An attacker can blindly send packets that attempt to disturb or disrupt a TCP connection. The TCP protocol uses several mechanisms, including sequence numbers, to manage the connection between two peers and to ensure that only valid packets are processed. However, if the attacker is able to send forged packets to either TCP peer, and if the forged packets contain the correct sequence numbers, the forged packets might be indistinguishable from valid packets, and the attacker might be able to disrupt the connection by inserting arbitrary (either control or user-level) data. With a fast network connection (or with multiple lower-speed connections), an attacker can theoretically send forged packets that span the entire range of sequence numbers in a relatively short time period, essentially ensuring that an attack can succeed. TCP sessions that remain established for long periods of time are especially vulnerable: the more time the attacker has, the more likely it is that a forged packet with the proper sequence numbers will be found.

The BGP4 routing protocol relies on TCP connections between peers to exchange routing information. The TCP sessions used for BGP4 have especially long lives; in some cases these sessions remain connected for several weeks or months. If BGP4 peering connections were disrupted, significant portions of the Internet could be isolated.

The TCP protocol has many other uses on routers and other network devices. TCP is frequently used as the transport for interactive management access to these devices via Telnet or SSH. These sessions are also susceptible to this vulnerability. However, since these TCP sessions are typically of relatively short duration, they are less susceptible than BGP4.

This vulnerability is documented in PR/41914, CQ 56676, and NetScreen advisory 58784. More details on this vulnerability can be found at the NISCC/UNIRAS website.

There is no way a network operator can completely defend against this vulnerability. The only defense is to reduce the likelihood of success or to increase the amount of work required, by increasing the amount of data an attacker must successfully guess or enumerate by a brute-force approach.

Juniper Networks products already incorporate numerous facilities to deter this type of attack. Line-rate reverse-path-forwarding (or Source Address validation) checks can be used to reduce the possibility of forged packets entering a network. Packets with certain control bit combinations can be rate-limited to restrict the number of packets (including forged packets) that might disrupt TCP sessions.

NetScreen firewalls can be configured with Anti-Spoof detection and restricted management interface(s); these configuration options can be used to help prevent successful attacks against management sessions and the firewall's session table.

For BGP4 sessions in particular, MD5 cryptographic checksums can be used. Without knowing the correct key, it is nearly impossible to forge a packet with the correct checksum. In addition, BGP4 sessions can be configured to use an IPSec tunnel for the network transport layer, replacing TCP and avoiding the vulnerabilities inherent in TCP.
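How the MD5 option raises the bar, shown as an added Python example that is not Juniper's or NetScreen's code: it builds a segment carrying the RFC 2385 TCP MD5 signature option and runs the receiver's check, which rejects a segment signed with a guessed key, a segment altered in transit, and a segment whose addresses do not match the pseudo-header. The addresses, ports, sequence numbers, the BGP KEEPALIVE payload and the key are constructed sample values; the digest coverage (IPv4 pseudo-header, fixed TCP header with a zero checksum, segment data, then the key) follows RFC 2385.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19   # TCP option kind for the MD5 signature option (RFC 2385)
MD5_OPT_LEN = 18    # kind(1) + length(1) + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """RFC 2385 digest: IPv4 pseudo-header, 20-byte fixed TCP header with its checksum
    taken as zero, segment data, then the shared key. Options are not hashed,
    but the segment length in the pseudo-header does count them."""
    if len(fixed_header) != 20:
        raise ValueError("fixed TCP header must be exactly 20 bytes")
    hdr = bytearray(fixed_header)
    hdr[16:18] = b"\x00\x00"                      # checksum field treated as zero
    seg_len = 20 + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    m = hashlib.md5()
    for part in (pseudo, bytes(hdr), payload, key):
        m.update(part)
    return m.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Sender side: fixed header + MD5 option (padded to a 4-byte boundary) + data.
    The TCP checksum is left at zero here; a real stack fills it in after signing."""
    options_len = 20                              # 18-byte option + 2 bytes EOL padding
    data_offset = (20 + options_len) // 4         # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, options_len, payload, key)
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x00\x00"
    return fixed + options + payload


def _find_md5_option(options):
    """Walk the TCP options list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                                 # malformed option: stop parsing
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return bytes(options[i + 2:i + 18])
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side: accept only if the carried digest matches the one we compute with
    our copy of the key. A segment from a sender without the key fails here
    whatever sequence number it carries."""
    if len(segment) < 20:
        return False
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    fixed, options, payload = segment[:20], segment[20:header_len], segment[header_len:]
    received = _find_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4) between two
# documentation addresses, signed with a constructed key.
PEER_A, PEER_B, KEY = "192.0.2.1", "192.0.2.2", b"constructed-bgp-key"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
FLAGS_PSH_ACK = 0x18


def demo():
    good = build_signed_segment(PEER_A, PEER_B, 52001, 179, 1000, 2000,
                                FLAGS_PSH_ACK, 16384, KEEPALIVE, KEY)
    forged = build_signed_segment(PEER_A, PEER_B, 52001, 179, 1000, 2000,
                                  FLAGS_PSH_ACK, 16384, KEEPALIVE, b"guessed-key")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # one payload bit flipped in transit
    return {
        "genuine": verify_signed_segment(PEER_A, PEER_B, good, KEY),
        "wrong_key": verify_signed_segment(PEER_A, PEER_B, forged, KEY),
        "tampered": verify_signed_segment(PEER_A, PEER_B, tampered, KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Because the key never appears on the wire, a blind sender who has found an in-window sequence number still cannot produce a segment that passes `verify_signed_segment`; the guess the advisory describes would have to extend to the key itself. Note that the addresses are bound into the digest through the pseudo-header, so verifying the same segment with source and destination swapped also fails.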

In cooperation with other network product vendors, Juniper Networks has incorporated several changes in the TCP protocol that place additional restrictions on which sequence numbers are considered "valid." These changes are completely backwards compatible and interoperate fully with unmodified implementations of TCP. With these changes enabled, the number of forged packets required for a successful brute-force attack increases by several orders of magnitude.

Juniper Networks strongly recommends that customers take full advantage of all the security tools available in JUNOS, JUNOSe, and ScreenOS software, including the use of MD5 checksums and/or IPSec tunnels for BGP4 sessions.

For customers who require additional protection, Juniper Networks recommends installing a version of software that includes the changes to the TCP protocol. Contact Juniper Networks' Technical Assistance Center for availability and download information.
Severity Assessment:
For M-series, T-series, and E-series routers running BGP: High Risk due to susceptibility of BGP4 protocol sessions.

For routers not running BGP, and for NetScreen firewalls: Medium Risk to interactive management sessions.