
TCP protocol vulnerable to spoofed packets (NISCC/TCP/236929)



Article ID: JSA10319 (SECURITY_ADVISORIES)
Last Updated: 09 May 2013
Version: 2.0
Legacy Advisory Id:
Product Affected:
All Juniper M-series and T-series routers running software built prior to March 1, 2004; all Juniper E-series routers running software earlier than Release 5.2.1; all NetScreen firewalls running ScreenOS earlier than release 5.0R6.

Management products such as the SDX provisioning software and JUNOScope are not themselves vulnerable; however, they may be exposed through the operating system on which these products are installed.
An attacker can blindly send packets that attempt to disturb or disrupt a TCP connection. The TCP protocol uses several mechanisms, including sequence numbers, to manage the connection between two peers and to ensure that only valid packets are processed. However, if the attacker is able to send forged packets to either TCP peer, and if the forged packets contain the correct sequence numbers, the forged packets might be indistinguishable from valid packets, and the attacker might be able to disrupt the connection by inserting arbitrary (either control or user-level) data. With a fast network connection (or with multiple lower-speed connections), an attacker can theoretically send forged packets that span the entire range of sequence numbers in a relatively short time period, essentially ensuring that an attack can succeed. TCP sessions that remain established for long periods of time are especially vulnerable; the more time the attacker has, the more likely it is that a forged packet with the proper sequence number will be accepted.

The BGP4 routing protocol relies on TCP connections between peers to exchange routing information. The TCP sessions used for BGP4 have especially long lives; in some cases these sessions remain connected for several weeks or months. If BGP4 peering connections were disrupted, significant portions of the Internet could be isolated.

The TCP protocol has many other uses on routers and other network devices. TCP is frequently used as the transport for interactive management access to these devices via Telnet or SSH. These sessions are also susceptible to this vulnerability. However, since these TCP sessions are typically of relatively short duration, they are less susceptible than BGP4.

This vulnerability is documented in PR/41914, CQ 56676, and NetScreen advisory 58784. More details on this vulnerability can be found at the NISCC/UNIRAS website.
There is no way a network operator can completely defend against this vulnerability. The only defense is to reduce the likelihood of success or to increase the amount of work required, by increasing the amount of data an attacker must successfully guess or enumerate by a brute-force approach.

Juniper Networks products already incorporate numerous facilities to deter this type of attack. Line-rate reverse-path-forwarding (or Source Address validation) checks can be used to reduce the possibility of forged packets entering a network. Packets with certain control bit combinations can be rate-limited to restrict the number of packets (including forged packets) that might disrupt TCP sessions.

NetScreen firewalls can be configured with Anti-Spoof detection and restricted management interface(s); these configuration options can be used to help prevent successful attacks against management sessions and the firewall's session table.

For BGP4 sessions in particular, MD5 cryptographic checksums can be used. Without knowing the correct key, it is nearly impossible to forge a packet with the correct checksum. In addition, BGP4 sessions can be configured to use an IPSec tunnel for the network transport layer, replacing TCP and avoiding the vulnerabilities inherent in TCP.
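The "MD5 cryptographic checksums" the advisory refers to for BGP4 are the TCP MD5 Signature Option of RFC 2385: the sender hashes the TCP pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the segment data and a shared key, and carries the 16-byte digest in option kind 19. The following is an added example written for this page, not Juniper or NetScreen code, showing both the signing side and the receiver-side check that makes a blind forgery fail; the addresses, ports, key and the BGP KEEPALIVE payload are constructed for the example, and the ordinary TCP checksum is deliberately left at zero because the point is the signature.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19                 # RFC 2385 option kind
MD5SIG_OPT_LEN = 18                # kind, length, 16-byte digest
BGP_PORT = 179
FIXED_HDR = struct.Struct("!HHIIBBHHH")   # sport, dport, seq, ack, offset<<4, flags, win, csum, urg


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """Pseudo-header in the order RFC 2385 specifies: src, dst, zero, protocol, TCP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_header: bytes, options_len: int,
                   payload: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header, the 20-byte TCP header with its checksum zeroed
    (options are excluded), the segment data, and the shared key."""
    zeroed = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, 20 + options_len + len(payload)))
    h.update(zeroed)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                         payload: bytes, key: bytes) -> bytes:
    """TCP header + options + payload carrying a valid MD5 signature option."""
    options_len = 2 + MD5SIG_OPT_LEN       # two NOPs pad the option to 32-bit alignment
    fixed = FIXED_HDR.pack(sport, dport, seq, ack, ((20 + options_len) // 4) << 4,
                           flags, window, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, options_len, payload, key)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, MD5SIG_OPT_LEN]) + digest
    return fixed + options + payload


def _find_md5_option(segment: bytes, data_offset: int):
    """Walk the option list and return the carried 16-byte digest, or None."""
    i = 20
    while i + 1 < data_offset:
        kind = segment[i]
        if kind == 0:                              # End of option list
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:  # malformed option list
            return None
        if kind == TCPOPT_MD5SIG and length == MD5SIG_OPT_LEN:
            return segment[i + 2:i + length]
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment: bytes, key: bytes) -> bool:
    """Receiver-side check: a segment lacking the option, or carrying a digest that
    does not match, is discarded before it can touch connection state."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    received = _find_md5_option(segment, data_offset)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:20], data_offset - 20,
                              segment[data_offset:], key)
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Constructed peering session: one signed BGP KEEPALIVE, then three segments
    a receiver configured with the key must reject."""
    key = b"example-shared-secret"                        # constructed, not a real key
    src, dst = "192.0.2.1", "192.0.2.2"                   # RFC 5737 documentation addresses
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # BGP KEEPALIVE: marker, length 19, type 4
    good = build_signed_segment(src, dst, 50000, BGP_PORT, 0x1000, 0x2000, 0x18, 16384, keepalive, key)
    # Blind RST with the right 4-tuple and an in-window sequence number but no signature.
    forged_rst = FIXED_HDR.pack(50000, BGP_PORT, 0x1000, 0, 5 << 4, 0x04, 0, 0, 0)
    wrong_key = build_signed_segment(src, dst, 50000, BGP_PORT, 0x1000, 0x2000, 0x18, 16384, keepalive, b"guess")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])      # one payload bit flipped after signing
    return {name: verify_signed_segment(src, dst, seg, key)
            for name, seg in (("good", good), ("forged_rst", forged_rst),
                              ("wrong_key", wrong_key), ("tampered", tampered))}


if __name__ == "__main__":
    print(demo())
```

The verifier recomputes the digest from the received header and data rather than trusting anything in the option, and uses `hmac.compare_digest` so the comparison does not leak timing; an RST that would pass the sequence-number check in the advisory's scenario is dropped here simply because the attacker cannot produce the digest without the key.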

In cooperation with other network product vendors, Juniper Networks has incorporated several changes in the TCP protocol that place additional restrictions on which sequence numbers are considered "valid." These changes are completely backwards compatible and interoperate fully with unmodified implementations of TCP. With these changes enabled, the number of forged packets required for a successful brute-force attack increases by several orders of magnitude.
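The brute-force scenario described earlier and the tightened sequence-number validation described in this paragraph can be made concrete with a small model. The following is an added example, not code from the advisory or from Juniper's TCP implementation: it contrasts the original RFC 793 rule (any in-window RST resets the connection) with the stricter rule later standardized in RFC 5961 (only an RST that hits RCV.NXT exactly resets; an in-window miss is answered with a challenge ACK), and computes how many forged RSTs a blind attacker who already knows both addresses and ports must send under each rule. The advisory does not state Juniper's exact validation rule, so the strict variant here is the industry-standard one, used as an illustration; the window sizes and link rate are constructed.

```python
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32          # 32-bit TCP sequence number space
MIN_FRAME_BITS = 64 * 8      # minimum-size Ethernet frame carrying a 40-byte IP+TCP RST


@dataclass
class TcpReceiver:
    """Receive-side state of one established connection (constructed for the example)."""
    rcv_nxt: int   # next sequence number the receiver expects
    rcv_wnd: int   # bytes of receive window it currently advertises

    def in_window(self, seq: int) -> bool:
        # Modular distance from RCV.NXT, so a window that wraps past 2^32 is handled.
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd

    def rst_permissive(self, seq: int) -> str:
        """Original RFC 793 rule: any RST inside the receive window aborts the connection."""
        return "reset" if self.in_window(seq) else "drop"

    def rst_strict(self, seq: int) -> str:
        """Tightened rule (RFC 5961 style): only an exact hit on RCV.NXT resets; an
        in-window miss gets a challenge ACK, which lets a genuine peer resend its RST
        with the exact number while a blind attacker learns nothing."""
        if seq == self.rcv_nxt:
            return "reset"
        if self.in_window(seq):
            return "challenge_ack"
        return "drop"


def classify_forged_rsts(rx: TcpReceiver, strict: bool, seqs) -> dict:
    """Count the fate of a batch of forged RSTs that already carry the correct 4-tuple."""
    rule = rx.rst_strict if strict else rx.rst_permissive
    counts = {"reset": 0, "challenge_ack": 0, "drop": 0}
    for seq in seqs:
        counts[rule(seq)] += 1
    return counts


def forged_rsts_to_guarantee_reset(window: int, strict: bool) -> int:
    """Forged RSTs needed so that one is certain to be accepted.
    Permissive: one probe per window-sized slice of the sequence space.
    Strict: every one of the 2^32 values may have to be tried."""
    if strict:
        return SEQ_SPACE
    return -(-SEQ_SPACE // window)   # ceiling division


def seconds_to_guarantee_reset(window: int, strict: bool, link_bps: float) -> float:
    """Wall-clock time for the blind brute force at a given link rate."""
    return forged_rsts_to_guarantee_reset(window, strict) * MIN_FRAME_BITS / link_bps


def work_factor_increase(window: int) -> int:
    """How many times more forged packets the strict rule demands than the permissive one."""
    return (forged_rsts_to_guarantee_reset(window, True)
            // forged_rsts_to_guarantee_reset(window, False))


if __name__ == "__main__":
    rx = TcpReceiver(rcv_nxt=1_000_000, rcv_wnd=65_536)
    probes = [rx.rcv_nxt, rx.rcv_nxt + 1, rx.rcv_nxt + rx.rcv_wnd]
    print("permissive:", classify_forged_rsts(rx, False, probes))
    print("strict:    ", classify_forged_rsts(rx, True, probes))
    for strict in (False, True):
        n = forged_rsts_to_guarantee_reset(rx.rcv_wnd, strict)
        t = seconds_to_guarantee_reset(rx.rcv_wnd, strict, 100e6)   # 100 Mbit/s link
        print(f"{'strict' if strict else 'permissive'}: {n} RSTs, {t:.1f} s at 100 Mbit/s")
    print("work factor increase:", work_factor_increase(rx.rcv_wnd))
```

With a 64 KiB window the permissive rule lets a blind attacker on a 100 Mbit/s link cover the whole sequence space with about 65 thousand RSTs in well under a second, while the strict rule multiplies the required packets by the window size, which is the "several orders of magnitude" the advisory refers to. The same reasoning shows why the advisory's other countermeasures matter: the count above assumes the 4-tuple is known, so anything that forces the attacker to also guess the source port or defeat source-address validation multiplies the work again.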
Juniper Networks strongly recommends that customers take full advantage of all the security tools available in JUNOS, JUNOSe, and ScreenOS software, including the use of MD5 checksums and/or IPSec tunnels for BGP4 sessions.

For customers who require additional protection, Juniper Networks recommends installing a version of software that includes the changes to the TCP protocol. Contact Juniper Networks' Technical Assistance Center for availability and download information.
Severity Level:
Severity Assessment:
For M-series, T-series, and E-series routers running BGP: High Risk due to susceptibility of BGP4 protocol sessions.

For routers not running BGP, and for NetScreen firewalls: Medium Risk to interactive management sessions.
