TCP Out-of-Sequence Denial of Service Vulnerability (FreeBSD Security Advisory SA-04:04.tcp)

[JSA10321]
Product Affected:
All Juniper products running software built prior to March 5, 2004.

When TCP segments arrive out of order, they are buffered for later delivery to the application rather than being discarded. Currently no limit is imposed on the number of such segments that may be buffered. An attacker can therefore take advantage of this feature of the TCP protocol to launch a low-bandwidth denial-of-service (DoS) attack that exhausts the available buffer memory.

All Juniper M-series and T-series routers running JUNOS software built prior to March 5, 2004, are susceptible to this vulnerability. A successful attack results in a kernel crash.

While JUNOSe software on E-series routers is not derived from FreeBSD, it also lacks a mechanism to limit the amount of buffer space occupied by buffered, out-of-sequence packets. However, JUNOSe handles most out-of-buffer conditions gracefully and an attack is unlikely to succeed.

G-series Cable Modem Termination Systems are not susceptible to this vulnerability.

Refer to the FreeBSD Advisory SA-04:04.tcp for more information.

This bulletin will be updated as more information becomes available.

The JUNOS software has been modified to impose a limit on the number of out-of-order packets that can be buffered for later delivery to the application layer, avoiding the possibility of exhausting available buffers.

JUNOSe software modifications are being investigated to impose a limit on the number of out-of-order packets that can be buffered.
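The limit described above, modelled as an added example (not Juniper's or FreeBSD's code): a toy per-connection TCP reassembly queue in Python, where max_segments=None reproduces the unbounded buffering of the vulnerable kernel and an integer cap reproduces the fix. The traffic in out_of_order_burst is constructed to leave the first expected byte missing so the hole never closes; the model ignores overlap trimming, the receive window and real mbuf accounting, which a real stack must handle.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ReassemblyQueue:
    """Per-connection TCP reassembly queue (toy model, constructed for this example).
    max_segments=None behaves like the pre-fix kernel: every out-of-order segment is
    buffered with no limit.  An integer cap models the fix: once the cap is reached,
    further out-of-order segments are discarded instead of buffered."""
    rcv_nxt: int                                  # next in-order sequence number expected
    max_segments: Optional[int] = None
    queued: Dict[int, bytes] = field(default_factory=dict)   # seq -> payload
    delivered: bytes = b""
    dropped: int = 0

    def receive(self, seq: int, data: bytes) -> None:
        # Toy simplification: no overlap trimming or receive-window check.
        if seq < self.rcv_nxt:                    # old duplicate: ignore
            return
        if seq == self.rcv_nxt:                   # in order: deliver and drain the queue
            self.delivered += data
            self.rcv_nxt += len(data)
            while self.rcv_nxt in self.queued:
                chunk = self.queued.pop(self.rcv_nxt)
                self.delivered += chunk
                self.rcv_nxt += len(chunk)
            return
        # Out of order: this is the path the advisory describes.  Without a cap the
        # queue grows by one entry per segment for as long as the hole stays open.
        at_cap = self.max_segments is not None and len(self.queued) >= self.max_segments
        if at_cap and seq not in self.queued:
            self.dropped += 1                     # fix: discard rather than buffer
            return
        self.queued[seq] = data

    def buffered_bytes(self) -> int:
        return sum(len(d) for d in self.queued.values())


def out_of_order_burst(queue: ReassemblyQueue, segments: int, size: int = 1) -> int:
    """Constructed traffic: `segments` segments that all skip the byte at rcv_nxt, so
    the hole never closes and nothing can be delivered.  Returns bytes left buffered."""
    for i in range(1, segments + 1):
        queue.receive(queue.rcv_nxt + i * size, b"x" * size)
    return queue.buffered_bytes()


if __name__ == "__main__":
    unbounded = ReassemblyQueue(rcv_nxt=1000)
    capped = ReassemblyQueue(rcv_nxt=1000, max_segments=64)
    print("no limit :", out_of_order_burst(unbounded, 10_000), "bytes buffered")
    print("cap of 64:", out_of_order_burst(capped, 10_000), "buffered,", capped.dropped, "dropped")
```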

Customers are encouraged to implement appropriate packet filtering to prevent untrusted traffic from reaching the router.

Additionally, for M-series and T-series routers, customers can install a version of JUNOS software built on or after March 5, 2004. Contact Juniper Networks Technical Assistance Center for availability and download instructions.

Severity Assessment:
Best practices dictate that one should use existing filter techniques to prevent untrusted TCP traffic (or any other untrusted traffic) from reaching one's routers. With such filters in place, a blind attack has a very low chance of success because of the large number of bits that need to be guessed correctly.