TCP protocol susceptible to malicious ICMP messages (NISCC Vulnerability #532967, CERT/CC Vulnerability VU#222750)



Article ID: JSA10347
Category: Security Advisories
Last Updated: 09 May 2013
Version: 4.0
Legacy Advisory Id:
Product Affected:
All M-series and T-series routers running JUNOS software built prior to August 28, 2004.
Problem:
TCP relies on ICMP to learn about abnormal conditions in an IP network, for example congestion (ICMP Source Quench) or a path MTU smaller than the segment being sent (ICMP Fragmentation Needed, used by Path MTU Discovery). An attacker who can spoof such messages for an established TCP session can make the receiving host react as though the condition were real. The victimized host may drastically reduce the rate at which it sends on that session; in extreme cases the resulting packet rate might approach zero.

This issue is tracked internally as PR/50294.
Solution:
JUNOS software has been modified to validate received ICMP messages more stringently before allowing one to affect a TCP session. These changes do not completely eliminate the possibility of a spoofed ICMP packet affecting a TCP session, but they greatly reduce the probability of a successful attack.
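The kind of validation the fix describes, as an added illustration rather than JUNOS code (the advisory does not say which checks JUNOS applies). Every ICMP error carries the IP header and first 8 bytes of the datagram it claims to answer; for TCP those 8 bytes hold the ports and the sequence number. The example checks that the quoted 4-tuple names an established session and that the quoted sequence number lies inside that session's send window, which is what a blind attacker cannot know. It handles both message types named in this advisory (Source Quench and Fragmentation Needed). Packet layouts are plain RFC 791/792/793 encodings; the session table, addresses, ports and sequence numbers are constructed sample values.

```python
"""
ICMP-error validation against a TCP session table.

Added illustration, not JUNOS code: the advisory states only that JUNOS now
"more stringently validates" ICMP messages before they can act on a TCP
session.  The two checks below are the standard class of such validation
(the quoted IP/TCP header must name an established session, and the quoted
sequence number must lie inside that session's send window).  Packet
encodings are plain RFC 791/792/793 layouts; all addresses, ports and
sequence numbers are constructed sample values.
"""
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # code under type 3: "fragmentation needed and DF set"
ICMP_SOURCE_QUENCH = 4        # ICMP type 4
IPPROTO_TCP = 6


@dataclass
class TcpSession:
    """Minimal send-side state of an established TCP connection."""
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_icmp_error(icmp_type, icmp_code, src, dst, sport, dport, seq, rest=0):
    """Constructed ICMP error: 8-byte ICMP header, then the quoted IP header
    and first 8 bytes of TCP of the datagram the error claims to answer.
    Checksums are left at zero; only the validation logic matters here."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, icmp_code, 0, rest)
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64,
                            IPPROTO_TCP, 0, _ip_bytes(src), _ip_bytes(dst))
    quoted_tcp = struct.pack("!HHI", sport, dport, seq)   # ports + sequence number
    return icmp_hdr + quoted_ip + quoted_tcp


def _in_send_window(seq, snd_una, snd_nxt):
    """SND.UNA <= seq < SND.NXT, evaluated modulo 2**32."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def validate_icmp_error(pkt, sessions):
    """Decide whether an inbound ICMP error may act on a TCP session.

    `sessions` maps (local_ip, local_port, remote_ip, remote_port) to
    TcpSession.  Returns (session_key_or_None, reason)."""
    if len(pkt) < 8 + 20 + 8:
        return None, "truncated: need ICMP header, quoted IP header and 8 TCP bytes"
    icmp_type, icmp_code = pkt[0], pkt[1]
    affects_tcp = (icmp_type == ICMP_SOURCE_QUENCH or
                   (icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_FRAG_NEEDED))
    if not affects_tcp:
        return None, "message type does not affect TCP rate or MTU"
    quoted = pkt[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return None, "malformed quoted IP header"
    if quoted[9] != IPPROTO_TCP:
        return None, "quoted datagram is not TCP"
    # The quoted datagram is one this host sent, so its source is our local side.
    local_ip = ".".join(str(b) for b in quoted[12:16])
    remote_ip = ".".join(str(b) for b in quoted[16:20])
    local_port, remote_port, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    key = (local_ip, local_port, remote_ip, remote_port)
    sess = sessions.get(key)
    if sess is None:
        return None, "quoted 4-tuple matches no established session"
    if not _in_send_window(seq, sess.snd_una, sess.snd_nxt):
        # A blind attacker has to guess this value; a miss is rejected.
        return None, "quoted sequence number outside the send window"
    return key, "ok"


# Constructed sample state: one BGP session (local port 179) with 500 bytes in flight.
SESSIONS = {
    ("192.0.2.1", 179, "198.51.100.7", 52010): TcpSession(snd_una=1000, snd_nxt=1500),
}


def demo():
    """Run a handful of constructed messages through the validator."""
    cases = {
        "blind source quench, guessed seq": build_icmp_error(
            ICMP_SOURCE_QUENCH, 0, "192.0.2.1", "198.51.100.7", 179, 52010, 777777),
        "source quench, wrong remote port": build_icmp_error(
            ICMP_SOURCE_QUENCH, 0, "192.0.2.1", "198.51.100.7", 179, 52011, 1200),
        "source quench, seq in window": build_icmp_error(
            ICMP_SOURCE_QUENCH, 0, "192.0.2.1", "198.51.100.7", 179, 52010, 1200),
        "frag needed (MTU 576), seq in window": build_icmp_error(
            ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, "192.0.2.1", "198.51.100.7",
            179, 52010, 1499, rest=576),
        "echo reply, ignored": bytes([0, 0]) + bytes(34),
    }
    return {name: validate_icmp_error(pkt, SESSIONS)[1] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:40s} -> {reason}")
```

The 4-tuple check alone is weak, since a BGP peer's addresses and port 179 are predictable; the sequence-window check is what forces a blind attacker to guess a 32-bit value per attempt. It does not help against an attacker who can observe the session's traffic, which is why the advisory says the change reduces rather than eliminates the exposure.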

Two new hidden configuration options have been introduced to control processing of ICMP messages. In JUNOS releases 6.x these options are located at the [edit system] hierarchy level; in JUNOS releases 7.0 and later, they are located at the [edit system internet-options] hierarchy level.
  • set [no-]source-quench
    This option enables or disables processing of ICMP Source Quench messages. By default, processing is disabled.
  • set [no-]path-mtu-discovery
    This option controls whether path MTU discovery is enabled for TCP sessions originated on the router. By default, PMTUD is enabled for TCP sessions other than those used for routing protocols (such as BGP).
These configuration options are hidden: the CLI neither lists nor completes them, so each must be typed in full when adding it to the router's configuration.
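The two statements written out in full for both hierarchy placements, as an added example rather than text from the advisory. The prompt and hostname are illustrative, and the `show` rendering assumes the usual Junos display of a committed statement; because the statements are hidden, each line must be typed completely.

```junos
# Junos 7.0 and later: both options under [edit system internet-options]
[edit]
user@router# set system internet-options no-source-quench
user@router# set system internet-options no-path-mtu-discovery
user@router# show system internet-options
no-source-quench;
no-path-mtu-discovery;
user@router# commit

# Junos 6.x: the same statements sit directly under [edit system]
[edit]
user@router# set system no-source-quench
user@router# set system no-path-mtu-discovery
user@router# commit
```

`no-source-quench` restates the documented default and is worth committing explicitly so the intent survives later configuration changes. `no-path-mtu-discovery` removes the Fragmentation Needed vector for router-originated TCP sessions (management sessions such as SSH) at the cost of PMTUD itself: oversized segments then rely on in-transit fragmentation instead of being sized to the path, which is a performance trade-off, not a reachability one, and is the same state the advisory says routing-protocol sessions already run in.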
All JUNOS software releases 6.2 or later built on or after August 28, 2004 include the modified code. Customers are encouraged to upgrade to a release that includes the fix and to set the new configuration options appropriately.

JUNOS software releases 6.1 and lower do not contain the modified code.
Severity Level:
Severity Assessment:
An attacker can interfere with normal TCP sessions terminating on the router, including BGP4 and terminal-oriented management sessions. BGP4 sessions are not susceptible to a Path MTU Discovery attack because JUNOS does not enable PMTUD on routing protocol sessions. However, all TCP sessions terminating on the router are susceptible to the Source Quench attack.
