TCP protocol susceptible to malicious ICMP messages (NISCC Vulnerability #532967, CERT/CC Vulnerability VU#222750)

Advisory Id: JSA10347
Product Affected:
All M-series and T-series routers running JUNOS software built prior to August 28, 2004.
The TCP protocol relies on the ICMP protocol to discover abnormal conditions within an IP network. An attacker can send ICMP messages that falsely indicate network congestion or other conditions and trigger a host to react unnecessarily. The victimized host may drastically reduce the rate at which packets are sent over an established TCP session; in extreme cases the resulting packet rate might approach zero.

This issue is tracked internally as PR/50294.
The JUNOS software has been modified to validate received ICMP messages more stringently before allowing an ICMP message to affect a TCP session. While these changes do not completely eliminate the possibility of spoofed ICMP packets affecting TCP sessions, the probability of a successful attack is greatly reduced.

Two new hidden configuration options have been introduced to control processing of ICMP messages. In JUNOS releases 6.x these options are located at the [edit system] hierarchy level; in JUNOS releases 7.0 and later, they are located at the [edit system internet-options] level.
  • set [no-]source-quench
    This option enables or disables processing of ICMP Source Quench messages. By default, processing is disabled.
  • set [no-]path-mtu-discovery
    This option controls whether or not path MTU discovery is enabled for TCP sessions originated on the router. By default, PMTUD is enabled for TCP sessions other than those used for routing protocol sessions (such as BGP).
These configuration options are hidden, and must therefore be spelled out in their entirety when adding them to the router's configuration.
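As an added illustration (not JUNOS code; the advisory does not specify its exact checks), the kind of validation described above: an ICMP Source Quench or Fragmentation Needed message is honoured only if the TCP header it quotes matches an established session's 4-tuple and a sequence number still in flight, and only if the corresponding knob is on. The two keyword flags mirror source-quench (default off) and path-mtu-discovery (default on); the packet layout, the session table and the sequence-window rule are assumptions.

```python
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4   # type 3 / code 4: "fragmentation needed" (PMTUD)
ICMP_SOURCE_QUENCH = 4
IPPROTO_TCP = 6

@dataclass
class TcpSession:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent

def build_icmp_error(icmp_type, code, src, dst, sport, dport, seq):
    """Construct a test ICMP error: ICMP header + quoted IPv4 header + first 8 TCP bytes (checksums 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + struct.pack("!HHI", sport, dport, seq)

def parse_icmp_error(pkt):
    inner = pkt[8:]                          # the datagram quoted inside the ICMP error
    ihl = (inner[0] & 0x0F) * 4
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return pkt[0], pkt[1], inner[9], src, dst, sport, dport, seq

def icmp_affects_session(pkt, sessions, source_quench=False, path_mtu_discovery=True):
    """Return the TcpSession this ICMP error may act on, or None if it must be ignored."""
    t, c, proto, src, dst, sport, dport, seq = parse_icmp_error(pkt)
    if proto != IPPROTO_TCP:
        return None
    if (t, c) not in ((ICMP_SOURCE_QUENCH, 0), (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)):
        return None                          # not a message that throttles TCP
    if t == ICMP_SOURCE_QUENCH and not source_quench:
        return None                          # knob off (the default): Source Quench is dropped
    if t == ICMP_DEST_UNREACH and not path_mtu_discovery:
        return None                          # PMTUD off for this session class (e.g. BGP)
    for s in sessions:
        # the quoted datagram was sent by us, so its source is our local endpoint
        if (src, sport, dst, dport) != (s.local_ip, s.local_port, s.remote_ip, s.remote_port):
            continue
        # honour it only if the quoted seq is in flight, i.e. in [snd_una, snd_nxt) mod 2^32
        if (seq - s.snd_una) % 2**32 < (s.snd_nxt - s.snd_una) % 2**32:
            return s
        return None
    return None
```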
All JUNOS software releases 6.2 or higher built on or after August 28, 2004 include the modified code. Customers are encouraged to upgrade their router software to a release that includes the fix, and to set the new configuration knobs appropriately.

JUNOS software releases 6.1 and lower do not contain the modified code.
Risk Assessment:
An attacker can interfere with normal TCP sessions terminating on the router, including BGP4 and terminal-oriented management sessions. BGP4 sessions are not susceptible to a Path MTU Discovery attack because JUNOS does not enable PMTUD on routing protocol sessions. However, all TCP sessions terminating on the router are susceptible to the Source Quench attack.