Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Optimistic TCP acknowledgements can cause denial of service (CERT/CC VU#102014)



Article ID: JSA10350 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 4.0
Legacy Advisory Id:
Product Affected:
All Juniper Networks products, including E/M/T/J-series, IVE OS and ScreenOS.

The Transmission Control Protocol (TCP) is described in RFC 793 as a means to provide reliable host-to-host transmission between hosts in a packet-switched computer network. Numerous Internet protocols such as HTTP, SMTP, and FTP rely on TCP as their underlying transport protocol. Several different TCP congestion control mechanisms are specified in RFC 2581.

In the course of normal operation a TCP client acknowledges (ACKs) the receipt of packets sent to it by the server. A TCP sender varies its transmission rate based on receiving ACKs of the packets it sends. An optimistic ACK is an ACK sent by a client for a data segment that it has not yet received. A vulnerability exists in the potential for a client to craft optimistic ACKs timed in such a way that they correspond to legitimate packets that the sender has already injected into the network (often referred to as "in-flight" packets). As a result, the sender believes that the transfer is progressing better than it actually is and may increase the rate at which it sends packets. An important side effect of this condition is the amplification factor that it introduces. An attacker exploiting this vulnerability can potentially cause victims to transmit much more data than the bandwidth available to the attacker.

The Juniper Networks Security Incident Response Team (SIRT) has assessed this advisory as a very low risk potential vulnerability to any Juniper routing or firewall products due to the low data volume nature of TCP applications currently running on these platforms. Even a BGP peering session that exchanges a lot of routing updates won't have the kind of data volume that could cause a significant DoS attack.

While Juniper Networks has been looking at ways to address the problem, we are not aware of any practical means of eliminating the behavior described in the alert within the framework of existing RFCs. For these reasons, we do not have any current plans to develop any corrective code for our products to mitigate or eliminate this vulnerability.


Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of noninfringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.
Severity Level:
Severity Assessment:
In Juniper products, the volume of TCP traffic is not sufficient to cause problems, even if a user was able to exploit this vulnerability. We are not aware of any practical means of eliminating the behavior described in the alert within the definitions of existing RFCs.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search