Knowledge Search


×
 

Optimistic TCP acknowledgements can cause denial of service (CERT/CC VU#102014)

  [JSA10350] Show Article Properties


Legacy Advisory Id:
PSN-2005-12-004
Product Affected:
All Juniper Networks products, including E/M/T/J-series, IVE OS and ScreenOS.
Problem:

The Transmission Control Protocol (TCP) is described in RFC 793 as a means to provide reliable host-to-host transmission between hosts in a packet-switched computer network. Numerous Internet protocols such as HTTP, SMTP, and FTP rely on TCP as their underlying transport protocol. Several different TCP congestion control mechanisms are specified in RFC 2581.

In the course of normal operation a TCP client acknowledges (ACKs) the receipt of packets sent to it by the server. A TCP sender varies its transmission rate based on receiving ACKs of the packets it sends. An optimistic ACK is an ACK sent by a client for a data segment that it has not yet received. A vulnerability exists in the potential for a client to craft optimistic ACKs timed in such a way that they correspond to legitimate packets that the sender has already injected into the network (often referred to as "in-flight" packets). As a result, the sender believes that the transfer is progressing better than it actually is and may increase the rate at which it sends packets. An important side effect of this condition is the amplification factor that it introduces. An attacker exploiting this vulnerability can potentially cause victims to transmit much more data than the bandwidth available to the attacker.
Solution:

The Juniper Networks Security Incident Response Team (SIRT) has assessed this advisory as a very low risk potential vulnerability to any Juniper routing or firewall products due to the low data volume nature of TCP applications currently running on these platforms. Even a BGP peering session that exchanges a lot of routing updates won't have the kind of data volume that could cause a significant DoS attack.

While Juniper Networks has been looking at ways to address the problem, we are not aware of any practical means of eliminating the behavior described in the alert within the framework of existing RFCs. For these reasons, we do not have any current plans to develop any corrective code for our products to mitigate or eliminate this vulnerability.
Implementation:
None.

 Status: FINAL RELEASE

Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of noninfringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.
Related Links:
Risk Level:
Low
Risk Assessment:
In Juniper products, the volume of TCP traffic is not sufficient to cause problems, even if a user was able to exploit this vulnerability. We are not aware of any practical means of eliminating the behavior described in the alert within the definitions of existing RFCs.