Flaw in Juniper's JunOS router software could cause DDoS flood

Juniper has disclosed that that a problem with the Junos router could enable DDoS attacks

There is no patch at present, only a workaround
There is no patch at present, only a workaround

Juniper has admitted that a vulnerability in IPv6 processing on its Junos router OS could allow malicious packets to be sent to networks resulting in a DDoS attack on infrastructure.

In an advisory, the firm said the flaw could enable a specially crafted “IPv6 Neighbor Discovery” (ND) packet to be accepted by the router rather than discarded.

“The crafted packet, destined to the router, will then be processed by the routing engine (RE).  A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out,” the firm said.

The firm added that this is similar to the router's response to any purposeful malicious IPv6 ND flood destined to the router.

“The difference is that the crafted packet identified in the vulnerability is such that the forwarding controllers/ASICs should disallow this traffic from reaching the RE for further processing,” according to the advisory.

It said that following investigations, only its MX, PTX, and QFX products have been confirmed to experience this behaviour.

Juniper added that no fix was presently available at the time of writing and neither was a complete workaround.

“Security best current practices (BCPs) of filtering all ND traffic at the edge, destined to network infrastructure equipment, should be employed to limit the malicious attack surface of the vulnerability,” the firm advised.

Rich Barger, chief intelligence officer at ThreatConnect, told SCMagazineUK.com that organisations should look to either filter the protocol or packet (if possible). “It looks as if Juniper has included edge firewall rules that can block the neighbour discovery packets as a means to buffer any vulnerable devices,” he said.

Richard Cassidy, technical director EMEA at Alert Logic, said that this flaw represents a serious issue for organisations that “Dual Stack” networking with IPv6 and IPv4.

He told SC that the issue was “essentially a DDoS attack, through a specially crafted IPv6 ND packet, that can be targeted at JunOS routers from remote attackers. It is fairly simple to identify router OS versions through scanning techniques, which of course leaves most organisations at risk at some level, given the prevalence of Juniper in networking infrastructures globally.”

Alex Cruz Farmer, VP of cloud at Nsfocus, told SC that almost every network around the world is considering or planning IPv6 if they have not already. “With this in mind, it's crucial that the protection is implemented now, to avoid this security hole being exploited in future.”