[nsp-sec] Juniper TCP Option issue - validated active exploit

Barry Greene bgreene at juniper.net
Fri Jan 15 22:17:51 EST 2010


[Sent from my SENKI.ORG account.]

The TCP Option vulnerability in PSN-2010-01-623 is "active exploit." We have
one confirmed kernel code on one customer's backbone router with an exact
match. The packet was _not_ spoofing the operator's network address range
and was specifically targeting the one router. 

Some quick suggestions:

1. Check the lo0 filter to only allow packets to the loopbacks. SSH and
other packets destined to any other interface on the router would get
dropped. This narrows the attack surface.

2. Check the lo0 filter to explicitly match on source addresses of your
network.

3. If you can, deploy anti-spoof filters, even if it is just the control
plane, management plane, and infrastructure blocks.


Barry Raveendran Greene
Director, Juniper Security Incident Response Team (SIRT)

Tel (Office): +1 408 936-6887
Tel (Cell): +1 408 218-4669
E-mail: bgreene at juniper.net
Chat Locations:
AIM: Barry R Greene
MSN: BarryRGreene
Yahoo: BarryRGreene
Skype: barrygreene
Jabber: barryrgreene at jabber.tisf.net
MSN: BarryRGreene at hotmail.com

PGP: 0x16BF45F3
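
One way to run the lo0 checks from suggestions 1 and 2 against a router configuration, as an added example that is not part of the original message: a Python audit of Junos `set`-format firewall terms. The filter name, sample configuration and addresses are constructed, and only plain `source-address` / `destination-address` matches are handled (no prefix lists or `except`).

```python
import ipaddress
import re

# Constructed sample in Junos "set" format; addresses are documentation ranges.
SAMPLE_CONFIG = """\
set firewall family inet filter protect-re term ssh from source-address 192.0.2.0/24
set firewall family inet filter protect-re term ssh from destination-address 198.51.100.1/32
set firewall family inet filter protect-re term ssh then accept
set firewall family inet filter protect-re term bgp from protocol tcp
set firewall family inet filter protect-re term bgp then accept
set firewall family inet filter protect-re term snmp from source-address 203.0.113.0/24
set firewall family inet filter protect-re term snmp from destination-address 198.51.100.1/32
set firewall family inet filter protect-re term snmp then accept
set firewall family inet filter protect-re term default then discard
"""

# Captures address matches and "then accept"; every other line is ignored.
TERM_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) "
    r"(?:from (source-address|destination-address) (\S+)|then (accept))\s*$")

def audit_lo0_filter(config, filter_name, loopbacks, own_prefixes):
    """Hypothetical helper: return {term: [findings]} for accepting terms
    not pinned to a loopback destination and to the operator's own sources."""
    loopbacks = [ipaddress.ip_network(p) for p in loopbacks]
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    terms = {}
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if not m or m.group(1) != filter_name:
            continue
        t = terms.setdefault(
            m.group(2), {"source-address": [], "destination-address": [], "accept": False})
        if m.group(5):
            t["accept"] = True
        else:
            t[m.group(3)].append(ipaddress.ip_network(m.group(4), strict=False))
    findings = {}
    for name, t in terms.items():
        if not t["accept"]:
            continue  # discard/reject terms do not widen the attack surface
        issues = []
        for key, allowed, what in (("destination-address", loopbacks, "loopbacks"),
                                   ("source-address", own, "own prefixes")):
            if not t[key]:
                issues.append(f"no {key} match")
            elif not all(any(n.subnet_of(a) for a in allowed) for n in t[key]):
                issues.append(f"{key} outside {what}")
        if issues:
            findings[name] = issues
    return findings
```

A term with no findings accepts traffic only from the listed own prefixes to a listed loopback; anything reported is an accepting term broader than that.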




