Reset Search



JSA10350 - Optimistic TCP acknowledgements can cause denial of service (CERT/CC VU#102014)

« Go Back


Product AffectedPulse Connect Secure
The Transmission Control Protocol (TCP) is described in RFC 793 as a means to provide reliable host-to-host transmission between hosts in a packet-switched computer network. Numerous Internet protocols such as HTTP, SMTP, and FTP rely on TCP as their underlying transport protocol. Several different TCP congestion control mechanisms are specified in RFC 2581.

In the course of normal operation a TCP client acknowledges (ACKs) the receipt of packets sent to it by the server. A TCP sender varies its transmission rate based on receiving ACKs of the packets it sends. An optimistic ACK is an ACK sent by a client for a data segment that it has not yet received. A vulnerability exists in the potential for a client to craft optimistic ACKs timed in such a way that they correspond to legitimate packets that the sender has already injected into the network (often referred to as "in-flight" packets). As a result, the sender believes that the transfer is progressing better than it actually is and may increase the rate at which it sends packets. An important side effect of this condition is the amplification factor that it introduces. An attacker exploiting this vulnerability can potentially cause victims to transmit much more data than the bandwidth available to the attacker.
Pulse Secure SIRT has assessed this advisory as a very low risk potential vulnerability to any PCS device due to the low data volume nature of TCP applications currently running on these platforms.

While Pulse Secure has been looking at ways to address the problem, we are not aware of any practical means of eliminating the behavior described in the alert within the framework of existing RFCs. For these reasons, we do not have any current plans to develop any corrective code for our products to mitigate or eliminate this vulnerability.
Related Links
CVSS Score
Risk AssessmentIn Pulse Secure products, the volume of TCP traffic is not sufficient to cause problems, even if a user was able to exploit this vulnerability. We are not aware of any practical means of eliminating the behavior described in the alert within the definitions of
Alert TypePSN - Product Support Notification
Risk LevelLow
Attachment 1 
Attachment 2 
Legacy IDPSN-2005-12-004, JSA10350



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255