DoS on SRX devices when SIP ALG is enabled
Repeated crashes of the flowd process constitutes an extended denial of service condition for the SRX Series device.
New builds of Junos OS software are available from Juniper. As a workaround disable SIP ALG or enable flow-based processing for IPv6 traffic.
On SRX Series devices, when SIP ALG is enabled, a certain crafted SIP packet may cause the flowd process to crash. SIP ALG is enabled by default on SRX Series devices except for SRX-HE devices. SRX-HE devices have SIP ALG disabled by default. The status of ALGs can beobtained by executing the 'show security alg status' CLI command.
Junos OS 12.1X46 and 12.1X47
Check the OS build.
Updated on 2015-03-25