6.5.5 Ensure TCP RST is Set to Disabled

Information

Connection attempts to a closed / non-listening port should not return a TCP RST.

Rationale:

As with most operating systems, by default, when a client attempts to connect to a TCP port on which no service is listening, JUNOS returns a TCP RST message to inform the client that no service is available on that port.

This behavior may aid an attacker who is performing port scanning to identify open services as part of network reconnaissance, or may allow a Denial of Service (DoS) attack to be performed by placing unnecessary processing load on the Routing Engine.

No valid use exists for attempting to connect to non-listening ports on a router or other network device, so JUNOS should be configured to silently drop all packets (with any flags) sent to closed TCP ports without sending a TCP reset (RST). The client attempting to connect will time out rather than getting instant feedback, reducing the load on the JUNOS device and increasing the time required for any port scanning.

Impact:

Connection attempts to closed/non-listening ports on the JUNOS device will time out rather than receive a TCP RST.

Solution

To disable sending TCP RSTs in response to connections to closed ports, issue the following command from the [edit system internet-options] hierarchy.

[edit system internet-options]
user@host# set no-tcp-reset drop-all-tcp
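
The following Python audit helper is an added example, not part of the benchmark text, showing how to check a saved Junos configuration for this setting offline. It accepts both the hierarchical (show configuration) and "display set" formats, treats statements under an "inactive:" node as not in effect, and reports the other no-tcp-reset option, drop-tcp-with-syn-only, as a fail because this control requires drop-all-tcp. The sample configurations are constructed.

```python
# Constructed sample in hierarchical (show configuration) form; setting present.
SAMPLE_HIERARCHICAL = """
system {
    host-name router1;
    internet-options {
        no-tcp-reset drop-all-tcp;
    }
}
"""
# Constructed sample in "display set" form with the weaker drop-tcp-with-syn-only.
SAMPLE_SET = """
set system host-name router1
set system internet-options no-tcp-reset drop-tcp-with-syn-only
"""

def flatten_config(text):
    """Return every active statement as its full hierarchy path (token list).
    Accepts curly-brace and 'display set' formats; statements under an
    'inactive:' node are skipped; '## ...' and single-line '/* */' ignored."""
    stmts, stack = [], []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line or line.startswith("/*"):
            continue
        if line.startswith("set "):
            stmts.append(line.split()[1:])
            continue
        inactive = line.startswith("inactive:")
        if inactive:
            line = line[len("inactive:"):].strip()
        if line.endswith("{"):
            stack.append((line[:-1].split(), inactive))
        elif line == "}" and stack:
            stack.pop()
        elif line.endswith(";") and not inactive and not any(f for _, f in stack):
            path = [tok for name, _ in stack for tok in name]
            stmts.append(path + line[:-1].split())
    return stmts

def tcp_reset_setting(text):
    """Return the no-tcp-reset option in effect, or None (RSTs still sent)."""
    for stmt in flatten_config(text):
        if stmt[:3] == ["system", "internet-options", "no-tcp-reset"]:
            return stmt[3] if len(stmt) == 4 else None
    return None

def check_control(text):
    """Pass only for drop-all-tcp, the value this control requires."""
    return tcp_reset_setting(text) == "drop-all-tcp"
```

Run it over the output of "show configuration" (or "| display set") saved from each device; a deactivated internet-options block is reported as a fail just like a missing one.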

Default Value:

By default, JUNOS sends TCP RSTs in response to connections made to non-listening ports.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: dd3023b108f02bf9babd84f3f724ab802f92e7b6ed509b8fe48cc432bed683ea