Re: FTP denial of service attack
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 8 Dec 1999 12:46:04 +1100
In some mail from Henrik Nordstrom, sie said:
> Darren Reed wrote:
> > ftpd's which limit connections to 1 per user@host or similar may have some
> > defense against this, or if they don't support multiple data connections
> > open at the same time.
>
> FTP does NOT support multiple data channels. The standard says that the
> server MUST close the previous connection if the user agent initiates a
> new channel (by using PORT/PASV).

No, the standard doesn't, or at least the original, rfc959, doesn't specify
this. In section 3.2, it reads:
MUST close the data connection under the following conditions:
1. The server has completed sending data in a transfer mode
that requires a close to indicate EOF.
2. The server receives an ABORT command from the user.
3. The port specification is changed by a command from the
4. The control connection is closed legally or otherwise.
5. An irrecoverable error condition occurs.
This attack satisfies none of the above conditions. The server doesn't
complete sending or receiving data (no EOF), no ABORT is sent, the port
specification is not changed, the control connection isn't closed and
it attempts to not otherwise cause an error. That's the only reference
I can find amongst the _many_ FTP RFC's which says "MUST close". I have
not searched them all in case of correction, so I'm counting on you to
be able to back up your words with a suitable reference if you maintain
what you said to be true.

> All FTP servers I have tried do this.

And those are which ones? Having read the RFC, I would counter your
claim and say they're not compliant with rfc959. I hope this isn't
one you've written yourself O:-)

> This attack is a TCP FIN_WAIT2 attack.

Ah, no it isn't.
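
The server-side behaviour debated in this message, sketched as an added example (not part of the original post and not taken from any real ftpd): a control connection that closes its previous passive listener when a new PASV arrives never holds more than one data socket, while one that does not accumulates them. The class and function names, the loopback binding and the command list are assumptions constructed for the illustration.

```python
import socket


class FtpSession:
    """State for one control connection (hypothetical class, not from a real ftpd)."""

    def __init__(self, single_data_channel=True):
        self.single_data_channel = single_data_channel
        self.listeners = []  # passive-mode listening sockets owned by this session

    def handle_pasv(self):
        """Open a passive listener and return the 227 reply line."""
        if self.single_data_channel:
            self.close_data()  # release the previous data channel first
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("127.0.0.1", 0))  # ephemeral port, loopback only for the demo
        sock.listen(1)
        self.listeners.append(sock)
        host, port = sock.getsockname()
        h = host.replace(".", ",")
        return f"227 Entering Passive Mode ({h},{port >> 8},{port & 0xFF})"

    def close_data(self):
        for s in self.listeners:
            s.close()
        self.listeners.clear()

    def open_listener_count(self):
        return sum(1 for s in self.listeners if s.fileno() != -1)


def replay(commands, single_data_channel):
    """Feed control-channel commands to a session; return listeners left open."""
    session = FtpSession(single_data_channel)
    try:
        for cmd in commands:
            if cmd.upper() == "PASV":
                session.handle_pasv()
        return session.open_listener_count()
    finally:
        session.close_data()


# Constructed sample input: one login followed by repeated PASV requests.
CONSTRUCTED_COMMANDS = ["USER anonymous", "PASS guest"] + ["PASV"] * 20

if __name__ == "__main__":
    print("one data channel per session:", replay(CONSTRUCTED_COMMANDS, True))
    print("no limit:", replay(CONSTRUCTED_COMMANDS, False))
```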