|
Vulnerability Development
mailing list archives
Re: PORT or PASV mode of IIS 4.0's FTP
From: Todd Garrison <tgarris () FRAMELOSS ORG>
Date: Thu, 3 Aug 2000 09:23:34 -0600
This sounds alot like SynDefender responding to what it believed was a
syn flood. I have seen many an admin configure SYN flood protection on
their firewall not realizing the consequences. It is a dangerous
feature that I personally don't see the benefit of using, it is more
likely to make your server unavailable than to protect it.
A packet dump would probably be the most helpful - are your connections
normally torn down or do you just get cut off with an RST?
If it is configured for, say 100 SYNs per minute, and you have a
reasonbly quick connection - the 101st SYN packet through the firewall
would cause any connections from your IP to be dropped by the firewall.
The ftp client is trying to "get" 15,000 1-K files from the IIS's FTP
server, the connection is killed by FW-1 after it got 100 files. The
fw-log shows that when the client's "source port" hit a "pre-defined
service (port) in the rulebase, the connection is dropped. CP
explained that FW-1 thought that it was a security violation.
 By Date 
By Thread
Current thread:
| 
Intro
