Bugtraq mailing list archives

Re: FTP denial of service attack

From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Wed, 8 Dec 1999 01:26:42 +0100


Darren Reed wrote:

ftpd's which limit connections to 1 per user@host or similar may have some
defense against this, or if they don't support multiple data connections
open at the same time.


FTP does NOT support multiple data channels. The standard says that the
server MUST close the previous connection if the user agent initiates a
new channel (by using PORT/PASV). All FTP servers I have tried does
this.

This attack is a TCP FIN_WAIT2 attack. I.e. it is more of an TCP DOS
than an FTP DOS. Any TCP service which accepts unlimited rate of
connections can be attacked in this way if you can affort (or spoof) to
have that number of TCP connection open. The main difference from other
FIN_WAIT2 attacks is that the FTP service usually does not log each
individual data channel connection, making it hard to locate once the
attacker has closed down the attack.

--
Henrik Nordstrom

Current thread:

Re: FTP DoS - PORT and PASV effected., (continued)
- - - Re: FTP DoS - PORT and PASV effected. Henrik Nordstrom (Dec 09)
  - Re: FTP denial of service attack antirez () INVECE ORG (Dec 07)
  - Re: FTP denial of service attack Dustin Miller (Dec 07)
    - Re: FTP denial of service attack Hugo.van.der.Kooij () CAIW NL (Dec 08)
    - Re: FTP denial of service attack Paulo Licio de Geus (Dec 09)
    - [Debian] New version of htdig released Aleph One (Dec 10)
    - Fundamental flaw in UnixWare 7 security Brock Tellier (Dec 10)
    - Solaris sadmind Buffer Overflow Vulnerability Alfred Huger (Dec 10)
  - Re: FTP denial of service attack bert hubert (Dec 07)
    - Re: FTP denial of service attack antirez () INVECE ORG (Dec 09)
  - Re: FTP denial of service attack Henrik Nordstrom (Dec 07)
    - Re: FTP denial of service attack Darren Reed (Dec 07)
    - Re: FTP denial of service attack Henrik Nordstrom (Dec 07)
    - Re: FTP denial of service attack Darren Reed (Dec 07)
  - Re: FTP denial of service attack Theo de Raadt (Dec 07)
    - Re: FTP denial of service attack Darren Reed (Dec 07)
  - Re: FTP denial of service attack Gregory A Lundberg (Dec 10)
  - RSAREF2 buffer overflow patch Gerardo Richarte (Dec 10)
- Re: new IE5 remote exploit Shane Hird (Dec 07)
- NT WinLogon VM contains plaintext password visible in admin mode Robert Horvick (Dec 07)
  - Re: NT WinLogon VM contains plaintext password visible in admin mode Chris Paget (Dec 08)

(Thread continues...)