Bugtraq mailing list archives
Re: FTP denial of service attack
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 8 Dec 1999 12:46:04 +1100
In some mail from Henrik Nordstrom, sie said:
> Darren Reed wrote:
> > ftpd's which limit connections to 1 per user@host or similar may have some defense against this, or if they don't support multiple data connections open at the same time.
>
> FTP does NOT support multiple data channels. The standard says that the server MUST close the previous connection if the user agent initiates a new channel (by using PORT/PASV).

No, the standard doesn't, or at least the original, rfc959, doesn't specify this. In section 3.2, it reads:

[...]
The server MUST close the data connection under the following conditions:

1. The server has completed sending data in a transfer mode that requires a close to indicate EOF.
2. The server receives an ABORT command from the user.
3. The port specification is changed by a command from the user.
4. The control connection is closed legally or otherwise.
5. An irrecoverable error condition occurs.
[...]

This attack satisfies none of the above conditions. The server doesn't complete sending or receiving data (no EOF), no ABORT is sent, the port specification is not changed, the control connection isn't closed and it attempts to not otherwise cause an error. That's the only reference I can find amongst the _many_ FTP RFCs which says "MUST close". I have not searched them all in case of correction, so I'm counting on you to be able to back up your words with a suitable reference if you maintain what you said to be true.

> All FTP servers I have tried do this.

And those are which ones? Having read the RFC, I would counter your claim and say they're not compliant with rfc959. I hope this isn't one you've written yourself O:-)

> This attack is a TCP FIN_WAIT2 attack.

Ah, no it isn't.

Darren
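
The point argued above, as an added example that is not part of the original message or of any real ftpd: a small accounting model in which the five rfc959 section 3.2 conditions are the only protocol-mandated reasons to close a data connection, so an idle peer releases nothing and the number of held connections is bounded only by the server's own limits (sessions per user@host, one data connection at a time). `FtpdModel`, `Event` and the sample user and host are hypothetical names constructed for this illustration.

```python
from enum import Enum, auto

class Event(Enum):
    EOF_SENT = auto()        # 1. transfer done in a mode where close marks EOF
    ABORT = auto()           # 2. ABORT command received from the user
    PORT_CHANGED = auto()    # 3. port specification changed by a user command
    CONTROL_CLOSED = auto()  # 4. control connection closed, legally or otherwise
    ERROR = auto()           # 5. irrecoverable error condition
    IDLE = auto()            # not in the list: the peer simply does nothing

MUST_CLOSE = frozenset(Event) - {Event.IDLE}

class FtpdModel:
    """Hypothetical resource-accounting model of an ftpd (no sockets involved)."""
    def __init__(self, max_sessions_per_peer=1, single_data_channel=True):
        self.max_sessions_per_peer = max_sessions_per_peer
        self.single_data_channel = single_data_channel
        self.sessions = {}   # session id -> (peer, open data connections)
        self.next_id = 0

    def login(self, user, host):
        peer = f"{user}@{host}"
        active = sum(1 for p, _ in self.sessions.values() if p == peer)
        if active >= self.max_sessions_per_peer:
            return None      # refused: per-user@host session limit reached
        self.next_id += 1
        self.sessions[self.next_id] = (peer, 0)
        return self.next_id

    def open_data(self, sid):
        peer, n = self.sessions[sid]
        if self.single_data_channel:
            n = 0            # server policy: drop the previous data connection
        self.sessions[sid] = (peer, n + 1)

    def event(self, sid, ev):
        peer, n = self.sessions[sid]
        if ev in MUST_CLOSE:
            n = 0            # one of the five conditions: data connection closes
        if ev is Event.CONTROL_CLOSED:
            del self.sessions[sid]
        else:
            self.sessions[sid] = (peer, n)

    def held(self):
        """Total data connections the server is still holding open."""
        return sum(n for _, n in self.sessions.values())
```

With both limits on, `held()` can never exceed the number of permitted control sessions; with them off it grows with every `open_data` call and only a MUST-close event brings it back down.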