Bugtraq mailing list archives
Re: FTP denial of service attack
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Tue, 7 Dec 1999 22:41:45 -0700
I don't know of any ftp clients which make use of this feature (multiple data channels supported concurrently) as the original ftp clients were all line-based and only supported one transfer at a time. Maybe this is reasonable, but it would be a shame for the default defense to this attack to mean you can't use FTP to its full potential (i.e. start a transfer from the current session but keep using the current `login' session, maybe to start other transfers, as required). Trimming the number of concurrent data sessions to a maximum of 1-5 (by default) would probably be enough, with the capability to set this higher/lower as required.
The OpenBSD ftpd has never permitted more than 1 connection at a time in PASV mode, thus this particular denial of service attack does not work. I caused myself some difficulties by accidentally starting up 400 perl instances, though. One of the Linuxes out there also ships with our ftpd, so they will not have a problem with this either. It's either Debian or Suse...
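As an added example, not taken from the thread or from the OpenBSD ftpd source, here is a small Python model of the per-session limit described above: every PASV command binds a real loopback listener, a session may hold at most max_pending listeners that the client has not yet connected to, and a further PASV closes the oldest idle one first. The class and function names are this example's own, and the two simulate_* helpers stand in for a client that floods PASV and for one that actually transfers.

```python
import select
import socket

class PasvSessionLimiter:
    """Per-session cap on idle PASV listeners, the limit described in the reply."""

    def __init__(self, max_pending=1):
        self.max_pending = max(1, max_pending)   # 1 = one PASV listener at a time
        self.pending = []   # listeners still waiting for the client's connect

    def handle_pasv(self):
        """Process one PASV command; return the port the client must connect to.
        A client looping on PASV without ever connecting would leave one idle
        descriptor per command, so beyond max_pending the oldest is closed first."""
        while len(self.pending) >= self.max_pending:
            self.pending.pop(0).close()
        lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        lsock.bind(("127.0.0.1", 0))   # port 0: kernel picks a free port
        lsock.listen(1)
        self.pending.append(lsock)
        return lsock.getsockname()[1]

    def accept_ready(self):
        """Accept data connections on listeners the client actually reached."""
        ready = select.select(self.pending, [], [], 0)[0] if self.pending else []
        conns = [lsock.accept()[0] for lsock in ready]
        for lsock in ready:
            self.pending.remove(lsock)
            lsock.close()   # listener done; the accepted data socket lives on
        return conns

def simulate_pasv_flood(n_pasv, max_pending):
    """n_pasv PASV commands that never connect back; returns live listener count."""
    session = PasvSessionLimiter(max_pending)
    for _ in range(n_pasv):
        session.handle_pasv()
    live = len(session.pending)
    for lsock in session.pending:
        lsock.close()
    return live

def simulate_honest_transfer():
    """One PASV followed by a real connect: (accepted sockets, listeners left)."""
    session = PasvSessionLimiter(max_pending=2)
    client = socket.create_connection(("127.0.0.1", session.handle_pasv()))
    conns = session.accept_ready()
    result = (len(conns), len(session.pending))
    for s in conns + [client] + session.pending:
        s.close()
    return result
```

With max_pending=1 a session never holds more than one listener however many PASV commands arrive, while a client that does connect still gets its data channel accepted.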