Bugtraq mailing list archives

Re: FTP denial of service attack

From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Thu, 9 Dec 1999 15:35:59 +1100


In some mail from der Mouse, sie said:
[...]

As far as I can tell the ftp protocol has no way to name data channels,
so there's no way for *any* ftp client to use multiple concurrent data
channels without opening a separate control connection for each one,
and that this is therefore a simple bug in servers that accept multiple
PASV commands and maintain multiple concurrent data connections for a
single control connection.  Am I missing something?


Just the obvious from an implementation point of view ;) It makes sense
that (if the ftp server supports is) for a second file, for which I've
made a second connection, to come down that stream, etc.  The connections
aren't named directly because there is no need to.  The single order of
operations within the FTP protocol provides some assurance that file
request A goes with connection a, etc.

Darren

Current thread:

Re: FTP denial of service attack der Mouse (Dec 07)
- Whois.cgi - ADVISORY. Cody T. - hhp (Nov 09)
- Re: FTP denial of service attack Darren Reed (Dec 08)
- Re: FTP denial of service attack Phillip Susi (Dec 08)
- <Possible follow-ups>
- Re: FTP denial of service attack der Mouse (Dec 08)
- Re: FTP denial of service attack der Mouse (Dec 08)