[12888] in bugtraq
Re: FTP denial of service attack
daemon@ATHENA.MIT.EDU (der Mouse)
Wed Dec 8 22:48:56 1999
Message-Id: <199912071832.NAA29675@Twig.Rodents.Montreal.QC.CA>
Date: Tue, 7 Dec 1999 13:32:57 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

> [data-connection-spamming DOS attack against FTP servers]
> ftpd's which limit connections to 1 per user@host or similar may have
> some defense against this, or if they don't support multiple data
> connections open at the same time.

I have trouble imagining why any ftp daemon *would* support multiple
data connections for any given control connection. RFC 959 speaks of
"the" data connection of an FTP session, and in the absence of any way
to specify which data connection is to be used for a data transfer,
there's no use for multiple such anyway.

Presumably something of the sort could be supported as an extension,
but just doing PASV/connect/PASV/connect/PASV/connect the way the
posted exploit does is not something I would expect would do any damage
(except for, possibly, tying up the whole available range of port
numbers with TIME_WAIT tcbs, an attack that can be launched against
almost any service, if it can be done at all).

> I don't know of any ftp clients which make use of this feature
> (multiple data channels supported concurrently) as the original ftp
> clients were all line-based and only supported one transfer at a time.

As far as I can tell the ftp protocol has no way to name data channels,
so there's no way for *any* ftp client to use multiple concurrent data
channels without opening a separate control connection for each one,
and that this is therefore a simple bug in servers that accept multiple
PASV commands and maintain multiple concurrent data connections for a
single control connection. Am I missing something?

der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
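
One way a server can enforce the single-data-connection model discussed in this message, as an added example (not code from the post or from any ftpd): a hypothetical `ControlSession` closes its previous passive listener on every new PASV, so repeated PASV commands on one control connection never hold more than one listening port. The class and function names and the loopback bind address are assumptions.

```python
import socket


class ControlSession:
    """Per-control-connection state holding at most one passive data listener."""

    def __init__(self, bind_addr="127.0.0.1"):
        self.bind_addr = bind_addr
        self.pasv_listener = None  # "the" data connection endpoint (RFC 959)

    def handle_pasv(self):
        """Handle PASV: drop any earlier listener, then open a fresh one."""
        self.close_listener()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((self.bind_addr, 0))  # kernel picks a free port
        s.listen(1)                  # one pending data connection is enough
        self.pasv_listener = s
        host, port = s.getsockname()
        return "227 Entering Passive Mode (%s,%d,%d)" % (
            host.replace(".", ","), port >> 8, port & 0xFF)

    def accept_data(self, timeout=5.0):
        """Accept the single data connection, then retire the listener."""
        if self.pasv_listener is None:
            raise RuntimeError("no PASV issued on this control connection")
        self.pasv_listener.settimeout(timeout)
        conn, _peer = self.pasv_listener.accept()
        self.close_listener()
        return conn

    def close_listener(self):
        if self.pasv_listener is not None:
            self.pasv_listener.close()
            self.pasv_listener = None


def replay_pasv_flood(n=50):
    """Constructed input: n back-to-back PASV commands on one session.
    Returns how many of the listeners created are still open afterwards."""
    session = ControlSession()
    seen = []
    for _ in range(n):
        session.handle_pasv()
        seen.append(session.pasv_listener)
    still_open = sum(1 for s in seen if s.fileno() != -1)
    session.close_listener()
    return still_open
```

A server would also call `close_listener()` when the control connection ends, so an abandoned session does not leave its port bound.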