[12889] in bugtraq
Re: FTP denial of service attack
daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Wed Dec 8 23:02:17 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <384DA5C2.364A27B8@hem.passagen.se>
Date: Wed, 8 Dec 1999 01:26:42 +0100
Reply-To: hno@HEM.PASSAGEN.SE
From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
X-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Darren Reed wrote:
> ftpd's which limit connections to 1 per user@host or similar may have some
> defense against this, or if they don't support multiple data connections
> open at the same time.
FTP does NOT support multiple data channels. The standard says that the
server MUST close the previous connection if the user agent initiates a
new channel (by using PORT/PASV). All FTP servers I have tried does
this.
This attack is a TCP FIN_WAIT2 attack. I.e. it is more of an TCP DOS
than an FTP DOS. Any TCP service which accepts unlimited rate of
connections can be attacked in this way if you can affort (or spoof) to
have that number of TCP connection open. The main difference from other
FIN_WAIT2 attacks is that the FTP service usually does not log each
individual data channel connection, making it hard to locate once the
attacker has closed down the attack.
--
Henrik Nordstrom
