[12895] in bugtraq
Re: FTP denial of service attack
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Wed Dec 8 23:50:31 1999
Message-Id: <199912080541.WAA07911@cvs.openbsd.org>
Date: Tue, 7 Dec 1999 22:41:45 -0700
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Tue, 07 Dec 1999 23:29:56 +1100."
<199912071229.XAA13996@cairo.anu.edu.au>
> I don't know of any ftp clients which make use of this feature (multiple
> data channels supported concurrently) as the original ftp clients were all
> line-based and only supported one transfer at a time. Maybe this is
> reasonable, but it would be a shame for the default defense to this attack
> to mean you can't use FTP to its full potential (i.e. start a transfer
> from the current session but keep using the current `login' session, maybe
> to start other transfers, as required). Trimming the number of concurrent
> data sessions to a maximum of 1-5 (by default) would probably be enough,
> with the capability to set this higher/lower as required.
The OpenBSD ftpd has never permitted more than 1 connection at a time
in PASV mode, thus this particular denial of service attack does not
work.
I caused myself some difficulties by accidentally starting up 400 perl
instances, though.
One of the Linuxes out there also ships with our ftpd, so they will
not have a problem with this either. It's either Debian or Suse...
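One way to implement the per-session cap discussed in this thread, as an added illustration and not OpenBSD ftpd's own code: a control session may hold at most `max_pending` unaccepted passive data listeners, and a further PASV closes the oldest one, so a client that keeps issuing PASV without ever connecting ties up one ephemeral port (or five), not hundreds. The `PasvAllocator` class, its eviction policy and the loopback simulation are assumptions made for this example.

```python
import socket
from typing import List, Tuple


class PasvAllocator:
    """Per-control-session PASV listener policy (constructed example).

    The server never holds more than `max_pending` passive data listeners
    for one control connection. At the cap, a new PASV closes the oldest
    listener that no client has connected to, bounding the sockets and
    ports a single session can pin down.
    """

    def __init__(self, max_pending: int = 1):
        self.max_pending = max_pending
        self.pending: List[socket.socket] = []   # listeners awaiting a data connection
        self.evicted = 0                         # listeners closed to enforce the cap

    def pasv(self) -> int:
        """Handle one PASV command: bind a loopback listener on an ephemeral
        port and return that port (what a 227 reply would advertise)."""
        while len(self.pending) >= self.max_pending:
            self.pending.pop(0).close()          # enforce the cap: drop the oldest
            self.evicted += 1
        ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ls.bind(("127.0.0.1", 0))                # ephemeral port, like ftpd's data socket
        ls.listen(1)
        self.pending.append(ls)
        return ls.getsockname()[1]

    def open_listeners(self) -> int:
        return len(self.pending)

    def close_all(self) -> None:
        for ls in self.pending:
            ls.close()
        self.pending.clear()


def pasv_without_connect(requests: int, max_pending: int) -> Tuple[int, int]:
    """Simulate a client issuing `requests` PASV commands and never opening the
    data connection. Returns (listeners still open, listeners evicted)."""
    alloc = PasvAllocator(max_pending)
    for _ in range(requests):
        alloc.pasv()
    result = (alloc.open_listeners(), alloc.evicted)
    alloc.close_all()
    return result


if __name__ == "__main__":
    print(pasv_without_connect(400, 1))   # (1, 399): one port held, not 400
    print(pasv_without_connect(400, 5))   # (5, 395): Darren's suggested upper bound
```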