Firewall Wizards mailing list archives
Our friend FTP, again
From: Matthew Patton <patton () sysnet net>
Date: Tue, 13 Apr 1999 19:51:18 -0400
As has been hashed roundly in the past, FTP is a lousy protocol. Active is a mess since the client IP is in the payload - which is often a reserved IP. Passive mode means opening up a huge hole (client port > 1023 to server > 1023) or having an intelligent proxy in the middle that opens and closes the specific ports as needed.

Isn't it true that I could have a machine making random (or intelligent) ftp-data connections to a high traffic ftp server, hoping to connect to the passive-mode data connection before the real client gets a chance? What does the server check for? The source IP being the same? What if legit user and 'cracker' are sitting on the same box? Or spoofing accomplishes the same thing?

Is there any way of seeing the following happen?

1) enhanced servers and clients that multiplex the data and command channel so only one TCP connection is ever made

2) a cryptographic cookie value passed between server and client which 'authenticates' (or perhaps better - legitimizes) the data connection (whether it be traditional active or passive mode)

3) have a passive mode connection always connect to port ftp-data (20) instead of some random high port. This would I think require some sort of traffic on the command channel to inform the server of client ip and socket (to figure out which connection is which) or a cookie a la #2, but this is starting to introduce the problems of ACTIVE mode.

Do any of these make sense?

--------
OpenBSD - Because security matters... (http://www.openbsd.org/)

"Bill Clinton has acted for the past year on his deepest beliefs: that Law is merely politics, that the truth is merely spin, that an oath is merely rhetoric, that justice is merely power. These doctrines...corrupt us and degrade our constitutional order in a profound way." - William Kristol (Newsweek)