Vulnerability Development mailing list archives
Re: PORT or PASV mode of IIS 4.0's FTP
From: Todd Garrison <tgarris () FRAMELOSS ORG>
Date: Thu, 3 Aug 2000 09:23:34 -0600
This sounds a lot like SynDefender responding to what it believed was a SYN flood. I have seen many an admin configure SYN flood protection on their firewall not realizing the consequences. It is a dangerous feature that I personally don't see the benefit of using; it is more likely to make your server unavailable than to protect it. A packet dump would probably be the most helpful - are your connections normally torn down, or do you just get cut off with an RST? If it is configured for, say, 100 SYNs per minute, and you have a reasonably quick connection, the 101st SYN packet through the firewall would cause any connections from your IP to be dropped by the firewall.
The FTP client is trying to "get" 15,000 1-K files from IIS's FTP server; the connection is killed by FW-1 after it got 100 files. The FW log shows that when the client's "source port" hit a "pre-defined service (port)" in the rulebase, the connection is dropped. CP explained that FW-1 thought that it was a security violation.
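The two failure modes discussed in this thread, a per-source SYN threshold tripping on a fast bulk transfer and a client's ephemeral source port landing on a port the rulebase treats as a service, can be modelled in a few lines. The following is an added example written for this archive page, not code from the list posters, Check Point or Microsoft. The threshold (100 SYNs per 60-second window), the sequential ephemeral-port allocation starting at 1024, the per-file timing and the small "service port" set are all constructed assumptions; real firewalls and TCP stacks differ in their exact counters and port selection.

```python
"""Model of a per-source SYN-rate threshold and a source-port/service-port
collision during a bulk FTP transfer. Every file fetched over FTP opens a new
data connection, so each file costs one TCP handshake (one SYN) as seen by a
firewall in the path.

Added example; all constants below are constructed assumptions.
"""
from collections import deque

SYN_LIMIT = 100          # assumed: SYNs allowed per source IP per window
WINDOW_SECONDS = 60.0    # assumed: one-minute window, as in the post
# Constructed sample of high-numbered ports an admin might define as
# services in a rulebase; an ephemeral port can collide with any of them.
SERVICE_PORTS = {1080, 1433, 3389, 5900, 8080}
EPHEMERAL_BASE = 1024    # assumed: client hands out ports sequentially from here


class SynRateGuard:
    """Sliding-window SYN counter per source IP.

    Once a source exceeds the limit inside the window, every further SYN
    from it is refused: the behaviour the poster attributes to SynDefender.
    """

    def __init__(self, limit=SYN_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.syns = {}        # src_ip -> deque of SYN timestamps (seconds)
        self.blocked = set()  # sources that tripped the threshold

    def accept_syn(self, src_ip, ts):
        """Return True if this SYN passes, False if the source is (now) blocked."""
        if src_ip in self.blocked:
            return False
        q = self.syns.setdefault(src_ip, deque())
        while q and ts - q[0] > self.window:   # expire SYNs outside the window
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:                # the (limit+1)th SYN trips it
            self.blocked.add(src_ip)
            return False
        return True


def simulate_ftp_get(n_files, seconds_per_file, guard, src_ip="10.0.0.5",
                     first_port=EPHEMERAL_BASE, service_ports=SERVICE_PORTS):
    """Replay n_files sequential data connections through the guard.

    Returns a dict with how many files got through before the source was
    blocked (None if never blocked) and every (file_number, source_port)
    pair whose ephemeral port equals a rulebase service port.
    """
    transferred = 0
    blocked_at = None
    collisions = []
    port_span = 65536 - EPHEMERAL_BASE
    for i in range(n_files):
        ts = i * seconds_per_file
        src_port = EPHEMERAL_BASE + ((first_port - EPHEMERAL_BASE + i) % port_span)
        if src_port in service_ports:
            collisions.append((i + 1, src_port))
        if blocked_at is None:
            if guard.accept_syn(src_ip, ts):
                transferred += 1
            else:
                blocked_at = i + 1
    return {"transferred": transferred,
            "blocked_at_file": blocked_at,
            "port_collisions": collisions}


if __name__ == "__main__":
    # Fast link: 15,000 small files at 50 ms each, i.e. 100 SYNs in 5 s.
    fast = simulate_ftp_get(15000, 0.05, SynRateGuard())
    print("fast transfer:", fast["transferred"], "files, blocked at file",
          fast["blocked_at_file"])
    print("ephemeral ports that hit a service port:", fast["port_collisions"])
    # Slow link: one file per second never holds 100 SYNs inside one window.
    slow = simulate_ftp_get(15000, 1.0, SynRateGuard())
    print("slow transfer:", slow["transferred"], "files, blocked at file",
          slow["blocked_at_file"])
```

The fast run stops after exactly 100 files, matching the symptom in the post, while the same 15,000-file job on a slow link never trips the threshold, which is why a rate-based "flood" heuristic cannot distinguish a bulk FTP mirror from an attack. The collision list shows the second problem independently of the threshold: a sequentially allocated source port will eventually equal whatever high port the rulebase names as a service, so a rule keyed on source port alone will drop legitimate data connections.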
Current thread:
- PORT or PASV mode of IIS 4.0's FTP C. K. Lung (Aug 02)
- Re: PORT or PASV mode of IIS 4.0's FTP Adam Prato (Aug 02)
- Re: PORT or PASV mode of IIS 4.0's FTP Adam Prato (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Dug Song (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Todd Garrison (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Makoto Shiotsuki (Aug 08)
- Re: PORT or PASV mode of IIS 4.0's FTP Adam Prato (Aug 02)