Bugtraq mailing list archives

Re: FTP denial of service attack


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 8 Dec 1999 12:46:04 +1100


In some mail from Henrik Nordstrom, sie said:

> Darren Reed wrote:
>
> > ftpd's which limit connections to 1 per user@host or similar may have some
> > defense against this, or if they don't support multiple data connections
> > open at the same time.
>
> FTP does NOT support multiple data channels. The standard says that the
> server MUST close the previous connection if the user agent initiates a
> new channel (by using PORT/PASV).

No, the standard doesn't, or at least the original, rfc959, doesn't specify
this.  In section 3.2, it reads:
[...]
  The server
      MUST close the data connection under the following conditions:

         1. The server has completed sending data in a transfer mode
            that requires a close to indicate EOF.

         2. The server receives an ABORT command from the user.

         3. The port specification is changed by a command from the
            user.

         4. The control connection is closed legally or otherwise.

         5. An irrecoverable error condition occurs.
[...]

This attack satisfies none of the above conditions.  The server doesn't
complete sending or receiving data (no EOF), no ABORT is sent, the port
specification is not changed, the control connection isn't closed and
it attempts to not otherwise cause an error.  That's the only reference
I can find amongst the _many_ FTP RFCs which says "MUST close".  I have
not searched them all in case of correction, so I'm counting on you to
be able to back up your words with a suitable reference if you maintain
what you said to be true.

> All FTP servers I have tried do this.

And those are which ones?  Having read the RFC, I would counter your
claim and say they're not compliant with rfc959.  I hope this isn't
one you've written yourself O:-)

> This attack is a TCP FIN_WAIT2 attack.

Ah, no it isn't.

Darren
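The five "MUST close" conditions from RFC 959 section 3.2 that the thread argues over, modelled as an added example (not code from either poster or from any real ftpd): a tiny session tracker that closes the data connection only for those five events, which shows that a transfer that merely stalls is never closed by the RFC rules alone, so the idle timeout here is an assumed server-local policy rather than RFC text. Class, method and reason-string names are invented for illustration.

```python
class DataConnection:
    def __init__(self, port_spec, now):
        self.port_spec = port_spec   # (host, port) from the last PORT/PASV
        self.open = True
        self.last_activity = now     # used only by the local idle timeout

class FtpSession:
    """Tracks one control connection and its current data connection."""
    def __init__(self, idle_timeout=300):
        self.data = None
        self.control_open = True
        self.idle_timeout = idle_timeout   # assumed local policy, not RFC text
        self.closed_for = []               # why each data connection was closed

    def _close(self, reason):
        if self.data is not None and self.data.open:
            self.data.open = False
            self.closed_for.append(reason)

    def port_command(self, host, port, now):
        # Condition 3: the port specification changed, so the server must
        # close any existing data connection before setting up the new one.
        self._close("3: port specification changed")
        self.data = DataConnection((host, port), now)

    def transfer_complete(self):
        # Condition 1: in a mode where close signals EOF, close after sending.
        self._close("1: EOF signalled by close")

    def abort(self):
        # Condition 2: ABOR received on the control connection.
        self._close("2: ABORT received")

    def control_closed(self):
        # Condition 4: the control connection is gone, legally or otherwise.
        self.control_open = False
        self._close("4: control connection closed")

    def error(self):
        # Condition 5: an irrecoverable error.
        self._close("5: irrecoverable error")

    def tick(self, now):
        # A stalled transfer triggers none of the five conditions (the gap the
        # thread describes); the idle timeout is a server-local defence only.
        if self.data_open() and now - self.data.last_activity > self.idle_timeout:
            self._close("local policy: idle timeout")
    def data_open(self):
        return self.data is not None and self.data.open
```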
