Re: FTP denial of service attack

[mouse () RODENTS MONTREAL QC CA (der Mouse)]

> The RFC is somewhat ambiguous in this area, and it is not clear how
> one would go about actually doing it, but I belive it does indicate
> that you can have multiple data connections as long as you issue a
> REIN command to reinitialize the user and IO context before you issue
> a new PORT or PASV command.

I still can't see how you can use them.  Each STOR or RETR (or LIST, or
whatever) uses the most recently specified data connection; there's no
way to use any others.  And you can't start transferring and leave it
to finish, either, because once the transfer starts all you can do with
the control connection is wait until the transfer finishes or do the
IP/Synch/ABOR thing (a few other commands are allowed, such as STAT,
but certainly not the whole suite; I suppose you could make a server
recognize them, but it's still not clear how it would work - which
reply goes with which transfer, at a minimum?).

> I think it would be nice to be able to have such a feature so clients
> that wanted to do that kind of thing wouldn't have to open multiple
> control connections each time.

Quite aside from requiring a protocol rework, there's no use for it,
except bandwidth-hogging by performing multiple transfers in parallel
rather than serially.

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B