Firewall Wizards mailing list archives

Re: New ftp behavior


From: Vern Paxson <vern () ee lbl gov>
Date: Thu, 23 Oct 1997 16:40:30 PDT

I checked the logs and discovered that, although the original ftp 
connection was made to xxx.xxx.xxx.yyy, the response was coming from 
xxx.xxx.xxx.zzz.  The firewall very properly considered this an attempt to 
hijack an open port and closed the ftp transaction.

What causes the remote site to behave this way?

This is not all that uncommon - the monitoring system I'm working on
(drop me a line for a draft paper) has had this check for quite a while,
and it trips every few days, sometimes more often.  I think it usually
is due to a multi-homed site - or a site with multiple IP addresses
on the same interface (evidently popular for Web farms) - which isn't
consistently using the same address.

It has also occasionally tripped due to a genuine attack, but these
are much more rare.

                Vern
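
The check discussed in this message, sketched as an added example (not part of the original post and not code from the monitoring system it mentions): compare the source of each FTP data connection with the server address of the client's control connection. The event tuple format, the verdict names and the /24 "same prefix" heuristic for spotting a likely multi-homed server are assumptions made for illustration; all addresses are constructed.

```python
import ipaddress

# Constructed sample events (documentation addresses), not from the original post.
# ("ctrl", client, server): client opened an FTP control connection to server:21
# ("data", src, dst):       inbound active-mode data connection from src to dst
EVENTS = [
    ("ctrl", "192.0.2.10", "198.51.100.5"),
    ("data", "198.51.100.5", "192.0.2.10"),   # same address as control peer
    ("ctrl", "192.0.2.11", "198.51.100.20"),
    ("data", "198.51.100.21", "192.0.2.11"),  # sibling address of the server
    ("ctrl", "192.0.2.12", "198.51.100.30"),
    ("data", "203.0.113.9", "192.0.2.12"),    # unrelated network
    ("data", "198.51.100.5", "192.0.2.99"),   # client has no control session
]

ORDER = ["match", "mismatch-same-prefix", "mismatch-foreign"]

def classify(control_server, data_src, prefix_len=24):
    """Compare the data-connection source with the control-connection server."""
    if data_src == control_server:
        return "match"
    # Assumption: an address in the same prefix suggests a multi-homed site.
    net = ipaddress.ip_network(f"{control_server}/{prefix_len}", strict=False)
    if ipaddress.ip_address(data_src) in net:
        return "mismatch-same-prefix"
    return "mismatch-foreign"

def audit(events, prefix_len=24):
    """Return (src, dst, verdict) for every data connection in the event list."""
    servers = {}  # client -> servers it has opened a control connection to
    results = []
    for kind, a, b in events:
        if kind == "ctrl":
            servers.setdefault(a, set()).add(b)
            continue
        known = servers.get(b, set())
        if not known:
            verdict = "no-control-session"
        else:
            # Keep the most benign verdict across the client's control sessions.
            verdict = min((classify(s, a, prefix_len) for s in known),
                          key=ORDER.index)
        results.append((a, b, verdict))
    return results

if __name__ == "__main__":
    for src, dst, verdict in audit(EVENTS):
        print(f"{src:>15} -> {dst:<12} {verdict}")
```

A "mismatch-same-prefix" verdict is only a triage hint for the benign case described above; it does not rule out an attack from a neighbouring address.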


