Firewall Wizards mailing list archives

Our friend FTP, again


From: Matthew Patton <patton () sysnet net>
Date: Tue, 13 Apr 1999 19:51:18 -0400

As has been hashed roundly in the past, FTP is a lousy protocol. Active is
a mess since the client IP is in the payload - which is often a reserved
IP. Passive mode means opening up a huge hole (client port > 1023 to server
1023) or having an intelligent proxy in the middle that opens and closes
the specific ports as needed.

Isn't it true that I could have a machine making random (or intelligent)
ftp-data connections to a high-traffic ftp server, hoping to connect to the
passive-mode data connection before the real client gets a chance? What
does the server check for? The source IP being the same? What if the legit user
and 'cracker' are sitting on the same box? Or spoofing accomplishes the
same thing?

Is there any way of seeing the following happen?

1) enhanced servers and clients that multiplex the data and command channel
so only one TCP connection is ever made

2) a cryptographic cookie value passed between server and client which
'authenticates' (or perhaps better - legitimizes) the data connection
(whether it be traditional active or passive mode)

3) have a passive mode connection always connect to port ftp-data (20)
instead of some random high port. This would, I think, require some sort of
traffic on the command channel to inform the server of client IP and socket
(to figure out which connection is which) or a cookie a la #2, but this is
starting to introduce the problems of ACTIVE mode.

Do any of these make sense?

--------
OpenBSD - Because security matters... (http://www.openbsd.org/)

"Bill Clinton has acted for the past year on his deepest beliefs: that Law
 is merely politics, that the truth is merely spin, that an oath is merely
 rhetoric, that justice is merely power. These doctrines...corrupt us and
 degrade our constitutional order in a profound way."
  - William Kristol (Newsweek)
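The mechanics the post is asking about, as an added example that is not code from the original message or from any FTP implementation: the PORT command and 227 PASV reply carry the data-connection address inside the command channel in the RFC 959 h1,h2,h3,h4,p1,p2 form, so an FTP-aware proxy has to decode that field to open exactly the one port needed, and a passive-mode server can compare the source address of whoever connects to its data port against the peer of the control connection. The sample lines, addresses and the `PassiveDataGuard` bookkeeping class are constructed for illustration; the scenarios at the end show the remote racer being refused, the same-host attacker passing the address check, and the real client then finding the port already consumed.

```python
"""FTP data-channel parsing and the passive-mode source-address check.

Added illustration for the thread above, not code from the post or from
any FTP server/proxy. All command lines and IP addresses are constructed
samples (RFC 5737 documentation ranges), not captured traffic.
"""
import ipaddress
import re

# RFC 959 address/port field: four address octets, then port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Address blocks that cannot be connected back to from outside a NAT;
# a PORT command carrying one of these is the "reserved IP" problem.
_UNROUTABLE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip_string, port); reject bad octets."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %r" % text)
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def parse_port_command(line):
    """Active mode: the client sends 'PORT h1,h2,h3,h4,p1,p2'."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    return parse_hostport(line)


def parse_pasv_reply(line):
    """Passive mode: the server answers '227 Entering Passive Mode (h1,...,p2)'.
    This is the field a proxy reads to open a single pinhole to (ip, port)."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    return parse_hostport(line)


def is_unroutable(ip):
    """True if the address sits in RFC 1918 or loopback space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _UNROUTABLE)


class PassiveDataGuard:
    """Hypothetical server-side bookkeeping for passive data ports.

    allocate() records which control-connection peer asked for a port;
    accept() applies the source-address check to an incoming data
    connection and consumes the port on success.
    """

    def __init__(self):
        self._pending = {}  # data port -> IP of the control connection peer

    def allocate(self, data_port, control_peer_ip):
        self._pending[data_port] = control_peer_ip

    def accept(self, data_port, data_peer_ip):
        """Return True if the data peer matches the control peer, else False
        (the server should close the stray connection)."""
        expected = self._pending.get(data_port)
        if expected is None or expected != data_peer_ip:
            return False
        del self._pending[data_port]
        return True


def hijack_scenarios():
    """Play out the race from the post against the address check."""
    guard = PassiveDataGuard()
    _, port = parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)")
    guard.allocate(port, "198.51.100.7")  # legit client's control-connection IP
    return {
        "remote_racer": guard.accept(port, "203.0.113.9"),      # wrong source IP
        "same_box_attacker": guard.accept(port, "198.51.100.7"),  # indistinguishable
        "real_client": guard.accept(port, "198.51.100.7"),      # port already taken
    }


if __name__ == "__main__":
    print(parse_port_command("PORT 10,0,0,5,4,1"), is_unroutable("10.0.0.5"))
    print(hijack_scenarios())
```

The address check stops a racer on another host, which is the common server-side mitigation for this race; it says nothing about a second user on the client's own machine (or anyone who can spoof the client's address), which is exactly the case the post raises and why the cookie idea in #2 goes further than an IP comparison.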



