Firewall Wizards mailing list archives
Re: FTP Security
From: Bill_Royds () pch gc ca
Date: Mon, 3 May 1999 15:33:48 -0400
Default FTP is an unusual protocol in that it uses 2 separate ports. One initiates an FTP session using port 21 from a client to a server. That is, the client uses a random high number port and makes a socket with the server listening on port 21. This control session is not used for data, but an entirely new TCP connection is created, initiated by the server and listened to by the client.

When data is about to be transmitted, the client tells the server (with the PORT command) "I will be listening on port 34567" and opens a socket listening on that port. The server then completes the connection, forming a socket going from server to client (SYN sent from server, ACK SYN from client etc.).

If someone in the middle captures this PORT connection he/she knows what the next connection will be and can replace the valid data session by a spoofed one by sending a different IP,PORT command with the same sequence number.

The FTP command PASV (passive FTP) asks the server to listen and the client to initiate for data. This is safer for the client but not necessarily better for the server.

"Marcelo Barbosa Lima" <marcelo.lima () dcc unicamp br> on 99-05-04 12:55:04 PM
Please respond to "Marcelo Barbosa Lima" <marcelo.lima () dcc unicamp br>
To: firewall-wizards () nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: FTP Security

Hi folks,

I was reading one paper about security problems in FTP and did not understand this:

"When the data transfers are done in active mode, the attacker guesses the number of the TCP port where the target client will be doing a listen. He or she then repeatedly sends the ftp server to which the client is connected the commands PORT ip,of,client,machine,port,port RETR filename or STOR filename. Using RETR if he wishes to replace data transmitted to the client, and STOR if he is trying to intercept data the client would send to the server."

Do you agree with this?

Well, I saw that the client sends his port number across the control connection using the PORT command. How can the attacker send (repeatedly) commands PORT to FTP server if he or she doesn't know TCP sequence numbers of the control connection between client and server? Another question is: how can the attacker know about the control connections in a particular FTP server? Netstat?

I like your solutions for these problems! Sorry for my poor English :-).

Thanks and Regards!

Marcelo B. Lima
marcelo.lima () dcc unicamp br
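
Both messages above turn on who is allowed to name the data port in a PORT command. The following is an added example, not part of the thread or of any FTP server's code: a server- or firewall-side check that decodes the PORT argument and refuses it when the address differs from the control connection's source or the port is below 1024. Function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_port_args(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' (RFC 959) into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("non-numeric field")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("fields must be 0-255")
    # The port is sent as two bytes, high byte first.
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]


def check_port_command(line, control_peer_ip):
    """Return (allowed, reason) for one line seen on the control channel."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return True, "not a PORT command"
    try:
        ip, port = parse_port_args(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    # The data connection may only go back to whoever owns this control session.
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, f"PORT names {ip}, control peer is {control_peer_ip}"
    if port < 1024:
        return False, f"PORT names low port {port}"
    return True, f"data connection to {ip}:{port}"


# Constructed sample: (source IP of the control connection, line received).
SAMPLE = [
    ("192.0.2.10", "PORT 192,0,2,10,135,7"),     # client names itself, port 34567
    ("198.51.100.66", "PORT 192,0,2,10,135,7"),  # another session names the client
    ("192.0.2.10", "PORT 192,0,2,10,0,25"),      # port below 1024
    ("192.0.2.10", "PORT 192,0,2,10,135"),       # truncated argument
]


def audit(sample):
    """Return the allow/deny decision for each sample entry."""
    return [check_port_command(line, peer)[0] for peer, line in sample]


if __name__ == "__main__":
    for peer, line in SAMPLE:
        print(peer, repr(line), "->", check_port_command(line, peer))
```

This check only covers PORT commands arriving on a different control session than the client's own; it does nothing against someone who can inject into the client's control connection itself.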