Re: PORT or PASV mode of IIS 4.0's FTP

[Todd Garrison <tgarris () FRAMELOSS ORG>]

This sounds alot like SynDefender responding to what it believed was a
syn flood.  I have seen many an admin configure SYN flood protection on
their firewall not realizing the consequences.  It is a dangerous
feature that I personally don't see the benefit of using, it is more
likely to make your server unavailable than to protect it.

A packet dump would probably be the most helpful - are your connections
normally torn down or do you just get cut off with an RST?

If it is configured for, say 100 SYNs per minute, and you have a
reasonbly quick connection - the 101st SYN packet through the firewall
would cause any connections from your IP to be dropped by the firewall.

> The ftp client is trying to "get" 15,000 1-K files from the IIS's FTP
> server, the connection is killed by FW-1 after it got 100 files.  The
> fw-log shows that when the client's "source port" hit a "pre-defined
> service (port) in the rulebase, the connection is dropped.  CP
> explained that FW-1 thought that it was a security violation.