Possible Hack with FTP - What are the solutions?

2

1

I was reading the FTP RFC and hence had this idea.

Suppose there are several public FTP servers that allow anonymous user login. I open a control connection on port 21 to each of these servers.

Now suppose there is a web server at example.com with IP address x.y.z.w listening on port 80. FTP allows a user to specify the host on which the data connection is to be set up. So a user specifies the host and port number of the example.com web server. Now the FTP server starts sending data to example.com, for which it is not a valid HTTP request, and hence it is rejected. But example.com notes that the invalid HTTP request came from a public FTP server and not my IP address. Can this not lead to a distributed attack by utilizing all public FTP servers?

Worse still, the data being sent by the FTP server could be a valid HTTP request, which could trigger example.com to send a file back to the FTP server.

Is there a solution for this or is it no problem at all?

Rohit Banga

Posted 2010-04-04T19:13:59.690

Reputation: 1 814

Answers

4

It's not a problem because the target web server will reject the transfer from your FTP stooge. Even if the data of the transfer is a valid HTTP request, the protocol handshakes would not match up and the connection would be closed. Thus your initial FTP requests would incur more overhead to your original machine than your target would receive in traffic.

There still might be a distributed vulnerability here. If you run a botnet, you could use the PCs in the botnet to run the attack. Each individual member would still use more bandwidth than it created, but it's not your bandwidth so it's okay. The advantage this gives you as a botherder is that it helps to protect your captured zombie PCs from discovery; it could be one way to mask where your zombies are hiding. Fortunately, I expect this extra layer of indirection is more trouble than it's worth.

This attack would also be relatively easy to defend against. There are a limited and fixed number of potential anonymous public FTP servers in the world that you can use. These servers also generally are not normally used for HTTP traffic. So as a good network administrator, if you found yourself the target of such an attack you could simply block these machines by IP at your router, before the requests reach your web server. In a traditional distributed attack this would be bad, because you'd also cut off a lot of legitimate traffic. But in this case, very few of the IP addresses involved in the attack are ever going to send you legitimate traffic, and so it's safe to block them.

Joel Coehoorn

Posted 2010-04-04T19:13:59.690

Reputation: 26 787

Does the data transfer connection from FTP require any protocol handshakes? I don't think so, because there is a separate control connection for that. The TCP handshake would be allowed and a valid response for the HTTP request will be sent to the FTP server, which may not read the response. Could you explain the second paragraph in more detail? I didn't understand most of it. – Rohit Banga – 2010-04-05T05:03:59.577

Makes sense. However, if anyone has more information on the topic, please don't hesitate to discuss. – Rohit Banga – 2010-04-05T15:51:19.873

0

I don't think the FTP server will allow your PC to pick port 80 for data. You will likely just get an error or disconnected.

Nathan Osman

Posted 2010-04-04T19:13:59.690

Reputation: 2 552

Is it not my choice which port I am listening on? – Rohit Banga – 2010-04-04T19:22:47.950

Maybe a reverse DNS lookup could help. – Rohit Banga – 2010-04-04T19:23:50.367

But what is actually done? – Rohit Banga – 2010-04-04T19:24:56.280
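The server-side check that addresses the redirected data connection discussed in this thread, as an added example that is not part of the original posts: RFC 2577 (FTP Security Considerations) recommends refusing PORT targets on well-known ports, and many servers additionally refuse any data address other than the control connection's peer. The function names, reply texts and sample addresses below are assumptions constructed for illustration, not any particular server's code.

```python
import ipaddress

MIN_DATA_PORT = 1024  # ports below this are well-known services (80 = HTTP)

def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of PORT into (address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("every PORT field must be 0-255")
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]

def check_port_command(line, control_peer):
    """Return the (reply_code, text) a hardened server sends for one PORT line."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return 500, "not a PORT command"
    try:
        addr, port = parse_port_argument(arg)
    except ValueError as exc:
        return 501, str(exc)  # 501 = syntax error in parameters
    # Only connect back to the host that owns the control connection.
    if addr != ipaddress.IPv4Address(control_peer):
        return 504, "data address differs from control connection peer"
    # Never open a data connection to a well-known service port.
    if port < MIN_DATA_PORT:
        return 504, "data port below 1024 refused"
    return 200, "PORT command accepted"

# Constructed sample input: the client's control connection comes from
# 198.51.100.7; 203.0.113.10 stands in for the third-party web server.
CLIENT = "198.51.100.7"
SAMPLES = [
    "PORT 198,51,100,7,195,80",  # own address, port 50000: normal active mode
    "PORT 203,0,113,10,0,80",    # third-party host, port 80: the bounce
    "PORT 198,51,100,7,0,80",    # own address but a well-known port
    "PORT 1,2,3",                # malformed argument
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_port_command(sample, CLIENT))
```

With both checks in place, the server never connects to a host or port the logged-in client does not itself control, so it cannot be used as a relay toward example.com.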