I was reading the FTP RFC and hence had this idea.
Suppose there are several public FTP servers that allow anonymous user login. I open a control connection on port 21 to each of these servers.
Now suppose there is a web server at example.com with IP address x.y.z.w listening on port 80. FTP allows a user to specify the host on which the data connection is to be set up. So a user specifies the host and port number of the example.com web server. Now the FTP server starts sending data to example.com, for which it is not a valid HTTP request, and hence it is rejected. But example.com notes that the invalid HTTP request came from a public FTP server and not my IP address. Can this not lead to a distributed attack by utilizing all public FTP servers?
Worse still, the data being sent by the FTP server could be a valid HTTP request which could trigger example.com to send a file back to the FTP server.
Is there a solution for this or is it no problem at all?
Does the data transfer connection from FTP require any protocol handshakes? I don't think so, because there is a separate control connection for that. The TCP handshake would be allowed and a valid response for the HTTP request will be sent to the FTP server, which may not read the response. Could you explain the second paragraph in more detail? I didn't understand most of it. – Rohit Banga – 2010-04-05T05:03:59.577
Makes sense. However, if anyone has more information on the topic, please don't hesitate to discuss. – Rohit Banga – 2010-04-05T15:51:19.873
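The server-side check that closes this hole, as an added example that is not part of the original post or its comments: the FTP server refuses a PORT command whose address differs from the control connection's peer or whose port is below 1024, following the recommendations in RFC 2577. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

MIN_DATA_PORT = 1024  # RFC 2577 advises refusing data connections to ports below 1024


def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command (RFC 959)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT argument must have six comma-separated fields")
    try:
        octets = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("PORT fields must be in 0..255")
    host = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    port = octets[4] * 256 + octets[5]  # p1 is the high byte, p2 the low byte
    return host, port


def check_port_command(arg, control_peer_ip):
    """Return an (FTP reply code, text) pair for a PORT request.

    control_peer_ip is the address the server saw on accept() for the control
    connection; it is never taken from anything the client sends.
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return 501, f"Syntax error in PORT argument: {exc}"
    if host != ipaddress.IPv4Address(control_peer_ip):
        # Third-party target: the case described in the question.
        return 504, "PORT address does not match control connection peer"
    if port < MIN_DATA_PORT:
        # 504 is the reply RFC 2577 suggests for a refused low port.
        return 504, "PORT to a privileged port refused"
    return 200, "PORT command successful"


if __name__ == "__main__":
    # Constructed sample requests from a client connected from 192.0.2.10.
    for arg in ("198,51,100,7,0,80", "192,0,2,10,0,80", "192,0,2,10,195,80"):
        print(arg, "->", check_port_command(arg, "192.0.2.10"))
```
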