FTP Security Considerations

RFC 2577              FTP Security Considerations               May 1999


   This document does not contain a discussion of FTP when used in
   conjunction with strong security protocols, such as IP Security.
   These security concerns should be documented, however they are out of
   the scope of this document.

   This paper provides information for FTP server implementers and
   system administrators, as follows.  Section 2 describes the FTP
   "bounce attack".  Section 3 provides suggestions for minimizing the
   bounce attack.  Section 4 provides suggestions for servers which
   limit access based on network address.  Section 5 provides
   recommendations for limiting brute force "password guessing" by
   clients.  Next, section 6 provides a brief discussion of mechanisms
   to improve privacy.  Section 7 provides a mechanism to prevent user
   identity guessing.  Section 8 discusses the practice of port
   stealing.  Finally, section 9 provides an overview of other FTP
   security issues related to software bugs rather than protocol issues.

2   The Bounce Attack

   The version of FTP specified in the standard [PR85] provides a method
   for attacking well known network servers, while making the
   perpetrators difficult to track down.  The attack involves sending an
   FTP "PORT" command to an FTP server containing the network address
   and the port number of the machine and service being attacked.  At
   this point, the original client can instruct the FTP server to send a
   file to the service being attacked.  Such a file would contain
   commands relevant to the service being attacked (SMTP, NNTP, etc.).
   Instructing a third party to connect to the service, rather than
   connecting directly, makes tracking down the perpetrator difficult
   and can circumvent network-address-based access restrictions.

   As an example, a client uploads a file containing SMTP commands to an
   FTP server.  Then, using an appropriate PORT command, the client
   instructs the server to open a connection to a third machine's SMTP
   port.  Finally, the client instructs the server to transfer the
   uploaded file containing SMTP commands to the third machine.  This
   may allow the client to forge mail on the third machine without
   making a direct connection.  This makes it difficult to track
   attackers.
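   As an added illustration of the server-side check that the bounce attack
   motivates (example code, not part of RFC 2577 or of any FTP
   implementation): a validator for the PORT command that parses the
   h1,h2,h3,h4,p1,p2 form and refuses a data connection to any host other
   than the control-connection peer, or to a well-known port (0 - 1023).
   The same-host rule, the reply codes and the IPv4-only handling are this
   example's own assumptions.

```python
import ipaddress
import re

# Well-known TCP ports 0-1023 are reserved for services such as SMTP,
# NNTP and the FTP control connection itself; a PORT command naming one
# of them is the classic bounce-attack target.
WELL_KNOWN_PORT_MAX = 1023

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as p1*256+p2
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Parse a PORT command into (IPv4Address, port); ValueError if malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), (p1 << 8) | p2


def check_port_command(line, control_peer_ip):
    """Return (accepted, ftp_reply) for a PORT command from control_peer_ip.

    Policy (this example's assumption, not mandated by RFC 2577): the data
    connection may only go back to the host the control connection came
    from, and never to a well-known port.  Both rules reject the third-
    machine target that the bounce attack relies on.
    """
    try:
        ip, port = parse_port_command(line)
    except ValueError as exc:
        return False, f"501 {exc}"
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, "504 PORT address does not match control connection"
    if port <= WELL_KNOWN_PORT_MAX:
        return False, "504 PORT to well-known port refused"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    # Constructed sample: client on 192.0.2.10 sends a legitimate PORT,
    # then one aimed at a third machine's SMTP port (the bounce case).
    for cmd in ("PORT 192,0,2,10,4,1", "PORT 192,0,2,25,0,25"):
        print(cmd, "->", check_port_command(cmd, "192.0.2.10")[1])
```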

3   Protecting Against the Bounce Attack

   The original FTP specification [PR85] assumes that data connections
   will be made using the Transmission Control Protocol (TCP) [Pos81].
   TCP port numbers in the range 0 - 1023 are reserved for well known
   services such as mail, network news and FTP control connections
   [RP94].  The FTP specification makes no restrictions on the TCP port
   number used for the data connection.  Therefore, using proxy FTP,



Allman & Ostermann           Informational