FTP Security Considerations
RFC 2577 FTP Security Considerations May 1999
This document does not contain a discussion of FTP when used in
conjunction with strong security protocols, such as IP Security.
These security concerns should be documented, however they are out of
the scope of this document.
This paper provides information for FTP server implementers and
system administrators, as follows. Section 2 describes the FTP
"bounce attack". Section 3 provides suggestions for minimizing the
bounce attack. Section 4 provides suggestions for servers which
limit access based on network address. Section 5 provides
recommendations for limiting brute force "password guessing" by
clients. Next, section 6 provides a brief discussion of mechanisms
to improve privacy. Section 7 provides a mechanism to prevent user
identity guessing. Section 8 discusses the practice of port
stealing. Finally, section 9 provides an overview of other FTP
security issues related to software bugs rather than protocol issues.
2 The Bounce Attack
The version of FTP specified in the standard [PR85] provides a method
for attacking well known network servers, while making the
perpetrators difficult to track down. The attack involves sending an
FTP "PORT" command to an FTP server containing the network address
and the port number of the machine and service being attacked. At
this point, the original client can instruct the FTP server to send a
file to the service being attacked. Such a file would contain
commands relevant to the service being attacked (SMTP, NNTP, etc.).
Instructing a third party to connect to the service, rather than
connecting directly, makes tracking down the perpetrator difficult
and can circumvent network-address-based access restrictions.
As an example, a client uploads a file containing SMTP commands to an
FTP server. Then, using an appropriate PORT command, the client
instructs the server to open a connection to a third machine's SMTP
port. Finally, the client instructs the server to transfer the
uploaded file containing SMTP commands to the third machine. This
may allow the client to forge mail on the third machine without
making a direct connection. This makes it difficult to track
attackers.
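As an added example (not part of RFC 2577 or of any particular FTP server), the following Python check shows how a server can validate the PORT command argument before opening a data connection: it refuses targets whose address differs from the control connection's peer and targets on the well-known ports 0-1023, which is exactly what the bounce attack above relies on. The reply strings and the sample addresses are constructed for illustration.

```python
import re

# PORT argument format from RFC 959: h1,h2,h3,h4,p1,p2 (six decimal bytes).
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg: str):
    """Parse 'h1,h2,h3,h4,p1,p2' into (ip, port); returns None if malformed."""
    m = _PORT_ARG.match(arg.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(control_peer_ip: str, arg: str, min_port: int = 1024):
    """Return (accepted, reply) for a PORT command sent by control_peer_ip.

    Rejects (a) data-connection targets that differ from the control peer,
    which is how a bounce attack redirects a transfer to a third host, and
    (b) ports in the well-known range 0-1023 (SMTP, NNTP, ...)."""
    parsed = parse_port_arg(arg)
    if parsed is None:
        return False, "501 Syntax error in PORT argument"
    ip, port = parsed
    if ip != control_peer_ip:
        return False, "500 PORT address does not match control connection"
    if port < min_port:
        return False, "500 PORT to privileged port refused"
    return True, "200 PORT command successful"


SAMPLE_PEER = "192.0.2.10"  # constructed client address (documentation range)
SAMPLE_COMMANDS = [
    "192,0,2,10,7,208",    # same host, port 2000: accepted
    "198,51,100,25,0,25",  # third host, port 25 (SMTP): bounce attempt, refused
    "192,0,2,10,0,119",    # same host but NNTP port 119: refused
    "192,0,2,10,300,1",    # malformed (octet > 255): syntax error
]


def audit(peer, commands):
    """Run the check over a list of PORT arguments from one client."""
    return [check_port_command(peer, c) for c in commands]


if __name__ == "__main__":
    for cmd, (ok, reply) in zip(SAMPLE_COMMANDS, audit(SAMPLE_PEER, SAMPLE_COMMANDS)):
        print(f"PORT {cmd:<22} -> {reply}")
```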
3 Protecting Against the Bounce Attack
The original FTP specification [PR85] assumes that data connections
will be made using the Transmission Control Protocol (TCP) [Pos81].
TCP port numbers in the range 0 - 1023 are reserved for well known
services such as mail, network news and FTP control connections
[RP94]. The FTP specification makes no restrictions on the TCP port
number used for the data connection. Therefore, using proxy FTP,
Allman & Ostermann Informational