RFC 2577 (rfc2577) - Page 1 of 8
FTP Security Considerations
Alternative Format: Original Text Document
Network Working Group M. Allman
Request for Comments: 2577 NASA Glenn/Sterling Software
Category: Informational S. Ostermann
Ohio University
May 1999
FTP Security Considerations
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
The specification for the File Transfer Protocol (FTP) contains a
number of mechanisms that can be used to compromise network security.
The FTP specification allows a client to instruct a server to
transfer files to a third machine. This third-party mechanism, known
as proxy FTP, causes a well known security problem. The FTP
specification also allows an unlimited number of attempts at entering
a user's password. This allows brute force "password guessing"
attacks. This document provides suggestions for system
administrators and those implementing FTP servers that will decrease
the security problems associated with FTP.
1 Introduction
The File Transfer Protocol specification (FTP) [PR85] provides a
mechanism that allows a client to establish an FTP control connection
and transfer a file between two FTP servers. This "proxy FTP"
mechanism can be used to decrease the amount of traffic on the
network; the client instructs one server to transfer a file to
another server, rather than transferring the file from the first
server to the client and then from the client to the second server.
This is particularly useful when the client connects to the network
using a slow link (e.g., a modem). While useful, proxy FTP provides
a security problem known as a "bounce attack" [CERT97:27]. In
addition to the bounce attack, FTP servers can be used by attackers
to guess passwords using brute force.
Allman & Ostermann Informational