* FTP Bounce Attack
@ 2005-01-28 15:38 Vinod Chandran
0 siblings, 0 replies; 3+ messages in thread
From: Vinod Chandran @ 2005-01-28 15:38 UTC (permalink / raw)
To: netfilter
Hi,
I am currently using iptables 1.2.11 with the patch-o-matic patch applied.
Its documented that netfilter is patched to protect against FTP bounce
attacks, when an invalid IP is given in the FTP PORT command.
I can detect the PORT command reaching the FTP server through the
router( containing netfilter), even when I give an ivalid IP.
I would like to know whether the patch is not working or whether the
patch is meant to not allow the resulting bounce attack, even with
allowing the PORT command to pass through.
Thanks and Regards,
Vinod C
^ permalink raw reply [flat|nested] 3+ messages in thread
* FTP Bounce Attack.
@ 2005-01-28 15:24 Vinod Chandran
2005-02-01 0:28 ` dwhite
0 siblings, 1 reply; 3+ messages in thread
From: Vinod Chandran @ 2005-01-28 15:24 UTC (permalink / raw)
To: netfilter
Hi,
I am currently using iptables 1.2.11 with the patch-o-matic patch applied.
Its documented that netfilter is patched to protect against FTP bounce
attacks, when an invalid IP is given in the FTP PORT command.
I can detect the PORT command reaching the FTP server through the
router( containing netfilter), even when I give an ivalid IP.
I would like to know whether the patch is not working or whether the
patch is meant to not allow the resulting bounce attack, even with
allowing the PORT command to pass through.
Thanks and Regards,
Vinod C
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: FTP Bounce Attack.
2005-01-28 15:24 Vinod Chandran
@ 2005-02-01 0:28 ` dwhite
0 siblings, 0 replies; 3+ messages in thread
From: dwhite @ 2005-02-01 0:28 UTC (permalink / raw)
To: Vinod Chandran; +Cc: netfilter
Vinod,
I was able to confirm this (iptables 1.2.11, kernel 2.6.9). The PORT
command is indeed forwarded and unmangled, even if NAT is being used for
the control session.
However, it appears that, while the PORT command is allowed and passed on
to the server, the resulting "EXPECTING" connection (data channel) is not
made available. So in that way the bounce attack is stopped. It appears,
by glancing through the code, that this is the intended design.
But, this amounts to only disabling a bounce attack *through* the
firewall. It does *not* restrict me from connecting to another device
*behind* the firewall (or more specifically, to any host on the same side
of the firewall as the server).
I think this has some significant security implications. I think you're
right to raise the issue.
-dave
On Fri, 28 Jan 2005, Vinod Chandran wrote:
> Hi,
>
> I am currently using iptables 1.2.11 with the patch-o-matic patch applied.
> Its documented that netfilter is patched to protect against FTP bounce
> attacks, when an invalid IP is given in the FTP PORT command.
> I can detect the PORT command reaching the FTP server through the router(
> containing netfilter), even when I give an ivalid IP.
> I would like to know whether the patch is not working or whether the patch is
> meant to not allow the resulting bounce attack, even with allowing the PORT
> command to pass through.
>
> Thanks and Regards,
> Vinod C
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-02-01 0:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-01-28 15:38 FTP Bounce Attack Vinod Chandran
-- strict thread matches above, loose matches on Subject: below --
2005-01-28 15:24 Vinod Chandran
2005-02-01 0:28 ` dwhite
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox