I encountered an IDS signature stating that a user accessed an FTP site but a possible FTP Bounce Attack might occur. Why is that so?

The severity of this attack is high because it indicates potential port scanning activities as well as bypassing basic packet filtering services and export restrictions through FTP. (Fortiguard, 2006)

How does FTP Bounce Attack work? In order for an FTP connection to occur, the client tries to connect to FTP through port 21. Another data connection is made between the two so that when the client wants to download something from the server, the latter can send the data back. To do this, through the ‘PORT’ command, the client sends its IP address and an arbitrary port that is free to establish a successful connection

Now the attack commences in the ‘PORT’ command because the attacker can alter and send another IP address and port to the FTP server.

With the ‘PORT’ command the attacker can do a port scan to another host in the Internet through a third party FTP server or even bypass filtering devices. (Telindus, 2003)

What can we do to prevent this attack from happening? If the root cause is the ‘PORT’ command, then the solution is to limit the functionality of the ‘PORT’ command to its purpose of sending its legitimate IP address and port number.

A package called the wu-ftpd addresses the FTP bounce problem by ensuring that the ‘PORT’ command won’t be used to make connections to machines other than the original client.(CERT, 1997)