Attack of the Day: The FTP Bounce Attack

I encountered an IDS signature stating that a user accessed an FTP site but a possible FTP Bounce Attack might occur. Why is that so?

The severity of this attack is high because it indicates potential port scanning activities as well as bypassing basic packet filtering services and export restrictions through FTP. (Fortiguard, 2006)

How does FTP Bounce Attack work? In order for an FTP connection to occur, the client tries to connect to FTP through port 21. Another data connection is made between the two so that when the client wants to download something from the server, the latter can send the data back. To do this, through the ‘PORT’ command, the client sends its IP address and an arbitrary port that is free to establish a successful connection

Now the attack commences in the ‘PORT’ command because the attacker can alter and send another IP address and port to the FTP server.

With the ‘PORT’ command the attacker can do a port scan to another host in the Internet through a third party FTP server or even bypass filtering devices. (Telindus, 2003)

What can we do to prevent this attack from happening? If the root cause is the ‘PORT’ command, then the solution is to limit the functionality of the ‘PORT’ command to its purpose of sending its legitimate IP address and port number.

A package called the wu-ftpd addresses the FTP bounce problem by ensuring that the ‘PORT’ command won’t be used to make connections to machines other than the original client.(CERT, 1997)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s