FTP Security Considerations
RFC 2577

Document Type RFC - Informational (May 1999; No errata)
Authors Mark Allman  , Shawn Ostermann 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2577 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                          M. Allman
Request for Comments: 2577                  NASA Glenn/Sterling Software
Category: Informational                                     S. Ostermann
                                                         Ohio University
                                                                May 1999

                      FTP Security Considerations

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.


   The specification for the File Transfer Protocol (FTP) contains a
   number of mechanisms that can be used to compromise network security.
   The FTP specification allows a client to instruct a server to
   transfer files to a third machine.  This third-party mechanism, known
   as proxy FTP, causes a well known security problem.  The FTP
   specification also allows an unlimited number of attempts at entering
   a user's password.  This allows brute force "password guessing"
   attacks.  This document provides suggestions for system
   administrators and those implementing FTP servers that will decrease
   the security problems associated with FTP.

1   Introduction

   The File Transfer Protocol specification (FTP) [PR85] provides a
   mechanism that allows a client to establish an FTP control connection
   and transfer a file between two FTP servers.  This "proxy FTP"
   mechanism can be used to decrease the amount of traffic on the
   network; the client instructs one server to transfer a file to
   another server, rather than transferring the file from the first
   server to the client and then from the client to the second server.
   This is particularly useful when the client connects to the network
   using a slow link (e.g., a modem).  While useful, proxy FTP provides
   a security problem known as a "bounce attack" [CERT97:27].  In
   addition to the bounce attack, FTP servers can be used by attackers
   to guess passwords using brute force.

Allman & Ostermann           Informational                      [Page 1]
RFC 2577              FTP Security Considerations               May 1999

   This document does not contain a discussion of FTP when used in
   conjunction with strong security protocols, such as IP Security.
   These security concerns should be documented, however they are out of
   the scope of this document.

   This paper provides information for FTP server implementers and
   system administrators, as follows.  Section 2 describes the FTP
   "bounce attack".  Section 3 provides suggestions for minimizing the
   bounce attack.  Section 4 provides suggestions for servers which
   limit access based on network address.  Section 5 provides
   recommendations for limiting brute force "password guessing" by
   clients.  Next, section 6 provides a brief discussion of mechanisms
   to improve privacy.  Section 7 provides a mechanism to prevent user
   identity guessing.  Section 8 discusses the practice of port
   stealing.  Finally, section 9 provides an overview of other FTP
   security issues related to software bugs rather than protocol issues.

2   The Bounce Attack

   The version of FTP specified in the standard [PR85] provides a method
   for attacking well known network servers, while making the
   perpetrators difficult to track down.  The attack involves sending an
   FTP "PORT" command to an FTP server containing the network address
   and the port number of the machine and service being attacked.  At
   this point, the original client can instruct the FTP server to send a
   file to the service being attacked.  Such a file would contain
   commands relevant to the service being attacked (SMTP, NNTP, etc.).
   Instructing a third party to connect to the service, rather than
   connecting directly, makes tracking down the perpetrator difficult
   and can circumvent network-address-based access restrictions.

   As an example, a client uploads a file containing SMTP commands to an
   FTP server.  Then, using an appropriate PORT command, the client
   instructs the server to open a connection to a third machine's SMTP
   port.  Finally, the client instructs the server to transfer the
   uploaded file containing SMTP commands to the third machine.  This
   may allow the client to forge mail on the third machine without
   making a direct connection.  This makes it difficult to track

3   Protecting Against the Bounce Attack

   The original FTP specification [PR85] assumes that data connections
   will be made using the Transmission Control Protocol (TCP) [Pos81].
   TCP port numbers in the range 0 - 1023 are reserved for well known
   services such as mail, network news and FTP control connections
   [RP94].  The FTP specification makes no restrictions on the TCP port
Show full document text