FTP Security Considerations
RFC 2577
Network Working Group M. Allman
Request for Comments: 2577 NASA Glenn/Sterling Software
Category: Informational S. Ostermann
Ohio University
May 1999
FTP Security Considerations
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
The specification for the File Transfer Protocol (FTP) contains a
number of mechanisms that can be used to compromise network security.
The FTP specification allows a client to instruct a server to
transfer files to a third machine. This third-party mechanism, known
as proxy FTP, causes a well known security problem. The FTP
specification also allows an unlimited number of attempts at entering
a user's password. This allows brute force "password guessing"
attacks. This document provides suggestions for system
administrators and those implementing FTP servers that will decrease
the security problems associated with FTP.
1 Introduction
The File Transfer Protocol specification (FTP) [PR85] provides a
mechanism that allows a client to establish an FTP control connection
and transfer a file between two FTP servers. This "proxy FTP"
mechanism can be used to decrease the amount of traffic on the
network; the client instructs one server to transfer a file to
another server, rather than transferring the file from the first
server to the client and then from the client to the second server.
This is particularly useful when the client connects to the network
using a slow link (e.g., a modem). While useful, proxy FTP provides
a security problem known as a "bounce attack" [CERT97:27]. In
addition to the bounce attack, FTP servers can be used by attackers
to guess passwords using brute force.
Allman & Ostermann Informational [Page 1]
RFC 2577 FTP Security Considerations May 1999
This document does not contain a discussion of FTP when used in
conjunction with strong security protocols, such as IP Security.
These security concerns should be documented, however they are out of
the scope of this document.
This paper provides information for FTP server implementers and
system administrators, as follows. Section 2 describes the FTP
"bounce attack". Section 3 provides suggestions for minimizing the
bounce attack. Section 4 provides suggestions for servers which
limit access based on network address. Section 5 provides
recommendations for limiting brute force "password guessing" by
clients. Next, section 6 provides a brief discussion of mechanisms
to improve privacy. Section 7 provides a mechanism to prevent user
identity guessing. Section 8 discusses the practice of port
stealing. Finally, section 9 provides an overview of other FTP
security issues related to software bugs rather than protocol issues.
2 The Bounce Attack
The version of FTP specified in the standard [PR85] provides a method
for attacking well known network servers, while making the
perpetrators difficult to track down. The attack involves sending an
FTP "PORT" command to an FTP server containing the network address
and the port number of the machine and service being attacked. At
this point, the original client can instruct the FTP server to send a
file to the service being attacked. Such a file would contain
commands relevant to the service being attacked (SMTP, NNTP, etc.).
Instructing a third party to connect to the service, rather than
connecting directly, makes tracking down the perpetrator difficult
and can circumvent network-address-based access restrictions.
As an example, a client uploads a file containing SMTP commands to an
FTP server. Then, using an appropriate PORT command, the client
instructs the server to open a connection to a third machine's SMTP
port. Finally, the client instructs the server to transfer the
uploaded file containing SMTP commands to the third machine. This
may allow the client to forge mail on the third machine without
making a direct connection. This makes it difficult to track
attackers.
3 Protecting Against the Bounce Attack
The original FTP specification [PR85] assumes that data connections
will be made using the Transmission Control Protocol (TCP) [Pos81].
TCP port numbers in the range 0 - 1023 are reserved for well known
services such as mail, network news and FTP control connections
[RP94]. The FTP specification makes no restrictions on the TCP port
Show full document text