FTP Security Considerations (RFC2577)

IP.com Disclosure Number: IPCOM000003164D
Original Publication Date: 1999-May-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 7 page(s) / 17K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

M. Allman: AUTHOR [+2]

Abstract

The specification for the File Transfer Protocol (FTP) contains a number of mechanisms that can be used to compromise network security. The FTP specification allows a client to instruct a server to transfer files to a third machine. This third-party mechanism, known as proxy FTP, causes a well known security problem. The FTP specification also allows an unlimited number of attempts at entering a user's password. This allows brute force "password guessing" attacks. This document provides suggestions for system administrators and those implementing FTP servers that will decrease the security problems associated with FTP.

This text was extracted from an ASCII document.
This is the abbreviated version, containing approximately 16% of the total text.

Network Working Group                                          M. Allman
Request for Comments: 2577                  NASA Glenn/Sterling Software
Category: Informational                                     S. Ostermann
                                                         Ohio University
                                                                May 1999

FTP Security Considerations

Status of this Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

The specification for the File Transfer Protocol (FTP) contains a
number of mechanisms that can be used to compromise network security.
The FTP specification allows a client to instruct a server to
transfer files to a third machine. This third-party mechanism, known
as proxy FTP, causes a well known security problem. The FTP
specification also allows an unlimited number of attempts at entering
a user's password. This allows brute force "password guessing"
attacks. This document provides suggestions for system
administrators and those implementing FTP servers that will decrease
the security problems associated with FTP.

1 Introduction

The File Transfer Protocol specification (FTP) [PR85] provides a
mechanism that allows a client to establish an FTP control connection
and transfer a file between two FTP servers. This "proxy FTP"
mechanism can be used to decrease the amount of traffic on the
network; the client instructs one server to transfer a file to
another server, rather than transferring the file from the first
server to the client and then from the client to the second server.
This is particularly useful when the client connects to the network
using a slow link (e.g., a modem). While useful, proxy FTP provides
a security problem known as a "bounce attack" [CERT97:27]. In
addition to the bounce attack, FTP servers can be used by attackers
to guess passwords using brute force.

This document does not contain a discussion of FTP when used in
conjunction with strong security protocols, such as IP Security.
These security concerns should be documented; however, they are out of
the scope of this document.

This paper provides information for FTP server implementers and
system administrators, as follows. Section 2 describes the FTP
"bounce attack". Section 3 provides suggestions for minimizing the
bounce attack. Section 4 provides suggestions for servers which
limit acces...