httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm MacCarthaigh <c...@stdlib.net>
Subject Re: ftp site
Date Tue, 09 Mar 2004 13:14:41 GMT
On Fri, Mar 05, 2004 at 04:35:37PM -0500, Ghanta, Bose wrote:
>  I was working on what I originally thought was a bug in our FTP client.
> Your ftp site has a very long banner (due to the crypto warnings and what
> all), and the bug opened against our FTP client was that it would disconnect
> partly through the login banner.  After using a packet sniffer, I determined
> that what is happening is that at a certain point, as your FTP server is
> sending banner lines, it drops the connection. 

This is a relatively common failure mode for scenarios involving a
stateful protocol-inspecting firewall being in the way. Many popular
implementations insist on a divisional newline being within the first
packet; to establish state (when using PASV) and protect against a
common attack method (see below).  If the banner size starts coming
close to the MTU and the handshake is fragmented these implementations
can break the internet.

See:

	http://www.securityfocus.com/archive/1/46655
	http://www.checkpoint.com/techsupport/alerts/pasvftp.html

for a description of why the check occurs, and see:

	http://lists.virus.org/fw1-0302/msg00599.html

for instructions on how to disable the check in the most common
implementation which displays this behaviour (checkpoint). It would be
worth investigating wether such a device is between you and the 
ftp server, and whether or not it is responsible for your problems.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

Mime
View raw message