> I don't know of any ftp clients which make use of this feature (multiple
> data channels supported concurrently) as the original ftp clients were all
> line-based and only supported one transfer at a time. Maybe this is
> reasonable, but it would be a shame for the default defense to this attack
> to mean you can't use FTP to its full potential (i.e. start a transfer
> from the current session but keep using the current `login' session, maybe
> to start other transfers, as required). Trimming the number of concurrent
> data sessions to a maximum of 1-5 (by default) would probably be enough,
> with the capability to set this higher/lower as required.

The OpenBSD ftpd has never permitted more than 1 connection at a time in
PASV mode, thus this particular denial of service attack does not work.

I caused myself some difficulties by accidentally starting up 400 perl
instances, though..

One of the Linuxes out there also ships with our ftpd, so they will not
have a problem with this either. It's either Debian or Suse...
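The resource that the attack discussed in this thread exhausts is the listening socket a server allocates for every PASV reply and keeps open until the client connects to it. The following is an added illustration, not code from this thread and not OpenBSD ftpd's implementation: a hypothetical per-session tracker `PasvDataChannels` that binds a real loopback listener for each PASV command and enforces one of three hypothetical policies, `unlimited` (the vulnerable behaviour), `replace` (at most one pending listener, a new PASV closes the previous one, which is the "one connection at a time" behaviour the reply describes), and `cap` (a configurable maximum of pending listeners, as the quoted poster suggests, with further PASV commands refused with a 425 reply). The flood driver `simulate_pasv_flood` plays the client that issues PASV repeatedly without ever connecting. Reply codes 227 and 425 are the RFC 959 codes; the class, function and policy names are assumptions made for this example.

```python
import socket
from collections import deque


class PasvDataChannels:
    """Hypothetical tracker for the passive-mode listening sockets one FTP
    control session has allocated but that no data connection has consumed.

    Every PASV reply costs the server a bind()+listen() descriptor that stays
    open until the client connects; a client that issues PASV in a loop and
    never connects makes the server pile them up. Policies (names assumed):
      "unlimited" : no limit, one descriptor per PASV (the vulnerable case)
      "replace"   : at most one pending listener; a new PASV closes the old one
      "cap"       : up to max_pending listeners; further PASV commands refused
    """

    def __init__(self, policy="replace", max_pending=1, bind_addr="127.0.0.1"):
        if policy not in ("unlimited", "replace", "cap"):
            raise ValueError("unknown policy %r" % policy)
        self.policy = policy
        self.max_pending = max_pending
        self.bind_addr = bind_addr
        self.pending = deque()  # oldest listener first

    def pasv(self):
        """Handle one PASV command; return (reply_code, data_port_or_None)."""
        if self.policy == "replace":
            # Only one outstanding data listener per session: drop the old one.
            while self.pending:
                self.pending.popleft().close()
        elif self.policy == "cap" and len(self.pending) >= self.max_pending:
            # RFC 959: 425 "Can't open data connection." Nothing is allocated.
            return 425, None

        # Bind a fresh loopback listener on an ephemeral port, as a real
        # server would before sending "227 Entering Passive Mode (...)".
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((self.bind_addr, 0))
        s.listen(1)
        self.pending.append(s)
        return 227, s.getsockname()[1]

    def pending_count(self):
        return len(self.pending)

    def close_all(self):
        while self.pending:
            self.pending.popleft().close()


def simulate_pasv_flood(policy, max_pending, attempts):
    """Client issues PASV `attempts` times and never connects to a data port.

    Returns (peak number of pending listeners held by the server,
             number of PASV commands the server refused).
    """
    chan = PasvDataChannels(policy=policy, max_pending=max_pending)
    peak = refused = 0
    try:
        for _ in range(attempts):
            code, _port = chan.pasv()
            if code != 227:
                refused += 1
            peak = max(peak, chan.pending_count())
    finally:
        chan.close_all()
    return peak, refused


if __name__ == "__main__":
    for policy, limit in (("unlimited", None), ("replace", 1), ("cap", 5)):
        peak, refused = simulate_pasv_flood(policy, limit, attempts=50)
        print("%-9s peak pending listeners=%d refused PASV=%d"
              % (policy, peak, refused))
```

With 50 PASV commands and no data connections, `unlimited` leaves 50 descriptors open on the server, `replace` never holds more than one, and `cap` with a limit of 5 holds five and refuses the remaining 45. On a real server the unlimited case ends at the per-process descriptor limit, which is the denial of service; whichever bound is chosen, the check has to happen before the bind(), since a listener that is allocated and then rejected still cost a descriptor until it is closed.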
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:08 PDT