Maybe I am missing something, but after looking at the ASM code that ussr provided, it seems as if they are just doing a standard "connection flood". I see absolutely nothing significant or specific to WarFTPD here. The same type of attack would affect any number of FTP servers when done from a fast enough link. In other words, the good ole' hose + a tiny fragment of code to actually send a username/pass is all that is needed to duplicate this.

The only denial of service I see here is a "max connections" problem. This would be harder to combat if the attack came from random IPs... but that is not the case in this instance.

So, did I miss something in this case?

/tmy

At 06:41 PM 12/14/1999, Ussr Labs wrote:
>Strange, nobody reported this problem, only you :(. The War FTP daemon stops
>responding when it receives lots of incoming connections; the program does not
>CRASH, it just stops responding.
>
>u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
>http://www.ussrback.com
>
>
>
>-----Original Message-----
>From: Malartre [mailto:malartreat_private]
>Sent: Tuesday, December 14, 1999 8:46 PM
>To: Ussr Labs
>Cc: BUGTRAQat_private
>Subject: Re: Local / Remote D.o.S Attack in War FTP Daemon 1.70
>Vulnerability
>
>
>Ussr Labs wrote:
> >
> > Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
>
>I am personally not able to reproduce this on my computer. I was using
>the program on the same computer that war-ftpd is.
>
>It's a Pentium 200 with win95b, no firewalls, nothing special.
>
>My cable-modem connection was down during the use of the program, but
>this is because I was flooding myself.
>
>After a minute or two, I closed the program and my connection was back
>and War FTP was ok.
>Thank You
>--
>[Malartre][malartreat_private]

-- Diving into infinity my consciousness expands in inverse
   proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- ------ --------+
| Tim Yardley (yardleyat_private)
| http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- ------ --------+
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:10 PDT