I noticed that when you FTP into ZServer it doesn't matter what userid or password you use, it always says 'Login Successful'. Of course, you're not authorized to see anything but you're still logged in and there is still an open Medusa channel. Couldn't this be a hole into a possible Denial of Service attack?

Michel
At 02:56 PM 1/26/99 -0500, Michel Pelletier wrote:
> I noticed that when you FTP into ZServer it doesn't matter what userid or password you use, it always says 'Login Successful'. Of course, you're not authorized to see anything but you're still logged in and there is still an open Medusa channel. Couldn't this be a hole into a possible Denial of Service attack?

Sounds like it. We need to think carefully about how to limit FTP access.

It's hard to differentiate between anonymous and non-anonymous users, because authorization is defined on a per-directory basis. So basically how things work now, you must 'cd' to a directory where your userid is defined before you can do much. This means you can't easily evaluate the validity of a user at login time. So it's hard to do things like limit the number of concurrent anonymous FTP logins.

One partial solution would be to limit the total number of FTP connections, though annoying people could simply fill all those, and prevent anyone else from getting through. On the upside, the HTTP server would still work fine.

Another solution would be to limit FTP access to users defined in the top-level Folder. Or maybe limit the number of connections from users not defined in the top-level Folder.

These issues deserve serious thought.

-Amos
On 26 Jan 99, at 12:57, Amos Latteier wrote:
> One partial solution would be to limit the total number of FTP connections, though annoying people could simply fill all those, and prevent anyone else from getting through. On the upside, the HTTP server would still work fine.
>
> Another solution would be to limit FTP access to users defined in the top-level Folder. Or maybe limit the number of connections from users not defined in the top-level Folder.

Or, if a user hasn't successfully accessed a directory that requires authorization within xx minutes of connecting, then disconnect. Or, allow connections to be denied based on the FTP client's IP subnet or domain name. We make an FTP server for Novell NetWare, so we're versed with these issues...

Brad Clements, bkc@murkworks.com  (315)268-1000
http://www.murkworks.com           (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com  ICQ: 14856937

We must come down from our heights, and leave our straight paths, for the byways and low places of life, if we would learn truths by strong contrasts; and in hovels, in forecastles, and among our own outcasts in foreign lands, see what has been wrought upon our fellow-creatures by accident, hardship, or vice.
- Richard Henry Dana, Jr. 1836
On Tue, 26 Jan 1999, Amos Latteier wrote:
> At 02:56 PM 1/26/99 -0500, Michel Pelletier wrote:
> > I noticed that when you FTP into ZServer it doesn't matter what userid or password you use, it always says 'Login Successful'. Of course, you're not authorized to see anything but you're still logged in and there is still an open Medusa channel. Couldn't this be a hole into a possible Denial of Service attack?
>
> Sounds like it. We need to think carefully about how to limit FTP access.
>
> It's hard to differentiate between anonymous and non-anonymous users, because authorization is defined on a per-directory basis. So basically how things work now, you must 'cd' to a directory where your userid is defined before you can do much. This means you can't easily evaluate the validity of a user at login time. So it's hard to do things like limit the number of concurrent anonymous FTP logins.

Maybe do some sort of port trick where if they come in on port 5000 they are rooted in the top of the database and have to be defined at that level, and if they come in at 5001 it could root them at /spam/eggs/anon or something like that.

> These issues deserve serious thought.
>
> -Amos

---------------------------------------------------
- Scott Robertson        Phone: 714.972.2299     -
- CodeIt Computing       Fax:   714.972.2399     -
- http://codeit.com                              -
---------------------------------------------------
Scott Robertson wrote:
> On Tue, 26 Jan 1999, Amos Latteier wrote:
> > At 02:56 PM 1/26/99 -0500, Michel Pelletier wrote:
> > > I noticed that when you FTP into ZServer it doesn't matter what userid or password you use, it always says 'Login Successful'. Of course, you're not authorized to see anything but you're still logged in and there is still an open Medusa channel. Couldn't this be a hole into a possible Denial of Service attack?
> >
> > Sounds like it. We need to think carefully about how to limit FTP access.
> >
> > It's hard to differentiate between anonymous and non-anonymous users, because authorization is defined on a per-directory basis. So basically how things work now, you must 'cd' to a directory where your userid is defined before you can do much. This means you can't easily evaluate the validity of a user at login time. So it's hard to do things like limit the number of concurrent anonymous FTP logins.

I think an expedient solution would be, if you are not authorized to see anything, then you will be forcibly disconnected after seeing an informational message. If you are connected and can't view anything, then there will be little difference to you, because what you can do (nada) when connected will be the same as what you can do (nada) when disconnected.

> Maybe do some sort of port trick where if they come in on port 5000 they are rooted in the top of the database and have to be defined at that level, and if they come in at 5001 it could root them at /spam/eggs/anon or something like that.
>
> > These issues deserve serious thought.
> >
> > -Amos
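The thread so far has proposed three separate controls: a cap on total FTP connections (Amos), disconnecting clients that haven't reached a directory requiring authorization within some minutes and denying by client subnet (Brad), and dropping a login that can see nothing right after the informational message (Guido). The following is an added example of how those controls combine into one admission policy; it is not ZServer or Medusa code. The class and method names (FtpSessionPolicy, admit, report_login, mark_authorized, reap_idle) are hypothetical, the server loop that would call them and the per-directory authorization check are assumed to exist elsewhere, and the clock is passed in as a number so the policy stays deterministic. The addresses in the scenario are constructed from documentation ranges.

```python
"""Admission and idle-timeout policy for a per-directory-authorized FTP front end.

Added example for the discussion above; not ZServer or Medusa code.
Assumed call points in a hypothetical server loop:
  - at accept()                             -> admit()
  - after USER/PASS, with a root-visibility
    answer from the (assumed) authz check   -> report_login()
  - after a CWD into a directory that
    defines the client's userid             -> mark_authorized()
  - from a periodic timer                   -> reap_idle()
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Session:
    conn_id: int
    ip: str
    opened_at: float
    authorized: bool = False  # True once the client reached a directory that knows its userid


class FtpSessionPolicy:
    def __init__(self, max_total=50, max_per_ip=5, unauth_grace_seconds=120.0,
                 denied_networks=()):
        self.max_total = max_total                # cap on total FTP connections
        self.max_per_ip = max_per_ip              # so one address cannot fill that cap alone
        self.unauth_grace = unauth_grace_seconds  # "xx minutes" to reach an authorized directory
        self.denied = [ipaddress.ip_network(n) for n in denied_networks]  # deny by subnet
        self.sessions = {}                        # conn_id -> Session
        self._next_id = 1

    def admit(self, ip, now):
        """Decide at accept() time. Returns (conn_id, reason); conn_id is None on refusal."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.denied):
            return None, "denied network"
        if len(self.sessions) >= self.max_total:
            return None, "server connection limit"
        if sum(1 for s in self.sessions.values() if s.ip == ip) >= self.max_per_ip:
            return None, "per-address connection limit"
        conn_id, self._next_id = self._next_id, self._next_id + 1
        self.sessions[conn_id] = Session(conn_id, ip, now)
        return conn_id, "ok"

    def report_login(self, conn_id, can_list_root):
        """After USER/PASS. A login that can list the root is authorized at once.
        One that sees nothing is dropped immediately when the grace period is 0
        (the server sends its informational message first); otherwise the grace
        period applies. Returns True when the server should close the connection."""
        if can_list_root:
            self.sessions[conn_id].authorized = True
            return False
        if self.unauth_grace == 0:
            self.close(conn_id)
            return True
        return False

    def mark_authorized(self, conn_id):
        self.sessions[conn_id].authorized = True

    def close(self, conn_id):
        self.sessions.pop(conn_id, None)

    def reap_idle(self, now):
        """Periodic timer: drop sessions that did not become authorized within the grace."""
        expired = [cid for cid, s in self.sessions.items()
                   if not s.authorized and now - s.opened_at >= self.unauth_grace]
        for cid in expired:
            del self.sessions[cid]
        return expired


def simulate():
    """Constructed scenario: one address keeps logging in with a bogus userid."""
    policy = FtpSessionPolicy(max_total=10, max_per_ip=3, unauth_grace_seconds=60,
                              denied_networks=["203.0.113.0/24"])  # constructed deny list
    outcomes = []
    for i in range(5):                                        # five attempts from one address
        cid, why = policy.admit("198.51.100.7", now=float(i))
        outcomes.append(why)
        if cid is not None:
            policy.report_login(cid, can_list_root=False)     # joe:blow can see nothing
    denied_reason = policy.admit("203.0.113.9", now=5.0)[1]   # address inside the denied subnet
    legit, _ = policy.admit("192.0.2.1", now=6.0)
    policy.mark_authorized(legit)                             # cd into a directory defining the userid
    reaped = policy.reap_idle(now=70.0)                       # the bogus sessions have aged out
    return outcomes, denied_reason, reaped, sorted(policy.sessions)


if __name__ == "__main__":
    print(simulate())
```

With the grace period set to 0 the policy behaves as Guido describes (the unauthorized login is dropped right after the message); with a non-zero grace it behaves as Brad describes. The per-address cap is what keeps a single client from filling the total-connection limit Amos mentions.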
Michel Pelletier wrote:
> I noticed that when you FTP into ZServer it doesn't matter what userid or password you use, it always says 'Login Successful'. Of course, you're not authorized to see anything but you're still logged in and there is still an open Medusa channel. Couldn't this be a hole into a possible Denial of Service attack?

How is this different from anonymous FTP? How do other servers limit denial of service attacks on anonymous FTP?

Note that a medusa connection does not consume many resources and doesn't tie up the application in any way.

Jim
Jim Fulton wrote:
> Michel Pelletier wrote:
> > I noticed that when you FTP into ZServer it doesn't matter what userid or password you use, it always says 'Login Successful'. Of course, you're not authorized to see anything but you're still logged in and there is still an open Medusa channel. Couldn't this be a hole into a possible Denial of Service attack?
>
> How is this different from anonymous FTP? How do other servers limit denial of service attacks on anonymous FTP?

There is the minor difference that anonymous FTP can be turned off, thus denying even making a connection. Also, anonymous access is only granted for the anonymous uid, with the option to verify with a password. With medusa I can login with joe:blow and still tie up a line. Paul mentioned the throttling.

> Note that a medusa connection does not consume many resources and doesn't tie up the application in any way.

You're right there, Medusa may be so darn fast that it won't matter. I'm going to experiment with a simple DOS script today, see if I can bring Medusa to its knees.

Michel

> Jim
participants (6):
- Amos Latteier
- Brad Clements
- Guido Sohne
- Jim Fulton
- Michel Pelletier
- Scott Robertson