Possible Hack with FTP - What are the solutions?

Posted by iamrohitbanga on Super User See other posts from Super User or by iamrohitbanga
Published on 2010-04-04T19:13:59Z Indexed on 2010/04/04 19:23 UTC
Read the original article Hit count: 184

Filed under:

I was reading the FTP rfc and hence had this idea.

Suppose there are several public ftp servers that allow anonymous user login. I open a control connection on port 21 to each of these servers.

Now suppose there is a web server a.com with ip address x.y.z.w listening on port 80. FTP allows a user to specify the host on which the data connection is to be setup. So a user specifies the host and port number of a.com web server. Now the ftp server starts sending data to a.com for which it is not a valid HTTP request and hence it is rejected. But a.com notes that the invalid http request came from a public ftp server and not my ip address. Can this not lead to a distributed attack by utilizing all public ftp servers. worse still the the data being sent by ftp server could be a valid http request which could trigger a.com to send a file back to the ftp server.

Is there a solution for this or is it no problem at all.

© Super User or respective owner

Related posts about ftp