IIS 4.0: FTP "Bounce" Attack and CERT Advisory CA-97.27

ID: Q185378

The information in this article applies to:
  • Microsoft Internet Information Server version 4.0

SUMMARY

The CERT (http://www.Cert.org) Advisory CA-97.27 warns of an FTP security attack called the "Bounce" attack. This involves misuse of the Port command to maliciously open a connection to a port on the File Transfer Protocol (FTP) server.

The FTP Server service in Microsoft Internet Information Server version 4.0 (IIS) is not susceptible to this attack.


MORE INFORMATION

The FTP server in IIS 4.0 disallows third-party data transfers. This is done via a modification to the implementation of the Port command. When the FTP server receives a Port command, the specified IP address must match the client's source IP address for the control channel.

The FTP server in IIS 4.0 also has another level of protection: disallowing the Port command from specifying reserved ports (those less than 1024) except Port 20 (the default data port). By default, any client attempt to issue a Port command with (port < 1024 and port != 20) causes the Port command to fail.

Keywords :
Version : WINNT:4.0
Platform : winnt
Issue type : kbinfo


Last Reviewed: May 3, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.