FTP: Bounce Attack
This protocol anomaly triggers when it detects an FTP bounce attack. There are two possibilities: a PORT command specified an IP address different from the client address, or a PASV command resulted in a 227 message with an IP address different than the server.
Extended Description
This problem is a design issue with the common implementation of the FTP protocol. In essence, the vulnerability is as follows: when a user FTP's into a host to retrieve files, the connection is two way (i.e. when you log in and request a file, the server then opens a connection back to your host of origin to deliver your requested data). Most FTP servers support what is called 'active mode' which allows users to specify a number of parameters to the FTP daemon. One of these is the PORT command, which lets you specify *where* you would like the return data connection to be sent. Therefore, instead of opening a connection back to yourself to drop off your requested files or data, you can then open that connection back to another host. This is true with both retrieving and putting data. Attackers can exploit this in some instances to circumvent access control, export restrictions, etc.
Affected Products
Digital unix
Short Name
FTP:EXPLOIT:BOUNCE-ATTACK
Severity
Major
Recommended
False
Recommended Action
Drop
Category
FTP
Keywords
CA-1997-27 CVE-1999-0017 CVE-2010-1465 bid:126 bid:50614
Release Date
04/22/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3693
False Positive
Rarely
Vendors
Rhino_software
Sco
Ibm
Sun
Mad_goat_software
Hp
Washington_university
Sgi
Freebsd
Digital
Netbsd
CVSS Score
7.5