[ 
https://issues.apache.org/jira/browse/FTPSERVER-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12656593#action_12656593
 ] 

Jörg Schubert commented on FTPSERVER-240:
-----------------------------------------

Well, I'm pretty fine. A rough Saturday evening hack should not be in 1.0 ;-)

Some rethinking led me into a possible security risk:
A SYN-attack in the range of passive ports could lead to a mix-up of the 
association of ftp-command and allocated port. 

Scenario is this:
1. a passive port is opened
2. a false SYN causes accept() to return, the session runs into an error
3. a slow client might connect to the newly allocated port of the NEXT session 
or command

To prevent this, there should be an allocation counter at each port, which can 
be stored and verified against the session (or the command?). And the ports 
should be allocated in a round-robin or - maybe better - random fashion.  

I suppose this can also happen in plain 1.0.0-M4, but the probability is much 
bigger that it happens in my patched version. I did not verify it yet, it's just 
a theory. Do you have a JMeter setup or similar which verifies the content of 
transferred files under heavy load? I'd like to do some testing, but setting up 
JMeter seems not so easy :-(

If I find something in 1.0.0-M4, I'll open a bug. Or should I do it now?
> Multiple Simultaneous Connections On Passive Data Ports 
> --------------------------------------------------------
>
>                 Key: FTPSERVER-240
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-240
>             Project: FtpServer
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-M4
>            Reporter: Jörg Schubert
>             Fix For: WISHLIST
>
>         Attachments: patch_ServerSocket.txt
>
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> Hello,
> the current implementation limits the maximum number of simultaneous 
> connections to the number of activated data ports in passive mode. This is 
> not really enterprise grade!
> I'm not sure if the ftp-spec allows this, but it works.
> I have a working patch against 1.0.0-M4 (tested with filezilla), but 
> unfortunately I can't attach it here.
> Should I send it to the mailing list?
> With best Regards,
> Jörg Schubert
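The mix-up Jörg describes in his comment (a spurious connection makes accept() return, the session fails and releases its passive port, the next session is handed the same port, and a late client of the first session lands on it) is a classic stale-handle race. The following is an added example, not code from Apache FtpServer or from the patch discussed here: it models the "allocation counter at each port" he proposes as a per-port generation number that is stored in a ticket and verified against the session before a data connection is trusted. The class and function names (`PassivePortPool`, `PortTicket`, `simulate_mixup`) and the port numbers are assumptions made up for the illustration.

```python
import random
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortTicket:
    """What a session stores: the passive port plus the allocation it was given."""
    port: int
    generation: int


class PassivePortPool:
    """Hands out passive data ports with a per-port allocation counter.

    Hypothetical helper (not FtpServer's own): every allocation of a port
    bumps that port's generation, so a ticket from an earlier session can be
    told apart from the ticket of the session that currently owns the port.
    Ports are picked at random from the free list, as the comment suggests.
    """

    def __init__(self, ports: List[int], rng: Optional[random.Random] = None):
        self._free: List[int] = list(ports)
        self._generation: Dict[int, int] = {p: 0 for p in ports}
        self._owner: Dict[int, int] = {}  # port -> generation that holds it now
        self._lock = threading.Lock()
        self._rng = rng or random.Random()

    def allocate(self) -> Optional[PortTicket]:
        """Take a free port, bump its counter and return the ticket (None if exhausted)."""
        with self._lock:
            if not self._free:
                return None
            port = self._free.pop(self._rng.randrange(len(self._free)))
            self._generation[port] += 1
            gen = self._generation[port]
            self._owner[port] = gen
            return PortTicket(port, gen)

    def release(self, ticket: PortTicket) -> bool:
        """Return the port to the pool only if the ticket is the current owner."""
        with self._lock:
            if self._owner.get(ticket.port) != ticket.generation:
                return False  # stale ticket: a later session owns this port now
            del self._owner[ticket.port]
            self._free.append(ticket.port)
            return True

    def is_current(self, ticket: PortTicket) -> bool:
        """The check a session runs before trusting a data connection on its port."""
        with self._lock:
            return self._owner.get(ticket.port) == ticket.generation


def simulate_mixup(seed: int = 7) -> Tuple[bool, bool]:
    """Replay the three steps from the comment and report what the check says.

    Returns (first session's ticket still valid?, second session's ticket valid?).
    """
    pool = PassivePortPool([50000, 50001], rng=random.Random(seed))  # constructed ports
    # 1. a passive port is opened for session A
    ticket_a = pool.allocate()
    # 2. a bogus connection makes accept() return; session A errors out and
    #    gives the port back
    pool.release(ticket_a)
    # 3. the next session/command is allocated a port, possibly the same one
    ticket_b = pool.allocate()
    # The slow client of session A now turns up. Whatever port it hits, session
    # A's ticket no longer matches the current owner, so its data must be refused,
    # while session B's ticket is still good.
    return pool.is_current(ticket_a), pool.is_current(ticket_b)


if __name__ == "__main__":
    print(simulate_mixup())  # (False, True)
```

The generation check is what makes the counter useful: without it, step 3 cannot be distinguished from a legitimate connection, because the port number alone is identical for both sessions. Randomising the pick only lowers the odds of a collision; the ticket comparison is what turns a silent mix-up into a refused connection that can be logged.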
