Date:      Fri, 26 Jul 2002 23:22:55 +0300
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Yar Tikhiy <yar@FreeBSD.ORG>
Cc:        net@FreeBSD.ORG
Subject:   Re: ftpd(8) DoS: SIZE in ASCII mode
Message-ID:  <20020726202255.GA9263@sunbay.com>
In-Reply-To: <20020726155745.B2089@comp.chem.msu.su>
References:  <20020726155745.B2089@comp.chem.msu.su>



On Fri, Jul 26, 2002 at 03:57:45PM +0400, Yar Tikhiy wrote:
> Hi everybody,
>
> It was pointed out to me by Maxim Konovalov recently that our stock
> ftpd(8) allowed an easy DoS attack against a server running it by
> issuing numerous "SIZE" commands on huge files when in ASCII mode.
> In this case, ftpd(8) has to read a whole file instead of just
> issuing a single stat(2) syscall, thus eating up the server's
> disk bandwidth.
>
> The obvious solution is to disable the "SIZE" command when in ASCII
> mode.  So I'd like to ask the community whether anyone thinks there
> must be an option to enable it back.  Personally, I feel the command
> must be disabled completely (for ASCII mode, of course) since I see
> no good use for it at all.
>
How about going the lukemftpd(8) way?

	if (stbuf.st_size > 10240) {
		reply(550, "%s: file too large for SIZE.", filename);
		(void) fclose(fin);
		return;
	}


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
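The following is an added illustration, not code from the thread or from FreeBSD's or lukemftpd's ftpd. It shows why ASCII-mode SIZE is expensive (every byte must be scanned so that each LF can be counted as CRLF, whereas binary mode needs only the stat(2) size) and how a cap like the 10240-byte one quoted above bounds that work. The function names, the ASCII_SIZE_LIMIT macro and the in-memory sample data are assumptions made for the example; a real server would read the file from disk, which is exactly the I/O the cap avoids.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Cap on the st_size for which SIZE is honoured in ASCII (TYPE A) mode.
 * The 10240 value is the one quoted from lukemftpd above; the macro
 * name is an assumption for this example. */
#define ASCII_SIZE_LIMIT 10240L

/* Size the data would occupy on the wire in ASCII mode: every bare LF
 * is transmitted as CRLF, so each one adds a byte. This per-byte scan
 * over the whole content is the cost that makes ASCII-mode SIZE a
 * disk-bandwidth problem on large files. */
long ascii_wire_size(const char *data, size_t len)
{
    long n = (long)len;
    size_t i;

    for (i = 0; i < len; i++)
        if (data[i] == '\n')
            n++;
    return n;
}

/* Decide how a SIZE request is answered, mirroring the shape of the
 * lukemftpd check. Returns the FTP reply code and stores the size to
 * report in *out (or -1 when the request is refused).
 *   binary mode : the stat(2) size is reported as-is, one syscall, no I/O.
 *   ASCII mode  : refuse with 550 above the cap, otherwise scan the data. */
int size_command(int ascii_mode, long st_size,
                 const char *data, size_t len, long *out)
{
    if (!ascii_mode) {
        *out = st_size;
        return 213;
    }
    if (st_size > ASCII_SIZE_LIMIT) {
        *out = -1;
        return 550;     /* "file too large for SIZE" */
    }
    *out = ascii_wire_size(data, len);
    return 213;
}

int main(void)
{
    /* Constructed sample file content: 6 bytes, two LFs. */
    const char sample[] = "ab\ncd\n";
    size_t len = sizeof(sample) - 1;
    long size;
    int code;

    code = size_command(1, (long)len, sample, len, &size);
    printf("ASCII, small file : %d size=%ld\n", code, size);   /* 213 size=8 */

    code = size_command(1, 20000L, NULL, 0, &size);
    printf("ASCII, large file : %d size=%ld\n", code, size);   /* 550 size=-1 */

    code = size_command(0, 20000L, NULL, 0, &size);
    printf("binary, large file: %d size=%ld\n", code, size);   /* 213 size=20000 */
    return 0;
}
```

The cap is checked against st_size before any content is read, so the cost of a refused request stays at a single stat(2); only files under the limit pay for the scan, which bounds the work an unauthenticated client can trigger per command.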
