Date: Fri, 26 Jul 2002 23:22:55 +0300
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: Yar Tikhiy <yar@FreeBSD.ORG>
Cc: net@FreeBSD.ORG
Subject: Re: ftpd(8) DoS: SIZE in ASCII mode
Message-ID: <20020726202255.GA9263@sunbay.com>
In-Reply-To: <20020726155745.B2089@comp.chem.msu.su>
On Fri, Jul 26, 2002 at 03:57:45PM +0400, Yar Tikhiy wrote:
> Hi everybody,
>
> Maxim Konovalov recently pointed out to me that our stock
> ftpd(8) allows an easy DoS attack against a server running it by
> issuing numerous "SIZE" commands on huge files when in ASCII mode.
> In this case, ftpd(8) has to read a whole file instead of just
> issuing a single stat(2) syscall, thus eating up the server's
> disk bandwidth.
>
> The obvious solution is to disable the "SIZE" command when in ASCII
> mode. So I'd like to ask the community whether anyone thinks there
> must be an option to enable it back. Personally, I feel the command
> must be disabled completely (for ASCII mode, of course) since I see
> no good use for it at all.
>
How about going the lukemftpd(8) way?
	if (stbuf.st_size > 10240) {
		reply(550, "%s: file too large for SIZE.", filename);
		(void) fclose(fin);
		return;
	}
Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
ru@sunbay.com Sunbay Software AG,
ru@FreeBSD.org FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
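The following is an added, stand-alone illustration of the two SIZE paths the thread contrasts; it is not code from FreeBSD's ftpd(8) or from lukemftpd, and not part of either message. TYPE I (binary) answers from a single stat(2); TYPE A (ASCII) must read the whole file because every LF goes out as CRLF, which is the disk-bandwidth cost Yar describes. The cap check is placed where Ruslan's quoted lukemftpd snippet puts it: after fstat(2) and before the read loop, so an oversized file costs one syscall instead of a full read. The function names, the result enum, the temp-file helper and the demo functions are this example's own inventions; the 10240-byte cap and the LF-to-CRLF counting follow the thread.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Outcome of a SIZE request (names are this example's, not ftpd's). */
enum size_result { SIZE_OK = 0, SIZE_NOT_PLAIN = 1, SIZE_TOO_LARGE = 2, SIZE_ERROR = 3 };

/* Largest file served by SIZE in ASCII mode; 10240 follows the lukemftpd value
 * quoted in the thread. The cap is a policy knob, not a protocol constant. */
#define ASCII_SIZE_CAP 10240

/* TYPE I: one stat(2), constant cost regardless of file size. */
enum size_result image_size(const char *path, off_t *out)
{
    struct stat st;
    if (stat(path, &st) < 0) return SIZE_ERROR;
    if (!S_ISREG(st.st_mode)) return SIZE_NOT_PLAIN;
    *out = st.st_size;
    return SIZE_OK;
}

/* TYPE A: the transferred length is not st_size, because each LF is sent as
 * CRLF, so the whole file has to be read and counted. Without the cap every
 * SIZE on a huge file is a full sequential read the client pays nothing for. */
enum size_result ascii_size(const char *path, off_t cap, off_t *out)
{
    FILE *fin = fopen(path, "r");
    struct stat st;
    off_t count = 0;
    int c;

    if (fin == NULL) return SIZE_ERROR;
    if (fstat(fileno(fin), &st) < 0 || !S_ISREG(st.st_mode)) {
        fclose(fin);
        return SIZE_NOT_PLAIN;
    }
    if (st.st_size > cap) {          /* refuse before touching the data */
        fclose(fin);
        return SIZE_TOO_LARGE;
    }
    while ((c = getc(fin)) != EOF) {
        if (c == '\n') count++;      /* LF will be expanded to CRLF on the wire */
        count++;
    }
    fclose(fin);
    *out = count;
    return SIZE_OK;
}

/* Helper for the demos: write `len` bytes to a fresh temp file, return its
 * path (caller unlinks and frees). Constructed for this example only. */
char *write_temp_file(const char *data, size_t len)
{
    char *path = malloc(32);
    int fd;
    if (path == NULL) return NULL;
    strcpy(path, "/tmp/ascii_size_XXXXXX");
    fd = mkstemp(path);
    if (fd < 0) { free(path); return NULL; }
    if (write(fd, data, len) != (ssize_t)len) { close(fd); unlink(path); free(path); return NULL; }
    close(fd);
    return path;
}

/* Demo: constructed file "ab\ncd\n" is 6 bytes on disk but 8 bytes in ASCII
 * transfer. Returns the ASCII count, or -1 if setup or either SIZE path fails. */
long long demo_small_file(void)
{
    static const char data[] = "ab\ncd\n";
    char *path = write_temp_file(data, sizeof data - 1);
    off_t bin = 0, asc = 0;
    long long r = -1;
    if (path == NULL) return -1;
    if (image_size(path, &bin) == SIZE_OK && bin == 6 &&
        ascii_size(path, ASCII_SIZE_CAP, &asc) == SIZE_OK)
        r = (long long)asc;
    unlink(path); free(path);
    return r;
}

/* Demo: a constructed file one byte over the cap is refused before any read.
 * Returns the size_result code, or -1 on setup failure. */
int demo_oversized_file(void)
{
    size_t n = ASCII_SIZE_CAP + 1;
    char *data = malloc(n), *path;
    off_t asc = 0;
    int r;
    if (data == NULL) return -1;
    memset(data, 'x', n);
    path = write_temp_file(data, n);
    free(data);
    if (path == NULL) return -1;
    r = (int)ascii_size(path, ASCII_SIZE_CAP, &asc);
    unlink(path); free(path);
    return r;
}

int main(void)
{
    printf("small file, ASCII SIZE = %lld (expect 8)\n", demo_small_file());
    printf("oversized file, result = %d (expect %d = SIZE_TOO_LARGE)\n",
           demo_oversized_file(), SIZE_TOO_LARGE);
    return 0;
}
```

Note that the cap protects the server, not the client's view of the protocol: a client that relies on SIZE in ASCII mode for a large file now gets a 550 and must fall back to transferring without a known length, which is the trade-off the thread is weighing against disabling ASCII SIZE outright.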
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020726202255.GA9263>
