HIDS 11209


Rule ID

11209

Status

Active rule currently published.

Alert Message

Rule: 11209 Attempt to bypass firewall that can`t adequately keep state of FTP traffic.

Example Log Entry

proftpd[12630]: 127.0.0.1 (1.2.3.4[1.2.3.4]) - Refused PORT 192,168,1,34,206,55 (address mismatch)

Description

This rule detects when an FTP server reports that it has rejected a data-connection request from a client because the request is invalid or possibly malicious. This generally occurs when a buggy client, or a poorly configured or designed firewall on the client side, sends the wrong IP address for the FTP data connection, typically an internal IP address that does not match the source address of the control connection. In the example above, the client's IP address is 1.2.3.4, and the client has instructed the FTP server to send data to the IP address 192.168.1.34 (the PORT command writes the address with commas instead of periods, which is why the log entry shows 192,168,1,34).

This is invalid, as the FTP server is smart enough to recognize that the client's real IP address is 1.2.3.4, and not 192.168.1.34. The client's own address may in fact be 192.168.1.34 behind a NAT device, but traffic sent there will never reach it, because the address the client is actually using on the Internet is 1.2.3.4. As mentioned above, this is typically seen when the client's firewall or FTP client does not properly manage FTP connections. This is not a problem with your server; it is a problem with the client.

False Positives

A false positive is not possible with this rule. It merely reports what the FTP server is doing.

Discussion

FTP is a very complex protocol, and one of the oldest protocols on the Internet. It is not like most other protocols: it uses multiple "channels" to send data to the client, and the client can request that the server send data to a specific IP address and port. When FTP was created, the Internet was not the place it is today. No hackers or malicious attackers were envisioned, so the protocol itself is very naive: it allows a client to ask a server to send data to any IP address and port on the Internet. This can be used to launch "bounce" attacks, where an attacker instructs an FTP server to send data to other systems. In this way it can be used to bypass firewalls, by reaching an FTP server behind a firewall and then using that server to connect to other machines behind the same firewall. Because of these limitations, more modern FTP servers check the address given in the PORT command against the actual source IP address of the control connection, and if the two do not match they reject the request.

Tuning Recommendations

None. Do not disable this rule. The rule only reports the behavior of the FTP server, and disabling it will not prevent the FTP server from rejecting the connection. You will simply no longer be alerted that this has occurred; the FTP server will still reject the connection, this time silently.

Similar Rules

None.
