Thursday, December 31, 2015

What is FTP Bounce Attack ?

What is FTP Bounce Attack ?

Suppose, X is a user on and X wants to transfer a file from But, X does not have permission to transfer file from There is another machine who has permission to transfer file from

So, X makes a plan. He opens an FTP connection to And then, instructs to transfer the file from to using FTP protocol. This is called FTP Bounce Attack.

How is FTP Bounce Attack perpetrated ?

This attack is possible when FTP Server in supports passive mode.

Let's look into what is passive mode of FTP connection.

FTP protocol normally uses two connections – one control connection and one data connection. Commands are transferred using control connection and data travels through the data connection.

In Active FTP, the FTP client first initiates the control connection from its port N to FTP Server's command port – port 21. The client then listens to port N+1 and sends the port N+1 to FTP Server. FTP Server then initiates the data connection, from its port M to the port N+1 of the FTP Client.

But, if the FTP Client has a firewall setup that controls the incoming data connections from outside, then active FTP may be a problem. And, a feasible solution for that is Passive FTP.

In Passive FTP, the client initiates the control connection from its port N to the port 21 of FTP Server. After this, the client issues a passv comand. The server then sends the client one of its port number M. And the client initiates the data connection from its port P to port M of the FTP Server.

In FTP Bounce Attack, the attacker exploits the passive mode of the FTP Server. He performs the following steps :

  • X opens an FTP connection from to the FTP Server
  • X issues a port command and asks the server to open a data connection to port M. But, he tricks the FTP Server. Instead of specifying IP address of, he gives the IP address of
  • X now sends the FTP Server a file of listed commands and requests it to execute that.
  • The file has the following set of commands :
    1. Open an FTP connection to
    2. uses passive mode. So, it must send a port number to which should open a data connection. specifies that with a port command, but instead of giving IP address of, the file specifies IP address of
    3. Transfer the required file over the connection thus established.

So, at this point, is tricked to request to open a data connection from to actually

And this is how FTP Bounce Attack is performed.

How to prevent FTP Bounce Attack ?

A commonly used countermeasure is to configure the FTP Server not to allow connections to be established with any other host other than the FTP Client.

This was an informative article on FTP Bounce Attack. Hope you enjoyed it.

No comments:

Post a Comment