What is FTP Bounce Attack ?
Suppose, X is a user on attacker.com and X wants to transfer a file from target.com. But, X does not have permission to transfer file from target.com. There is another machine middle-man.com who has permission to transfer file from target.com.
So, X makes a plan. He opens an FTP connection to middle-man.com. And then, instructs middle-man.com to transfer the file from target.com to attacker.com using FTP protocol. This is called FTP Bounce Attack.
How is FTP Bounce Attack perpetrated ?
This attack is possible when FTP Server in middle-man.com supports passive mode.
Let's look into what is passive mode of FTP connection.
FTP protocol normally uses two connections – one control connection and one data connection. Commands are transferred using control connection and data travels through the data connection.
In Active FTP, the FTP client first initiates the control connection from its port N to FTP Server's command port – port 21. The client then listens to port N+1 and sends the port N+1 to FTP Server. FTP Server then initiates the data connection, from its port M to the port N+1 of the FTP Client.
But, if the FTP Client has a firewall setup that controls the incoming data connections from outside, then active FTP may be a problem. And, a feasible solution for that is Passive FTP.
In Passive FTP, the client initiates the control connection from its port N to the port 21 of FTP Server. After this, the client issues a passv comand. The server then sends the client one of its port number M. And the client initiates the data connection from its port P to port M of the FTP Server.
In FTP Bounce Attack, the attacker exploits the passive mode of the FTP Server. He performs the following steps :
- X opens an FTP connection from attacker.com to the FTP Server middle-man.com
- X issues a port command and asks the server to open a data connection to port M. But, he tricks the FTP Server. Instead of specifying IP address of attacker.com, he gives the IP address of target.com.
- X now sends the FTP Server a file of listed commands and requests it to execute that.
- The file has the following set of commands :
1. Open an FTP connection to target.com
2. middle-man.com uses passive mode. So, it must send a port number to which target.com should open a data connection. middle-man.com specifies that with a port command, but instead of giving IP address of middle-man.com, the file specifies IP address of attacker.com.
3. Transfer the required file over the connection thus established.
So, at this point, middle-man.com is tricked to request target.com to open a data connection from target.com to actually attacker.com.
And this is how FTP Bounce Attack is performed.
How to prevent FTP Bounce Attack ?
A commonly used countermeasure is to configure the FTP Server not to allow connections to be established with any other host other than the FTP Client.
This was an informative article on FTP Bounce Attack. Hope you enjoyed it.