Summary

The File Transfer Protocol (FTP) is a widely used protocol for transferring files across a network. Early FTP paid no attention to security, and as networked applications have grown rapidly the demands placed on its security have kept rising. This article introduces the basic characteristics of FTP and discusses FTP security from two angles: the security functions exposed by the protocol's security extensions, and the security problems of the protocol itself and how users can guard against them.

1. Introduction

1.1 Some features of FTP

An early definition describes FTP as a user-level protocol for transferring files between hosts on the ARPA computer network. Its main purpose is to make file transfer between hosts convenient and to allow convenient storage and processing of files on other hosts [BA72]. Today FTP is used across the whole Internet. According to FTP STD 9 [PR85], the goals of FTP are:

1) to promote the sharing of files (programs or data);
2) to encourage indirect or implicit use of remote computers;
3) to shield users from differences between host file systems;
4) to transfer data reliably and efficiently.

Other properties of FTP: it can be used directly by a user at a terminal, but it is designed mainly for use by programs. FTP is built on the Transmission Control Protocol (TCP) [PJ81] and the Telnet protocol [PJ83].

1.2 Important historical events [PR85]

In 1971 A. K. Bhushan produced the first FTP RFC (RFC 114), which was implemented experimentally at MIT and Harvard. In 1972 RFC 172 provided a user-level protocol for file transfer between hosts. In February 1973, after lengthy discussion (RFC 265, RFC 294, RFC 354, RFC 385, RFC 430), the official document RFC 454 appeared. In August 1973 a revised official document, RFC 542, appeared; it established the functions, objectives and basic model of FTP. At that time the data transfer protocol ran over NCP. In 1980, because the underlying protocol had changed from NCP to TCP, RFC 765 defined FTP over TCP.
In 1985 the official document RFC 959 (STD 9) appeared, and it remains in force today.

1.3 The FTP model [PR85]

The model has not changed since 1973.
The figure below shows the FTP usage model:

                                            -------------
                                            |/---------\|
                                            ||   User  ||    --------
                                            ||Interface|<--->| User |
                                            |\----^----/|    --------
                  ----------                |     |     |
                  |/------\|  FTP Commands  |/----V----\|
                  ||Server|<---------------->|   User  ||
                  ||  PI  ||  FTP Replies   ||    PI   ||
                  |\--^---/|                |\----^----/|
                  |   |    |                |     |     |
      --------    |/--V---\|      Data      |/----V----\|    --------
      | File |<--->|Server|<---------------->|   User  |<--->| File |
      |System|    || DTP  ||   Connection   ||   DTP   ||    |System|
      --------    |\------/|                |\---------/|    --------
                  ----------                -------------

                  Server-FTP                   User-FTP

Notes: 1. The data connection may be used in both directions (duplex). 2. The data connection need not exist all the time.

Figure 1  FTP usage model

User PI: user protocol interpreter. Server PI: server protocol interpreter. DTP: data transfer process. Control connection and data connection as labelled. FTP commands describe the parameters of the data connection and the type of file operation; FTP replies are the server's responses to those commands.

In the model of Figure 1, the user PI creates the control connection, which follows the Telnet protocol. On user initiation, standard FTP commands are generated by the user PI and passed over the control connection to the server process; the server PI sends its replies back to the user PI over the control connection. Data is transferred over the data connection: the user DTP listens on the specified data port, and the server initiates the data connection and the transfer according to the parameters specified. In another situation the user wishes to transfer files between two non-local hosts. The user establishes control connections with both servers and arranges the file transfer between the two servers. The following figure depicts this model.
                     Control     ------------   Control
                     ---------->| User-FTP |<-----------
                     |          | User-PI  |           |
                     |          |   "C"    |           |
                     V          ------------           V
             --------------                        --------------
             | Server-FTP |   Data Connection      | Server-FTP |
             |    "A"     |<---------------------->|    "B"     |
             --------------  Port (A)    Port (B)  --------------

Figure 2  Server-to-server interaction model

2. FTP protocol security extensions [HL97]

2.1 Some current practices for transferring files securely

a. transferring files pre-encrypted under secret keys;
b. transferring files pre-encrypted under public keys;
c. via PEM messages;
d. via the rcp command enhanced to use Kerberos.

2.2 FTP before RFC 2228 was not secure

FTP runs its control connection over the Telnet protocol, and Telnet later gained authentication and encryption options, but RFC 1123 prohibits Telnet option negotiation on the control connection. In addition, the Telnet protocol provides no integrity protection, and the data connection is not protected at all.

2.3 Extended commands

AUTH (Authentication/Security Mechanism)
ADAT (Authentication/Security Data)
PROT (Data Channel Protection Level)
PBSZ (Protection Buffer Size)
CCC (Clear Command Channel)
MIC (Integrity Protected Command)
CONF (Confidentiality Protected Command)
ENC (Privacy Protected Command)

A new reply class (6yz) is also introduced to protect replies.

2.4 Protocol state chart

The following figure describes the process of authentication and authorization in an improved FTP implementation. A square block indicates a state in which the client issues a command, and a diamond block indicates a state in which the server must issue a reply.
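As an added Python example (not code from this article, from RFC 2228 or from any FTP implementation), the state chart of 2.4 expressed as a reply-code-driven state machine, the way a client would track where it stands after each server reply. The chart's left-hand path, on which USER may be issued without a preceding AUTH, is included; the session transcript in main() is constructed for the example.

```python
"""Reply-code-driven view of the RFC 2228 authentication/authorization chart.
Added example; states and reply codes follow the chart, the transcript is
constructed."""

UNAUTHENTICATED = "Unauthenticated"
NEED_SECURITY_DATA = "Need Security Data"
AUTHENTICATED = "Authenticated"
NEED_PASSWORD = "Need Password"      # intermediate: USER answered with 3yz
NEED_ACCOUNT = "Need Account"        # intermediate: PASS answered with 3yz
AUTHORIZED = "Authorized (logged in)"

# success/continue replies for the three login commands (shared by both paths)
LOGIN_STEPS = {
    "USER": {"2yz": AUTHORIZED, "3yz": NEED_PASSWORD},
    "PASS": {"2yz": AUTHORIZED, "3yz": NEED_ACCOUNT},
    "ACCT": {"2yz": AUTHORIZED},
}

# (current state, command issued) -> {exact code or reply class: next state}
TRANSITIONS = {
    (UNAUTHENTICATED, "AUTH"): {234: AUTHENTICATED, 334: NEED_SECURITY_DATA},
    (NEED_SECURITY_DATA, "ADAT"): {235: AUTHENTICATED, 335: NEED_SECURITY_DATA},
    (AUTHENTICATED, "USER"): LOGIN_STEPS["USER"],
    (NEED_PASSWORD, "PASS"): LOGIN_STEPS["PASS"],
    (NEED_ACCOUNT, "ACCT"): LOGIN_STEPS["ACCT"],
    # plain RFC 959 login without AUTH: the left-hand path of the chart
    (UNAUTHENTICATED, "USER"): LOGIN_STEPS["USER"],
}


class AuthStateMachine:
    def __init__(self):
        self.state = UNAUTHENTICATED
        self.login_base = UNAUTHENTICATED   # where a failed USER/PASS/ACCT returns to
        self.command_channel_protected = False

    def apply(self, command, reply):
        """Advance the state for `command` answered by the 3-digit `reply`."""
        options = TRANSITIONS.get((self.state, command))
        if options is None:
            raise ValueError(f"{command} not expected in state {self.state!r}")
        reply_class = reply // 100
        if reply_class in (4, 5):            # 4yz/5yz: the command failed
            nxt = UNAUTHENTICATED if command in ("AUTH", "ADAT") else self.login_base
        else:
            nxt = options.get(reply) or options.get(f"{reply_class}yz")
        if nxt is None:
            raise ValueError(f"reply {reply} to {command} is not in the chart")
        if nxt == AUTHENTICATED and command in ("AUTH", "ADAT"):
            # security mechanism negotiated: USER etc. must now travel protected
            self.command_channel_protected = True
            self.login_base = AUTHENTICATED
        if nxt == UNAUTHENTICATED:
            self.command_channel_protected = False
            self.login_base = UNAUTHENTICATED
        self.state = nxt
        return nxt

    def ccc(self):
        """CCC: relax the integrity requirement on the command channel."""
        self.command_channel_protected = False


def run_dialogue(steps):
    """Replay (command, reply) pairs from a transcript; return the final state."""
    machine = AuthStateMachine()
    for command, reply in steps:
        machine.apply(command, reply)
    return machine.state


if __name__ == "__main__":
    # constructed transcript: AUTH needing two ADAT round trips, then USER/PASS
    print(run_dialogue([("AUTH", 334), ("ADAT", 335), ("ADAT", 235),
                        ("USER", 331), ("PASS", 230)]))
```

Feeding a transcript through `run_dialogue` raises `ValueError` whenever a command or reply is not on the chart, which is the check a protocol-conformance test or an IDS parser would apply to a captured control-channel session.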
Figure 3  Authentication and authorization state chart (the original diagram did not survive extraction; its states and transitions are listed here)

Unauthenticated (new connection)
    AUTH: 234 -> Authenticated; 334 -> Need Security Data; 4yz, 5yz -> Unauthenticated
    USER may also be issued directly, without AUTH (ordinary RFC 959 login)
Need Security Data
    ADAT: 235 -> Authenticated; 335 -> Need Security Data (more data needed); 4yz, 5yz -> Unauthenticated
Authenticated
    USER: 2yz -> Authorized; 3yz -> PASS expected; 4yz, 5yz -> Authenticated
    PASS: 2yz -> Authorized; 3yz -> ACCT expected; 4yz, 5yz -> Authenticated
    ACCT: 2yz -> Authorized; 4yz, 5yz -> Authenticated
Authorized (logged in)

Note: once the client has completed authentication with the server, the USER command must be integrity protected if integrity protection is in use; the CCC command can be used to relax this requirement.

3. Protocol security issues and preventive measures [AO99]

3.1 Preventing the bounce attack

a. Vulnerability: The FTP specification [PR85] defines the "proxy FTP" mechanism, that is, the server-to-server interaction model: a client opens an FTP control connection and then transfers files between two servers. At the same time, the FTP specification places no restriction on the TCP port number, while TCP ports 0-1023 are reserved for well-known network services. Through "proxy FTP", a client can therefore direct an FTP server to attack any well-known service on any machine.

b. Attack: The client sends the FTP server the network address and port number of the target machine and service.
The client then asks the FTP server to send a file to the attacked service; the file contains commands appropriate to that service (for example SMTP or NNTP).
Because a third party makes the connection on the attacker's behalf rather than the attacker connecting directly, this not only makes tracing the attacker difficult but also evades network-address-based access restrictions.

c. Preventive measures: The simplest measure is to close the hole. First, the server should not open data connections to TCP ports below 1024; if it receives a PORT command specifying such a port, it can reply 504 (defined in [PR85] as "Command not implemented for that parameter"). Second, prohibiting the PORT command altogether is an alternative way to prevent bounce attacks; most file transfers need only the PASV command. The drawback is that the possibility of "proxy FTP" is lost, but some environments have no need for it.

d. Remaining problems: Limiting data connections to ports 1024 and above still leaves user-defined services (TCP ports 1024 and above) exposed to bounce attacks.

3.2 Restricting access

a. Requirement: Some FTP servers have a strong need for network-address-based access control; for example, a server may wish to restrict access to certain files to certain locations (such as files that must not leave the organization). Clients, too, need to know that the connection has been established with the intended server.

b. Attack: An attacker can exploit a situation in which the control connection comes from a trusted host but the data connection does not.

c. Preventive measures: Before establishing the data connection, both sides should verify, against the authenticated control connection, that the network address at the remote end of the data connection is trustworthy (for example, inside the organization).

d. Remaining problems: Network-address-based access control is useful, but it can still be defeated by a spoofing attack.
In a spoofing attack, the attacking machine uses the network address of a machine inside the organization to download files to an unauthorized machine outside the organization.

3.3 Protecting passwords

a. Vulnerability: First, the FTP standard [PR85] allows an unlimited number of password attempts. Second, the PASS command transmits the password in the clear.

b. Attack: Brute-force attacks take two forms: direct brute force over a single connection, and brute force over many parallel connections to the server.

c. Preventive measures: Against the first form, the server should limit the number of attempts at the correct password; after several failed attempts it should close the client's control connection, and before doing so it can send reply 421 ("Service not available, closing control connection"). The server should also pause for a few seconds before responding to a PASS command, to reduce the effectiveness of brute force. Where possible, mechanisms provided by the host operating system can be used to implement these recommendations. Against the second form, the server can limit the maximum number of control connections, or detect suspicious behaviour across sessions and refuse later connection requests from that site. The problem of the password travelling in the clear can be solved by the authentication mechanisms of the FTP security extensions, which prevent eavesdropping.

d. Remaining problems: Introducing the two measures above opens the door to denial of service: an attacker can deliberately lock legitimate users out.

3.4 Privacy

In the FTP standard [PR85], all data and control information sent over the network is unencrypted. To keep FTP transfers private, a strong encryption system should be used wherever possible.

3.5 Protecting user names
a. Vulnerability: When the user name in the USER command is rejected, the FTP standard [PR85] defines reply code 530; when the user name is valid but a password is required, reply code 331 is used.

b. Attack: An attacker can determine whether a user name is valid from the reply to the USER command.

c. Preventive measures: Reply 331 in both cases, regardless of whether the user name is valid.

3.6 Port stealing

a. Vulnerability: When port numbers are allocated by operating-system-dependent methods, they are usually allocated in sequence.
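As an added Python example (not code from this article or from any real FTP server), the server-side measures of sections 3.1, 3.2, 3.3 and 3.5 modelled in one small session class: PORT is refused with 504 for well-known ports and for data addresses that differ from the control connection's peer, USER always gets 331, PASS is delayed and counted with 421 and disconnection after repeated failures, and parallel control connections per address are capped. The policy numbers, the credential table and the addresses are constructed for the example; a real server would take them from its configuration and the operating system.

```python
"""Hardened handling of PORT, USER and PASS as recommended in sections 3.1-3.5.
Added example; policy values and the credential store are constructed."""
import hmac
import time
from collections import defaultdict

MAX_FAILED_LOGINS = 3           # assumed policy: 421 and close after this many
PASS_DELAY_SECONDS = 2.0        # assumed policy: pause before every PASS reply
MAX_CONNECTIONS_PER_HOST = 5    # assumed policy: cap on parallel control connections

VALID_USERS = {"alice": "correct horse battery staple"}   # constructed store
_open_connections = defaultdict(int)    # open control connections per address

REPLY_504 = "504 Command not implemented for that parameter"


class FtpSession:
    def __init__(self, peer_ip, sleep=time.sleep):
        self.peer_ip = peer_ip          # address of the control connection peer
        self.sleep = sleep              # injectable so the example runs quickly
        self.failed_logins = 0
        self.pending_user = None
        self.data_target = None
        self.logged_in = False
        self.closed = False
        _open_connections[peer_ip] += 1
        if _open_connections[peer_ip] > MAX_CONNECTIONS_PER_HOST:
            self.greeting = "421 Too many connections from your address"
            self.close()                # parallel brute force: refuse the session
        else:
            self.greeting = "220 Service ready"

    def close(self):
        if not self.closed:
            self.closed = True
            _open_connections[self.peer_ip] -= 1

    def handle_port(self, arg):
        """PORT h1,h2,h3,h4,p1,p2: accept only safe data-connection targets."""
        if self.closed:
            return "421 Service not available"
        try:
            fields = [int(x) for x in arg.split(",")]
        except ValueError:
            return "501 Syntax error in parameters or arguments"
        if len(fields) != 6 or not all(0 <= f <= 255 for f in fields):
            return "501 Syntax error in parameters or arguments"
        host = ".".join(str(f) for f in fields[:4])
        port = fields[4] * 256 + fields[5]
        if port < 1024:                 # 3.1: never bounce onto a well-known service
            return REPLY_504
        if host != self.peer_ip:        # 3.2: data address must match the control peer
            return REPLY_504
        self.data_target = (host, port)
        return "200 PORT command successful"

    def handle_user(self, name):
        """USER: identical reply whether or not the name exists (3.5)."""
        if self.closed:
            return "421 Service not available"
        self.pending_user = name
        self.logged_in = False
        return "331 User name okay, need password"

    def handle_pass(self, password):
        """PASS: constant-time check, delay, lockout after repeated failures (3.3)."""
        if self.closed:
            return "421 Service not available"
        if self.pending_user is None:
            return "503 Bad sequence of commands"
        self.sleep(PASS_DELAY_SECONDS)  # slows down online guessing
        expected = VALID_USERS.get(self.pending_user, "")
        ok = self.pending_user in VALID_USERS and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self.logged_in = True
            return "230 User logged in, proceed"
        self.failed_logins += 1
        self.pending_user = None
        if self.failed_logins >= MAX_FAILED_LOGINS:
            self.close()
            return "421 Service not available, closing control connection"
        return "530 Not logged in"
```

The unknown-user branch still runs `hmac.compare_digest` against an empty string so that the PASS reply takes about the same time for real and invented names; combined with the uniform 331 from USER, neither reply text nor timing tells the caller which accounts exist.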