Microsoft Firewall re-writes FTP PORT address


Guest

How can I configure the firewall to prevent it from rewriting the address
included in an FTP PORT command?

I am trying a 3-way file transfer (RFC 959 section 5.2. CONNECTIONS), where
my PC sends a PASV command to server A and then sends the returned address in
a PORT command to server B, the firewall rewrites the command and replaces
the address with the PC's address. This rewriting prevents the
server-to-server transfer.
 
The only way to do this is to shut down the FTP ALG service. If you did not
select "Unblock" the first time you used your FTP client, you will also need
to go enable it in the list on the Exceptions tab of the Windows Firewall
control panel.

As a bit of historical information, what you are seeing is behavior that was
debated and done on purpose. The feature you describe is also known
as the FTP bounce attack, and can be used to port scan other machines, get
around IP restrictions on FTP servers, work around remote firewalls, or even
just a simple DoS attack against one server using more bandwidth than the
client would otherwise have. There is lots of potential for mischief,
especially in the case of trojaned computers that were part of "botnets"
(even a computer on dialup can launch a multi-megabit/second attack using
this method).

The research that was done when the ALG was designed indicated that there
were very, very few instances of this feature being used legitimately.
Given that information, the decision was made to go the secure route and
prevent the attack. Yes, someone actively attacking from their own machine
could always disable the FTP ALG service just like you can. BUT, the
feature does prevent the use of the bounce attack in the scenario where a
user has a trojan infecting their machine that is launching the attack
without the user's knowledge, so it definitely adds value.
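The exchange described in the thread, as an added example that is not code from either poster or from Microsoft: it parses server A's 227 reply, builds the PORT command the PC relays to server B, and models the ALG check that the reply describes (a PORT command naming any address other than the client's own is rewritten to the client's address, port unchanged). The addresses 192.0.2.10 (the PC) and 198.51.100.7 (server A) are constructed for the example, and `alg_enabled` is a hypothetical switch standing in for stopping the "Application Layer Gateway Service".

```python
"""
Model of an FTP three-way (server-to-server) data connection setup and of the
firewall FTP ALG rewrite described in the thread. Addresses are constructed
(192.0.2.10 = client PC, 198.51.100.7 = server A); server B is modelled only
as the recipient of the PORT command.
"""
import re

# RFC 959 reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 959 command: "PORT h1,h2,h3,h4,p1,p2"
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)


def _octets_to_endpoint(groups):
    """Turn the six decimal fields into ("a.b.c.d", port), validating ranges."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range: %r" % (vals,))
    port = vals[4] * 256 + vals[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return "%d.%d.%d.%d" % tuple(vals[:4]), port


def parse_pasv(reply):
    """Extract (ip, port) from the 227 reply server A sends to PASV."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in reply: %r" % reply)
    return _octets_to_endpoint(m.groups())


def parse_port(command):
    """Extract (ip, port) from a PORT command, as server B or the ALG would."""
    m = _PORT_RE.match(command)
    if m is None:
        raise ValueError("malformed PORT command: %r" % command)
    return _octets_to_endpoint(m.groups())


def build_port(ip, port):
    """Encode (ip, port) as the PORT command the client sends to server B."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def alg_rewrite(command, client_ip):
    """Model of the firewall FTP ALG: a PORT command naming an address other
    than the client's own is rewritten to client_ip, keeping the port.
    Returns (command_as_forwarded, was_rewritten)."""
    ip, port = parse_port(command)
    if ip == client_ip:
        return command, False
    return build_port(client_ip, port), True


def three_way_port_command(pasv_reply_from_a, client_ip, alg_enabled=True):
    """What server B actually receives when the client relays server A's PASV
    endpoint in a PORT command, with the ALG in the path or stopped.
    alg_enabled is a hypothetical switch for the ALG service (assumption)."""
    a_ip, a_port = parse_pasv(pasv_reply_from_a)
    port_cmd = build_port(a_ip, a_port)
    if not alg_enabled:
        return port_cmd
    forwarded, _ = alg_rewrite(port_cmd, client_ip)
    return forwarded


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (198,51,100,7,78,32)."  # constructed
    # With the ALG: server B is told to connect back to the PC, not server A.
    print(three_way_port_command(reply, "192.0.2.10", alg_enabled=True))
    # ALG stopped: server B is told to connect to server A's passive port.
    print(three_way_port_command(reply, "192.0.2.10", alg_enabled=False))
```

The comparison in `alg_rewrite` is the same check RFC 2577 recommends FTP servers make themselves: refuse (or, here, neutralise) a PORT whose address differs from the control connection's source. Running the script prints `PORT 192,0,2,10,78,32` with the ALG in the path and `PORT 198,51,100,7,78,32` without it, which is exactly the difference the thread describes between the blocked and the working transfer.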
 