We're running ftp services on our webserver using IIS5. IP Filtering is
enabled and allows TCP 21, 80 and 443 through. Directory security is
enabled on the ftp server so we can "control" who uses the anonymous login.
At some point yesterday, a user whose ip address is not in the allowed list
started trying to get into the ftp site. They are still trying to login,
about once every 2-3 minutes. If I run a netstat command, it appears that a
connection gets added each time they attempt to login, it gets placed in the
CLOSE_WAIT state and stays there. There were hundreds of connections before
I rebooted the machine and now they're starting to build up again.

Enough background, now for the questions...

Will this lead to a denial of service situation?
Does this happen "naturally" or should I consider it to be a malicious
attack?
Is there a way to prevent it from happening?

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]