Subject: Re: PORT or PASV mode of IIS 4.0's FTP
From: Todd Garrison (tgarrisFRAMELOSS.ORG)
Date: Thu Aug 03 2000 - 10:23:34 CDT


This sounds a lot like SynDefender responding to what it believed was a
syn flood. I have seen many an admin configure SYN flood protection on
their firewall not realizing the consequences. It is a dangerous
feature that I personally don't see the benefit of using; it is more
likely to make your server unavailable than to protect it.

A packet dump would probably be the most helpful - are your connections
normally torn down or do you just get cut off with an RST?

If it is configured for, say, 100 SYNs per minute, and you have a
reasonably quick connection - the 101st SYN packet through the firewall
would cause any connections from your IP to be dropped by the firewall.

>
> The ftp client is trying to "get" 15,000 1-K files from the IIS's FTP
> server, the connection is killed by FW-1 after it got 100 files. The
> fw-log shows that when the client's "source port" hit a "pre-defined
> service" (port) in the rulebase, the connection is dropped. CP
> explained that FW-1 thought that it was a security violation.
>
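An added model of the two explanations in this thread (not code from the poster or from Check Point): a per-source-IP SYN-rate guard like the one the reply describes, fed by a bulk FTP client that opens one data connection per file, and a check of when sequentially allocated client source ports collide with a rulebase service port. The threshold, window, per-file timing, starting ephemeral port and service-port set are all constructed assumptions.

```python
"""Model of why a legitimate bulk FTP transfer can trip firewall protections.

Constructed example: the thresholds and port sets below are assumptions,
not FW-1 / SynDefender defaults.
"""
from collections import deque


def bulk_ftp_syn_times(n_files, seconds_per_file):
    """Active-mode FTP opens a fresh data connection (one SYN) per file."""
    return [i * seconds_per_file for i in range(n_files)]


def syn_guard_drop_index(syn_times, max_syns, window_seconds):
    """Sliding-window SYN counter for one source IP.

    Returns the index of the first SYN that exceeds max_syns within the
    window (the point where a SYN-flood guard would start dropping this
    client), or None if the limit is never exceeded.
    """
    recent = deque()
    for i, t in enumerate(sorted(syn_times)):
        while recent and t - recent[0] >= window_seconds:
            recent.popleft()          # expire SYNs older than the window
        recent.append(t)
        if len(recent) > max_syns:
            return i
    return None


def first_file_hitting_service_port(n_files, first_ephemeral_port, service_ports):
    """Sequential ephemeral allocation: file i uses first_ephemeral_port + i.

    A rule that matches the client's *source* port against service ports
    drops the connection the moment the counter lands on one of them.
    Returns (file_index, port) for the first collision, or None.
    """
    span = 65536 - first_ephemeral_port
    for i in range(n_files):
        port = first_ephemeral_port + (i % span)   # wrap at 65535
        if port in service_ports:
            return i, port
    return None


if __name__ == "__main__":
    # Constructed scenario: 15,000 files, 5 per second, guard at 100 SYNs/min.
    times = bulk_ftp_syn_times(15000, 0.2)
    print("SYN guard drops at SYN index:", syn_guard_drop_index(times, 100, 60))
    # Constructed placeholder service set; the thread does not name the port.
    print("Source-port collision:",
          first_file_hitting_service_port(15000, 1024, {1080, 1433, 1521}))
```

The 101st SYN (index 100) is the one the reply singles out; with the placeholder set, the 57th file's source port 1080 is the first to look like a "service".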