> I don't know of any ftp clients which make use of this feature (multiple
> data channels supported concurrently) as the original ftp clients were all
> line-based and only suported one transfer at a time. Maybe this is
> reasonable, but it would be a shame for the default defense to this attack
> to mean you can't use FTP to it's full potential (i.e. start a transfer
> from the current session but keep using the current `login' session, maybe
> to start other transfers, as requried). Triming the number of concurrent
> data sessions to a maximum of 1-5 (by default) would probably be enough,
> with the capability to set this higher/lower as required.
The OpenBSD ftpd has never permitted more than 1 connection at a time
in PASV mode, thus this particular denial of service attack does not
work.
I caused myself some difficulties by accidentally starting up 400 perl
instances, though..
One of the Linux's out there also ships with our ftpd, so they will
not have a problem with this either. It's either Debian or Suse...
