On Fri, Mar 05, 2004 at 04:35:37PM -0500, Ghanta, Bose wrote:
> I was working on what I originally thought was a bug in our FTP client.
> Your ftp site has a very long banner (due to the crypto warnings and what
> all), and the bug opened against our FTP client was that it would disconnect
> partly through the login banner. After using a packet sniffer, I determined
> that what is happening is that at a certain point, as your FTP server is
> sending banner lines, it drops the connection.
This is a relatively common failure mode for scenarios involving a
stateful protocol-inspecting firewall being in the way. Many popular
implementations insist on a divisional newline being within the first
packet; to establish state (when using PASV) and protect against a
common attack method (see below). If the banner size starts coming
close to the MTU and the handshake is fragmented these implementations
can break the internet.
See:
http://www.securityfocus.com/archive/1/46655
http://www.checkpoint.com/techsupport/alerts/pasvftp.html
for a description of why the check occurs, and see:
http://lists.virus.org/fw1-0302/msg00599.html
for instructions on how to disable the check in the most common
implementation which displays this behaviour (checkpoint). It would be
worth investigating wether such a device is between you and the
ftp server, and whether or not it is responsible for your problems.
--
Colm MacCárthaigh Public Key: [EMAIL PROTECTED]
