COMMAND

    IIS FTP Server

SYSTEMS AFFECTED

    Win NT with IIS 2.0, 3.0, 4.0

PROBLEM

    When multiple passive connections are made to a single FTP  server
    via the PASV FTP command, it  is possible to use up all  available
    system threads for servicing clients. Once this happens,  requests
    for additional connections will fail, and will continue to fail
    until a client thread is again available. Further, the FTP and WWW
    services on a machine share a common thread pool, so exhausting the
    FTP thread pool will also cause connection requests for the WWW
    service to fail. Once the passive connections time out, system
    performance will return to normal.

    Server Administrators will see  the following error in  the System
    Event Log:

        FTP Server could not create a client worker thread for user
        at host 'IPAddress'. The connection to this user is terminated.
        The data is the error.

    Clients accessing either the WWW or FTP services might see messages
    such as either of the following:

        - Connection closed by remote host
        - The FTP session was terminated

SOLUTION

    Microsoft has produced an update for MS IIS v2.0, 3.0 and 4.0:

    Intel Platforms
    ---------------
        ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/ftp-fix/ftpfix4i.exe
        ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/ftp-fix/ftpfix3i.exe
    Alpha Platforms
    ---------------
        ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/ftp-fix/ftpfix4a.exe
        ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/ftp-fix/ftpfix3a.exe

    NOTE: Although this fix  makes it significantly more  difficult to
    mount a denial of service attack against an FTP server, and limits
    the potential impact and severity  of such an attack, it  does not
    make an attack impossible. Malicious  use of the PASV FTP  command
    could still exhaust server resources and have a limited effect  on
    the operation of the FTP server. Clients that use passive mode
    connections to the FTP server, and clients that are uploading
    information to the FTP server, may be denied service. If this
    happens, there will be many event log entries of the type shown
    below. The event log entries give the user name of the attacker
    and the IP address that originated the attack. Using this
    information, the FTP server administrator could choose to deny
    access to the attacker, or take other appropriate actions.

    Event Log Entries:

        - Passive connect from user %1 at host %2 timed out.
        - File received from user %1 at host %2 timed out.

    If you are seeing  a large number of  either of these events,  you
    may be experiencing an attack.
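
    As an added illustration that is not part of the original advisory, the
    following Python script tallies the three event log messages quoted above
    per originating host, so an administrator can spot the pattern the
    advisory describes. The message formats are taken from the advisory; the
    log sample, host addresses and alert threshold are constructed assumptions.

```python
import re
from collections import Counter

# Message formats quoted in the advisory; %1/%2 become the user/host fields.
PATTERNS = [
    re.compile(r"Passive connect from user (?P<user>\S+) at host (?P<host>\S+) timed out\."),
    re.compile(r"File received from user (?P<user>\S+) at host (?P<host>\S+) timed out\."),
    re.compile(r"FTP Server could not create a client worker thread for user at host '(?P<host>[^']+)'"),
]

# Constructed sample of an exported System Event Log (not real data).
# One host (203.0.113.7, a documentation-range address) repeatedly times out
# passive connections; a second host shows a single ordinary timeout.
SAMPLE_LOG = """\
Passive connect from user anonymous at host 203.0.113.7 timed out.
Passive connect from user anonymous at host 203.0.113.7 timed out.
Passive connect from user anonymous at host 203.0.113.7 timed out.
File received from user anonymous at host 203.0.113.7 timed out.
FTP Server could not create a client worker thread for user at host '203.0.113.7'. The connection to this user is terminated.
Passive connect from user bob at host 198.51.100.20 timed out.
Service started.
"""


def count_timeouts(log_text):
    """Return {host: count of PASV timeout, upload timeout and thread-failure events}."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                counts[match.group("host")] += 1
                break  # each line matches at most one message format
    return counts


def suspicious_hosts(log_text, threshold=3):
    """Hosts whose event count reaches the threshold (constructed value; tune to your baseline)."""
    return sorted(host for host, n in count_timeouts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for host, n in count_timeouts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} event(s)")
    print("hosts to review:", suspicious_hosts(SAMPLE_LOG))
```

    Run it over a text export of the System Event Log; a host that dominates
    the counts is the one the advisory says to consider denying access to.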