What is an FTP Bounce Attack?
Prerequisite – File Transfer Protocol
An FTP Bounce attack is an old type of network attack performed on FTP servers to send outbound traffic to another device, typically another server in the network. It takes advantage of passive mode FTP, where the client initiates both the control and data connections. The attacker issues a PORT command and tricks the FTP connection into executing commands and extracting sensitive information from another device instead of the intended server. Through this attack, the attacker indirectly gains control of the victim's machine in the network to request data and send traffic from an FTP server to it. This gives the attacker a way to communicate with a third device on the network and gain unauthorized access to sensitive information from that device.
For example, consider a device A that does not have access to a server, and another device B that does have access and permission to read data on that server. An attacker carries out an FTP Bounce attack to gain access to the server through the authorized device B.
Today's FTP servers have features that prevent such attacks by default, but if these features are misconfigured, the server can become vulnerable to an FTP Bounce attack.
FTP Bounce Attack Operation
An FTP Bounce attack is carried out as follows:
- Let’s assume there is an attacker A.
- There are two servers (P and Q) and one client (C) in the network.
- Here Q is the third device on the network.
Step 1: Attacker A establishes an FTP control connection between client C and server P.
Step 2: Attacker A issues a PORT command for the data connection, but instead of specifying the IP of client C, the attacker specifies the IP of server Q in the PORT command.
Step 3: Attacker A now sends the list of commands to execute to server P. The list includes commands such as opening the passive connection to server Q from server P using a PORT command, but instead of giving the IP of server P, the attacker gives the IP of attacker A. The attacker thereby gains unauthorized access to files on server Q.
Step 4: Server Q sends the data requested by server P. Server P then sends this data back to attacker A.
Damage It Can Cause
1. Loss of data to an unauthorized system: This is a huge data concern. The loss of such data can affect any business or individual.
2. The attacker may modify sensitive data: The attacker may modify sensitive information that is crucial for your needs. The attacker may claim to release the original data only after you meet their demands. This will incur huge losses to the business in terms of data and money.
Prevention
1. Modern FTP servers take care of such attacks by default. FTP servers today only accept PORT commands that initiate a connection from the originating host, and deny any other PORT command that tries to connect to a different device IP. An individual can check for this default feature in their systems.
2. Additionally, one can configure the firewall to deny requests on port 20. Port 20 is the default port for passive FTP and is considered very insecure.
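The originating-host check from item 1, written out as an added example (not code from the original article or from any FTP server): it decodes a PORT argument and accepts it only when the address equals the control connection's peer. The function names and reply codes are hypothetical choices, the refusal of ports below 1024 is an extra check that follows RFC 2577 and goes beyond what the article states, and the addresses are constructed documentation-range values.

```python
import ipaddress

def parse_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected six comma-separated fields")
    octets = []
    for field in fields:
        # Each field is one byte written in decimal (0-255).
        if not (field.isascii() and field.isdigit()) or int(field) > 255:
            raise ValueError(f"bad field {field!r}")
        octets.append(int(field))
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return ip, octets[4] * 256 + octets[5]

def check_port_command(arg, control_peer_ip, min_port=1024):
    """Return (reply_code, reason) for a PORT argument (hypothetical helper)."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return 501, f"syntax error: {exc}"
    # Core check: the data connection may only go back to the host that
    # opened the control connection, never to a third device.
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return 500, f"PORT address {ip} is not the control peer {control_peer_ip}"
    # Extra check (assumption, per RFC 2577): refuse well-known ports.
    if port < min_port:
        return 500, f"PORT port {port} is below {min_port}"
    return 200, f"data connection to {ip}:{port} allowed"

if __name__ == "__main__":
    # Constructed sample input: control connection from 192.0.2.10.
    peer = "192.0.2.10"
    for arg in ("192,0,2,10,19,137", "198,51,100,7,19,137",
                "192,0,2,10,0,22", "192,0,2,10,19"):
        print(arg, "->", check_port_command(arg, peer))
```

A server that rejects the second and third sample arguments in this way has the default protection the article describes; one that accepts them is misconfigured.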