Friday, March 13, 2015

FTP bounce attack

Have you been digging deep into your IDS logs and noticed this snort alert ever?

alert (msg:"FTPP_FTP_BOUNCE"; sid:8; gid:125; rev:1; metadata:rule-type preproc, service ftp; classtype:bad-unknown; reference:cve,1999-0017; reference:url,; )

Let's try to figure out what it means. So I opened my packet capture and saw 2 records.

X1.X2.X3.X4:18663 => Y1.Y2.Y3.Y4:21 [ FTP , COMMAND=PORT, ARGS=Z1,Z2,Z3,Z4,P1,P2 ] X1.X2.X3.X4:42762 => Y1.Y2.Y3.Y4:21 [ FTP , COMMAND=PORT, ARGS=Y1,Y2,Y3,Y4,P3,P4 ]

The source IP X1.X2.X3.X4 was a Post NAT address where a lot of traffic goes through. The destination IP Y1.Y2.Y3.Y4 was some externally hosted FTP server. But those FTP commands looked a bit weird so I had to google what they meant. This old article about the FTP port command tells me that Z1,Z2,Z3,Z4 actually is listing the client's ip address Z1.Z2.Z3.Z4! And P1,P2 is a hex formatted version of the Client's Port. Same thing then for Y1,Y2,Y3,Y4 and P3,P4.

So what the Snort rule is trying to tell you is that the Source IP is sending 2 FTP PORT requests, but the Client IPs provided in the PORT command don't the match the real client's IP. This flaw is old and most modern FTP servers handle this scenario by validating that the Source IP and the IP provided by the client match the original ones given, but it's interesting to see an alert on it anyways.

Conclusion: This was a false positive. Why? Because IDS didn't know that this was a Post NAT IP address (basically every user inside a company is seen to the outside world has coming from 1 IP address from your company). And thus the IDS didn't know that this really wasn't the same user, it was 2 different users hidden behind the NAT. Thus this situation requires some tuning in your IDS or SIEM monitoring tools to ignore.

Keep monitoring those logs!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment