
Potential FTP Passive Connections Denial-of-Service in IIS

In certain situations, using multiple passive FTP connections may cause errors, degrade system performance, and possibly create a denial-of-service condition for both the FTP service and the WWW service on a computer running IIS.

Issue

When multiple passive connections are made to a single FTP server through the PASV FTP command, it is possible to use up all available system threads for servicing clients. Once this happens, requests for additional connections will fail as discussed above, and will continue to fail until a client thread is available again. Further, the FTP and WWW services on a computer share a common thread pool, so exhausting the FTP thread pool also causes connection requests to the WWW service to fail.

This vulnerability does not affect other services running on the same system, nor does it cause the FTP or WWW service to crash. Once the passive connections time out, the system performance returns to normal.

Server administrators will see the following error in the System Event Log:

"FTP Server could not create a client worker thread for user at host 'IPAddress'. The connection to this user is terminated. The data is the error."

Clients accessing either the WWW or FTP services might see either of the following two messages:

"Connection closed by remote host" or "The FTP session was terminated"

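As an added example (not part of the original advisory and not Microsoft's code), the Python below scans an exported System Event Log for the error quoted above and groups closely spaced occurrences into bursts that point to thread-pool exhaustion. The tab-separated export layout, the source names, the timestamps, the addresses and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Error text quoted in the advisory; the refused client's address sits in quotes.
THREAD_ERR = re.compile(
    r"FTP Server could not create a client worker thread "
    r"for user at host '(?P<host>[^']+)'"
)

# Constructed sample data. The "time<TAB>source<TAB>message" layout is an
# assumed export format; addresses come from the RFC 5737 documentation ranges.
MSG = ("FTP Server could not create a client worker thread for user at host "
       "'{}'. The connection to this user is terminated. The data is the error.")
SAMPLE_LOG = "\n".join([
    "1998-07-20 09:14:02\tMSFTPSVC\t" + MSG.format("192.0.2.10"),
    "1998-07-20 09:14:05\tOtherSource\tUnrelated constructed entry",
    "1998-07-20 09:14:09\tMSFTPSVC\t" + MSG.format("198.51.100.7"),
    "1998-07-20 09:14:20\tMSFTPSVC\t" + MSG.format("192.0.2.10"),
    "1998-07-20 09:14:31\tMSFTPSVC\t" + MSG.format("203.0.113.4"),
    "1998-07-20 11:02:45\tMSFTPSVC\t" + MSG.format("192.0.2.55"),
])

def parse_events(text):
    """Return (timestamp, refused_host) for each thread-creation failure."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        match = THREAD_ERR.search(parts[2]) if len(parts) == 3 else None
        if match:
            stamp = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            events.append((stamp, match["host"]))
    return events

def find_bursts(events, min_events=3, max_gap=timedelta(seconds=30)):
    """Group failures separated by at most max_gap; keep groups of min_events+."""
    groups, current = [], []
    for event in sorted(events):
        if current and event[0] - current[-1][0] > max_gap:
            groups.append(current)
            current = []
        current.append(event)
    if current:
        groups.append(current)
    # The named host is the client that was refused, so it may be a legitimate
    # user rather than the holder of the idle passive connections.
    return [{"start": g[0][0], "end": g[-1][0], "count": len(g),
             "refused_hosts": sorted({h for _, h in g})}
            for g in groups if len(g) >= min_events]

if __name__ == "__main__":
    for burst in find_bursts(parse_events(SAMPLE_LOG)):
        print(burst)
```

Because performance returns to normal once the passive connections time out, the end of a burst approximates when the shared thread pool recovered.
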
Affected Products

  • IIS 2.0, 3.0 and 4.0

Solution

Microsoft has produced an update for Windows NT Server's IIS versions 2.0, 3.0, and 4.0.

Intel Platforms

Windows NT Server's IIS 4.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-ftpfix/ftpfix4i.exe

Windows NT Server's IIS 3.0 and IIS 2.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/ftp-fix/ftpfix3i.exe

Alpha Platforms

Windows NT Server's IIS 4.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/ftp-fix/ftpfix4a.exe

Windows NT Server's IIS 3.0 and IIS 2.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/ftp-fix/ftpfix3a.exe

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: July 23, 1998
