PORT commands

An FTP client in PROXY mode with your FTP server can establish a data connection to another FTP server and send large amounts of data from your server to the other server. Therefore, a malicious FTP client in PROXY mode can attack servers by sending large amounts of data from your server to another, resulting in severe performance degradation. Since the client is indirectly sending the data, it is more difficult to immediately determine the location of the malicious client.

You can prevent this type of attack by selecting "No" under the question "Should the server accept port commands?". However, in selecting "No", the server loses some ability to transfer data in PROXY mode. If the client is not configured as firewall-friendly, the client cannot execute commands such as GET, PUT, MPUT, MGET and APPEND in proxy mode. A firewall-friendly client can still execute these commands in proxy mode.

Since indicating that the server should not accept PORT commands results in significant limitations, an alternative is to restrict the usage of the PORT command. You can allow clients in proxy mode to do data transfers, but apply the following restrictions.

  1. Data transfers from your server to another server will be allowed only if the other server has the same IP address as the client. This is set by checking the box labeled "If it specifies an IP address different from the client's".
  2. Data transfers from your server to another server will be allowed only if the other server is not listening on a well-known port (i.e. the PORT command must not specify a port number lower than 1024). This is set by checking the box labeled "If it specifies a port number lower than 1024".
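The two restrictions above, together with the outright refusal of PORT commands, expressed as server-side validation of a PORT argument. This is an added illustration, not code from this FTP server; the function names, option names and the 192.0.2.x / 198.51.100.x sample addresses are constructed for the example.

```python
import ipaddress

PRIVILEGED_PORT_LIMIT = 1024  # threshold used by the "lower than 1024" option


def parse_port_command(arg):
    """Parse the argument of an FTP PORT command: h1,h2,h3,h4,p1,p2.

    Returns (host, port) where port = p1 * 256 + p2.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated values")
    values = []
    for field in fields:
        if not field.isdigit() or int(field) > 255:
            raise ValueError("PORT field must be a decimal value 0-255")
        values.append(int(field))
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return host, port


def check_port_command(arg, client_ip, accept_port=True,
                       reject_other_ip=True, reject_low_port=True):
    """Decide whether the server should honour a PORT command (hypothetical helper).

    accept_port     -> the "Should the server accept port commands?" setting
    reject_other_ip -> "If it specifies an IP address different from the client's"
    reject_low_port -> "If it specifies a port number lower than 1024"
    Returns (accepted, reason); reason is suitable for the server log.
    """
    if not accept_port:
        return False, "PORT rejected: server does not accept PORT commands"
    try:
        host, port = parse_port_command(arg)
    except ValueError as exc:
        return False, f"PORT rejected: {exc}"
    if reject_other_ip and ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        return False, f"PORT rejected: target {host} differs from client {client_ip}"
    if reject_low_port and port < PRIVILEGED_PORT_LIMIT:
        return False, f"PORT rejected: target port {port} is lower than {PRIVILEGED_PORT_LIMIT}"
    return True, f"PORT accepted: data connection to {host}:{port}"


if __name__ == "__main__":
    # Constructed sample: a client at 192.0.2.10 issuing three PORT commands.
    for cmd in ("192,0,2,10,4,1", "198,51,100,7,4,1", "192,0,2,10,0,80"):
        print(cmd, "->", check_port_command(cmd, "192.0.2.10"))
```

The first command targets the client's own address on port 1025 and is accepted; the second names a different host and the third names a port below 1024, so both are rejected with a reason a log review can act on.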