IBM Support

Firewall reports FTP bounce attack using PASV FTP and sysplex distributor

Troubleshooting


Problem

The sysplex distributor function of z/OS Communications Server is being used to distribute incoming FTP requests across multiple LPARs. When the FTP client is set to passive (PASV) mode, the resulting connections are flagged by a firewall as an FTP bounce attack.

Diagnosing The Problem

An FTP server trace with options SOC(3),SEC,CMD,BAS,FLO shows that the LISTEN request for the PASV data connection fails with ERRNO2=744C7332 (JRNOTSPDRVIPA). This reason code means that the LISTEN request was issued on a socket that is bound to a sysplex-distributed DVIPA and is using an ephemeral port, but the distributed DVIPA is not defined with SYSPLEXPORTS.

Resolving The Problem

When using passive mode FTP with a distributed DVIPA, SYSPLEXPORTS must be specified on the TCPIP profile definition for the distributed DVIPA (the VIPADISTRIBUTE statement). Specifying SYSPLEXPORTS enables sysplex-wide coordination of ephemeral ports, so the port chosen for the PASV data connection is unique across the sysplex. For more information about SYSPLEXPORTS, see z/OS Communications Server: IP Configuration Guide. For more information about coding the VIPADISTRIBUTE statement, see z/OS Communications Server: IP Configuration Reference.
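The following TCPIP profile fragment is added here as an illustration and is not taken from the technote. It shows a VIPADYNAMIC block for the distributed DVIPA before and after the fix; the DVIPA address, subnet mask, distributed port list and DESTIP ALL target selection are constructed values for the example.

```text
* --- BEFORE: distributed DVIPA without SYSPLEXPORTS ---------------
* The FTP server listens on port 21 of the DVIPA. When a client sends
* PASV, the server binds the data socket to the same DVIPA with an
* ephemeral port and issues LISTEN. Because no sysplex-wide port
* coordination exists, the LISTEN fails with ERRNO2=744C7332
* (JRNOTSPDRVIPA), and the data connection the server advertises is
* what the firewall reports as a bounce attack.
VIPADYNAMIC
  VIPADEFINE MOVEABLE IMMEDIATE 255.255.255.0 10.1.1.100
  VIPADISTRIBUTE DEFINE 10.1.1.100 PORT 21 DESTIP ALL
ENDVIPADYNAMIC

* --- AFTER: SYSPLEXPORTS added to the VIPADISTRIBUTE statement ----
* SYSPLEXPORTS precedes the DVIPA address on VIPADISTRIBUTE DEFINE.
* Ephemeral ports for sockets bound to 10.1.1.100 are now assigned
* from a sysplex-wide pool, so the PASV data socket's LISTEN succeeds
* on whichever LPAR the sysplex distributor routed the control
* connection to.
VIPADYNAMIC
  VIPADEFINE MOVEABLE IMMEDIATE 255.255.255.0 10.1.1.100
  VIPADISTRIBUTE DEFINE SYSPLEXPORTS 10.1.1.100 PORT 21 DESTIP ALL
ENDVIPADYNAMIC
```

After activating the changed profile (for example with VARY TCPIP,,OBEYFILE), re-run the FTP server trace with the same options and confirm the LISTEN for the PASV data connection no longer returns JRNOTSPDRVIPA. Note that sysplex-wide ephemeral port coordination relies on the EZBEPORT coupling facility structure being defined for the sysplex.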


Document Information

Modified date:
15 June 2018

UID

swg21458553