FTP Passive Mode May Terminate Session

Article ID: 189262
Last Review: September 22, 2005
Revision: 4.1
This article was previously published under Q189262
SYMPTOMS

The Internet Information Server FTP service includes a passive mode command (PASV) to request that the server wait for a connection instead of initiating one after receiving a transfer command. In certain situations, multiple passive connections can cause errors, degraded system performance, and denial of service for both the Web and FTP services.

Server administrators will see the following error in the System Event Log:
FTP Server could not create a client worker thread for user at host
<IPAddress>. The connection to this user is terminated. The data is
the error.

Clients accessing either the Web or FTP services may see a message similar to one of the following:
Connection closed by remote host
The FTP session was terminated

CAUSE

When multiple passive connections are made at the same time to a single FTP server, they can use up all available system threads for servicing clients. Any additional connection requests will result in the errors listed above until a client thread is available again.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 (http://support.microsoft.com/kb/152734/EN-US/) How to Obtain the Latest Windows NT 4.0 Service Pack

NOTE: The fix for a bug in the W3 and FTP Performance Monitor also fixes the problem described in this article. If you plan to use the Performance Monitor, please see the following article in the Microsoft Knowledge Base:
185349 (http://support.microsoft.com/kb/185349/EN-US/) : Problems Remotely Accessing W3 or FTP Perfmon Counters

To resolve this problem, download and install one of the following fixes or wait for the next Windows NT service pack.

Intel Platforms

IIS 4.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-ftpfix/ftpfix4i.exe (ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-ftpfix/)

IIS 3.0 and IIS 2.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis3-ftpfix/ftpfix3i.exe (ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis3-ftpfix/)

Alpha Platforms

IIS 4.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-ftpfix/ftpfix4a.exe (ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis4-ftpfix/)

IIS 3.0 and IIS 2.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis3-ftpfix/ftpfix3a.exe (ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/iis3-ftpfix/)

NOTE: Each of the above URLs is one path; it has been wrapped for readability.

NOTE: You might also consider running the Web and FTP services on separate servers to further decrease the possibility of attacks against multiple services.

For additional information, please see the following article in the Microsoft Knowledge Base:
189271 (http://support.microsoft.com/kb/189271/EN-US/) : Minimal services to run on a secure IIS Server

NOTE: This fix limits the denial of service attack and lessens its severity. However, there will still be a limited effect on the operation of the FTP server. Clients that use PASV mode connections to connect to the FTP server may be denied service, and clients that are uploading information to the FTP server may be denied service. If this attack occurs, there will be many event log entries of the type shown below. The event log entries will give the user name of the attacker and the IP address that originated the attack. This will enable the attacked machine's owner to deny the user or originating site access to the FTP server.

Event Log Entries:
1. Passive connect from user %1 at host %2 timed out. If you are seeing a large number of these events, you may be experiencing a denial of service attack. See http://www.microsoft.com/security for more information.
2. File received from user %1 at host %2 timed out. If you are seeing a large number of these events, you may be experiencing a denial of service attack. See http://www.microsoft.com/security for more information.
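
The following is an added example, not part of the original article or of any Microsoft tool. It counts the two timeout events above per user and host in event log message text that has been exported as strings, and reports the sources that exceed a threshold; the function names, the threshold of 3, and the sample messages are assumptions made for illustration.

```python
import re
from collections import Counter

# The two event log templates from the article; %1 is the user, %2 the host.
TEMPLATES = {
    "pasv_timeout": re.compile(
        r"Passive connect from user (?P<user>.+?) at host (?P<host>\S+) timed out"),
    "upload_timeout": re.compile(
        r"File received from user (?P<user>.+?) at host (?P<host>\S+) timed out"),
}

def parse_event(message):
    """Return (kind, user, host) if the message matches a template, else None."""
    for kind, pattern in TEMPLATES.items():
        m = pattern.search(message)
        if m:
            return kind, m.group("user"), m.group("host")
    return None

def suspects(messages, threshold=3):
    """Return (user, host, count) for sources with >= threshold timeout events.

    The threshold is an assumed value; tune it to the server's normal traffic.
    """
    counts = Counter()
    for message in messages:
        event = parse_event(message)
        if event:
            _, user, host = event
            counts[(user, host)] += 1
    hits = [(u, h, n) for (u, h), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda row: (-row[2], row[1], row[0]))

# Constructed sample messages (documentation-range addresses, not real log data).
SAMPLE = (
    ["Passive connect from user anonymous at host 192.0.2.10 timed out."] * 4
    + ["File received from user anonymous at host 192.0.2.10 timed out.",
       "Passive connect from user alice at host 198.51.100.7 timed out.",
       "FTP Server could not create a client worker thread for user at host 192.0.2.10."]
)

if __name__ == "__main__":
    for user, host, count in suspects(SAMPLE):
        print(f"{host}\t{user}\t{count} timeout events")
```

The resulting user and host pairs are the candidates for the access denial described in the note above.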

STATUS

Microsoft has confirmed that this problem could result in some degree of security vulnerability in the Microsoft products listed at the beginning of this article. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.

MORE INFORMATION

For additional information, please see the following article in the Microsoft Knowledge Base:
181743 (http://support.microsoft.com/kb/181743/EN-US/) : Error Message 426 Trying to Retrieve File from FTP Server


APPLIES TO
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Internet Information Server 2.0
Microsoft Internet Information Server 3.0
Microsoft Internet Information Server 4.0

Keywords: 
kbbug kbfix kbqfe kbhotfixserver KB189262
