FTP (File Transfer Protocol)
Description
FTP is one of the oldest and most widely used file transfer protocols on the internet. It lets clients upload and download files on remote servers through a control connection and a separate data connection. Because FTP was designed before modern security standards existed, it includes no encryption at all: credentials, commands and file contents all travel in the clear. For that reason it is often replaced by more secure alternatives, but it is still heavily used in legacy systems and simple internal networks.
Technical Details
- Uses port 21 for the control connection. Port 20 is the server side of the data connection only in active mode; in passive mode the server listens on an ephemeral port instead.
- Operates in two modes known as active mode and passive mode.
- Transmits usernames, passwords, commands and file contents in plain text with no encryption.
- Supports authentication through simple username and password pairs.
- Uses separate channels for managing the session and transferring data.
How It Works
FTP works by creating two separate communication channels between the client and the server. The first channel is the control connection which remains active for the entire session. It is used for sending commands and receiving responses. The second channel is the data connection which is created and closed repeatedly whenever files or directory listings need to be transferred.
When a client wants to begin an FTP session it connects to the server on port 21. This connection carries all command based communication for the session. The server speaks first: as soon as the connection is accepted it sends a banner reply, status code 220 followed by text that often includes the server software name and version.
After the greeting the client must authenticate. Authentication is usually done with a username and password pair, sent as a USER command followed by a PASS command, but some servers allow anonymous access, where the username is set to anonymous and no password or a simple email address is required. Since FTP does not use encryption, these credentials are visible to anyone monitoring the network.
Once authentication is complete the client sends commands such as PWD to show the current directory or LIST to request a directory listing. Commands are sent over the control channel as plain text. The server responds with three digit numeric status codes: 1xx means the action has started and a further reply will follow, 2xx means success, 3xx means more input is needed (for example 331 after USER, asking for the password), 4xx is a temporary failure and 5xx a permanent one.
When the client requests a file transfer or directory listing the server and client must establish a second channel known as the data connection. Unlike the control channel the data connection is temporary and is only active while the transfer occurs. This separation makes FTP flexible but also introduces complexity when dealing with firewalls.
FTP has two modes for handling the data connection. In active mode the client sends a PORT command telling the server which address and port it is listening on. The server then initiates the data connection from its port 20 to that client port. This design works on open networks but fails when the client is behind NAT or a firewall that blocks incoming connections.
Passive mode resolves this issue by reversing the connection flow. The client sends PASV, the server listens on an ephemeral port and returns its address and port in a 227 reply, and the client initiates the data connection. This is more firewall friendly from the client side and is the default in most modern FTP clients.
During a file transfer the server sends the requested data over the data connection in either binary mode (selected with TYPE I) or ASCII mode (TYPE A). Binary mode delivers the raw bytes unmodified, which is essential for images, archives and programs. ASCII mode is meant for plain text files and may translate line endings to match the receiving system, so using it on binary data corrupts the file.
The control channel remains open throughout the transfer but carries no data. The server sends a preliminary reply (150) when it begins the transfer, the data connection is closed when the transfer ends, and only then does the server return a final reply over the control channel, 226 on success or an error code if something went wrong.
When the client is finished it sends a QUIT command. The server acknowledges with a 221 reply and closes the control channel. Most servers can log each session, including login attempts, directory listings, downloaded files, uploaded files and any errors, although transfer logging is often a setting that has to be switched on. These logs play a critical role in auditing and detecting unauthorized activity.
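The session described above as a complete exchange, added here as an example and not taken from any FTP implementation: a hypothetical minimal server and a passive-mode client talk over loopback sockets, so both sides' messages are real and the run needs no network access. The names (`fake_server`, `FtpClient`, `run_demo`, `hp_fields`), the constructed files in `FAKE_FILES`, the anonymous credentials and the missing-file failure path are this example's own assumptions; the reply codes, the PORT/227 address encoding and the multi-line reply rule follow RFC 959. The server assumes the client sends PASV before every LIST or RETR, which is what this client does.

```python
import socket
import threading

# Constructed sample files served by the fake server below (not real server content).
FAKE_FILES = {"notes.txt": b"hello\r\nworld\r\n", "data.bin": bytes(range(256))}
SIMPLE_REPLIES = {"USER": b"331 Password required", "PASS": b"230 Login successful",
                  "TYPE": b"200 Type set", "QUIT": b"221 Goodbye"}

def hp_fields(host, port):  # h1,h2,h3,h4,p1,p2 encoding shared by PORT and the 227 reply
    return f"{host.replace('.', ',')},{port // 256},{port % 256}"

def format_port(host, port):  # active mode: the client tells the server where to connect
    return f"PORT {hp_fields(host, port)}"

def parse_pasv(reply):  # passive mode: decode (host, port) from '227 ... (h1,h2,h3,h4,p1,p2)'
    f = [int(x) for x in reply[reply.index("(") + 1:reply.index(")")].split(",")]
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def read_line(lines):  # one CRLF-terminated control-channel line ('' on EOF)
    return lines.readline().decode("ascii", "replace").rstrip("\r\n")

def fake_server(ctrl):
    """Hypothetical minimal server: just enough of RFC 959 for one demo session (PASV before each transfer)."""
    lines = ctrl.makefile("rb")
    ctrl.sendall(b"220 fake-ftp ready\r\n")  # the server speaks first
    while True:
        cmd, _, arg = read_line(lines).partition(" ")
        cmd = cmd.upper()
        if cmd in SIMPLE_REPLIES:
            ctrl.sendall(SIMPLE_REPLIES[cmd] + b"\r\n")
        elif cmd == "PASV":
            data_listener = socket.create_server(("127.0.0.1", 0))  # ephemeral port picked by the OS
            ctrl.sendall(f"227 Entering Passive Mode ({hp_fields(*data_listener.getsockname())})\r\n".encode())
        elif cmd == "RETR" and arg not in FAKE_FILES:
            data_listener.close()  # failure path: nothing will be sent, so drop the listener
            ctrl.sendall(b"550 File not found\r\n")
        elif cmd in ("LIST", "RETR"):
            ctrl.sendall(b"150 Opening data connection\r\n")  # preliminary reply
            data, _ = data_listener.accept()
            data.sendall(FAKE_FILES[arg] if cmd == "RETR" else "".join(
                f"-rw-r--r-- 1 ftp ftp {len(v):8d} Jan 01 00:00 {k}\r\n" for k, v in FAKE_FILES.items()).encode())
            data.close()  # closing the data channel is what marks end of file
            data_listener.close()
            ctrl.sendall(b"226 Transfer complete\r\n")  # final reply on the control channel
        elif cmd:
            ctrl.sendall(b"502 Command not implemented\r\n")
        if cmd in ("QUIT", ""):  # QUIT was answered above; '' means the client hung up
            break
    ctrl.close()

class FtpClient:
    """Minimal passive-mode client: one control connection, a fresh data connection per transfer."""
    def __init__(self, host, port):
        self.ctrl = socket.create_connection((host, port), timeout=5)
        self.lines = self.ctrl.makefile("rb")
        self.log = []  # (command, reply code) pairs: the control-channel exchange as the client saw it
        self._reply()  # consume the 220 greeting

    def _reply(self):  # 'ddd-' starts a multi-line reply that ends with a 'ddd ' line
        line = read_line(self.lines)
        code, multi = int(line[:3]), line[3:4] == "-"
        while multi and not (line[:3] == str(code) and line[3:4] == " "):
            line = read_line(self.lines)
        return code, line

    def cmd(self, command):
        self.ctrl.sendall((command + "\r\n").encode("ascii"))
        code, line = self._reply()
        self.log.append((command.split()[0], code))
        return code, line

    def retrieve(self, command):
        """LIST or RETR in passive mode: PASV, connect, send the command, read to EOF, then read 226."""
        _, line = self.cmd("PASV")
        with socket.create_connection(parse_pasv(line), timeout=5) as data:
            code, _ = self.cmd(command)
            if code != 150:
                return code, b""  # e.g. 550: nothing will arrive on the data channel
            chunks = []
            while chunk := data.recv(4096):
                chunks.append(chunk)
        code, _ = self._reply()  # 226 arrives only after the data channel has closed
        return code, b"".join(chunks)

def run_demo():
    """One full session against the fake server on loopback; returns what the client saw."""
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=lambda: fake_server(listener.accept()[0]), daemon=True).start()
    c = FtpClient(*listener.getsockname())
    c.cmd("USER anonymous")  # constructed anonymous login: user 'anonymous', e-mail as password
    login_code, _ = c.cmd("PASS user@example.com")
    c.cmd("TYPE I")  # binary mode
    _, listing = c.retrieve("LIST")
    _, blob = c.retrieve("RETR data.bin")
    missing, _ = c.retrieve("RETR nope.txt")
    c.cmd("QUIT")
    listener.close()
    return {"login": login_code, "listing": listing.decode(), "data": blob,
            "missing": missing, "log": c.log}
```

Calling `run_demo()` returns the control-channel exchange as (command, code) pairs alongside the bytes that came back on the data channel. Two details are worth noticing: the 226 completion reply only arrives after the server has closed the data connection, which is why `retrieve()` reads the data socket to EOF before touching the control channel again; and every byte the client sends and receives here, the password included, crosses the wire exactly as shown, which is the subject of the next section.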
Security Considerations
FTP is not secure because everything, credentials included, is transmitted in plain text. Anyone on the network path can capture usernames, passwords and file contents with simple packet sniffing. The protocol has no integrity protection, so it does not defend against man in the middle attacks or tampering with files in transit. Firewalls also struggle with FTP because the data connection uses dynamic ports, which makes the protocol harder to manage securely.
Potential Abuse Cases
Attackers abuse FTP servers by trying anonymous login wherever the server allows it. Weak credentials are brute forced easily, since the protocol itself imposes no rate limiting and a failed attempt costs the attacker almost nothing. Once inside, an attacker may upload malicious files or exfiltrate sensitive data. Open FTP servers are frequently indexed by automated scanners that search for exposed information.
Detection Strategies
Detection often begins with monitoring server logs for failed login attempts or anonymous access. Unusual file uploads or unexpected directory modifications are strong indicators of misuse. Because FTP is unencrypted, network monitoring tools can inspect the control channel to identify suspicious commands and unauthorized transfers. Note that the commands travel over port 21 but the bytes do not: large data movements show up on the separate data connection (port 20 in active mode, or the passive port range), so alerting on volume must watch those flows, or correlate each transfer with the RETR or STOR command and the 226 reply that bracket it on the control channel.
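Detection logic run over constructed log lines, added here as an example (the column layout is not any FTP daemon's real log format, and the rule names and thresholds are this example's own assumptions): it flags successful anonymous logins, a burst of failed logins from one address inside a sliding time window, any STOR upload, and a client whose cumulative RETR bytes cross a threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed server log in a hypothetical format (not any real FTP daemon's log layout):
# <ISO timestamp> <client ip> <user> <event> <path or -> <bytes or ->
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 anonymous LOGIN_OK - -
2024-05-01T10:00:05 203.0.113.7 anonymous RETR /pub/readme.txt 1200
2024-05-01T10:01:00 198.51.100.9 admin LOGIN_FAIL - -
2024-05-01T10:01:02 198.51.100.9 admin LOGIN_FAIL - -
2024-05-01T10:01:04 198.51.100.9 admin LOGIN_FAIL - -
2024-05-01T10:01:06 198.51.100.9 admin LOGIN_FAIL - -
2024-05-01T10:01:08 198.51.100.9 admin LOGIN_FAIL - -
2024-05-01T10:01:10 198.51.100.9 admin LOGIN_OK - -
2024-05-01T10:01:30 198.51.100.9 admin STOR /incoming/update.bin 8300
2024-05-01T10:02:00 198.51.100.9 admin RETR /data/customers.csv 52428800
2024-05-01T10:02:40 198.51.100.9 admin RETR /data/invoices.csv 31457280
2024-05-01T11:00:00 192.0.2.44 alice LOGIN_FAIL - -
2024-05-01T11:05:00 192.0.2.44 alice LOGIN_OK - -
2024-05-01T11:05:30 192.0.2.44 alice RETR /pub/readme.txt 1200
"""

FAIL_THRESHOLD = 5                    # this many failed logins from one IP ...
FAIL_WINDOW = timedelta(seconds=60)   # ... inside this window counts as brute force
BULK_BYTES = 50 * 1024 * 1024         # cumulative RETR bytes per (ip, user) above which we alert


def parse_line(line):
    ts, ip, user, event, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "event": event, "path": path, "size": 0 if size == "-" else int(size)}


def detect(log_text):
    """Return alerts as (rule, client ip, detail) tuples, in the order they fire."""
    alerts = []
    recent_fails = defaultdict(deque)   # ip -> timestamps of LOGIN_FAIL still inside the window
    downloaded = defaultdict(int)       # (ip, user) -> cumulative RETR bytes
    bulk_alerted = set()
    for line in filter(None, log_text.splitlines()):
        e = parse_line(line)
        if e["event"] == "LOGIN_OK" and e["user"] == "anonymous":
            alerts.append(("anonymous_login", e["ip"], e["user"]))
        elif e["event"] == "LOGIN_FAIL":
            q = recent_fails[e["ip"]]
            q.append(e["ts"])
            while e["ts"] - q[0] > FAIL_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) == FAIL_THRESHOLD:          # fire when the count reaches the threshold
                alerts.append(("brute_force", e["ip"], f"{len(q)} failures in {FAIL_WINDOW.seconds}s"))
        elif e["event"] == "STOR":
            alerts.append(("upload", e["ip"], e["path"]))   # any upload deserves a look on a download-only server
        elif e["event"] == "RETR":
            key = (e["ip"], e["user"])
            downloaded[key] += e["size"]
            if downloaded[key] > BULK_BYTES and key not in bulk_alerted:
                bulk_alerted.add(key)
                alerts.append(("bulk_download", e["ip"], f"{downloaded[key]} bytes"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:16} {ip:14} {detail}")
```

The per-client byte counter is the important design choice: a single 50 MB download from a legitimate account is not suspicious on its own, but the same session accumulating downloads across several files is, and that total is only visible if the detector keys on the client rather than on individual transfers. Alice's one failed login followed by a success five minutes later produces nothing, which is the false positive rate a sliding window buys you over a plain counter.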
Mitigation Techniques
The most effective mitigation is to replace FTP with a secure alternative: SFTP (file transfer over SSH, a different protocol that shares only the name) or FTPS (FTP with the control and data channels wrapped in TLS). If FTP must remain active, administrators should disable anonymous login, enforce strong credentials, and restrict access by source IP. File system permissions must be limited to the minimum required, with write access only where uploads are genuinely needed. Pinning passive mode to a fixed port range and allowing only that range through the firewall also reduces exposure; this becomes mandatory with FTPS, because once the control channel is encrypted the firewall can no longer read PASV replies to open data ports on demand.
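An added example, not from vsftpd or from any real deployment, that checks a vsftpd.conf against the mitigations above. The directive names are vsftpd's; the two configuration fragments are constructed (one weak, one hardened), and the rule set, the finding names and the decision to treat any directive left unset as a finding rather than trusting compiled-in defaults are this example's own assumptions.

```python
# Two constructed vsftpd.conf fragments (not taken from any real deployment).
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
xferlog_enable=YES
"""


def parse_conf(text):
    """key=value lines; '#' comments and blank lines are ignored; a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().upper()
    return conf


def setting(conf, key):
    return conf.get(key, "")   # unset is deliberately not mapped to any default


def audit(conf):
    """Return (rule, explanation) findings; an empty list means every check passed."""
    findings = []
    if setting(conf, "anonymous_enable") != "NO":
        findings.append(("anonymous_login", "anonymous_enable is not explicitly NO"))
    if setting(conf, "ssl_enable") != "YES":
        findings.append(("no_tls", "ssl_enable is not YES: credentials and data cross the wire in clear text"))
    elif setting(conf, "force_local_logins_ssl") != "YES" or setting(conf, "force_local_data_ssl") != "YES":
        findings.append(("tls_optional", "TLS is offered but not forced, so plaintext logins or transfers are still accepted"))
    if setting(conf, "write_enable") == "YES":
        findings.append(("write_enabled", "write_enable=YES: confirm uploads are required and confined to specific directories"))
    if setting(conf, "chroot_local_user") != "YES":
        findings.append(("no_chroot", "chroot_local_user is not YES: users can browse outside their home directory"))
    lo, hi = setting(conf, "pasv_min_port"), setting(conf, "pasv_max_port")
    if setting(conf, "pasv_enable") != "NO" and not (lo.isdigit() and hi.isdigit() and 0 < int(lo) <= int(hi)):
        findings.append(("pasv_range_unpinned", "passive mode without a pasv_min_port/pasv_max_port range: the firewall must open everything"))
    if setting(conf, "xferlog_enable") != "YES":
        findings.append(("no_xferlog", "xferlog_enable is not YES: no transfer log to detect misuse with"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, [rule for rule, _ in audit(parse_conf(text))])
```

The `tls_optional` rule is the one most often missed in practice: enabling TLS while leaving `force_local_logins_ssl` or `force_local_data_ssl` off lets a client that never requests TLS, or an attacker who strips the negotiation, fall back to exactly the plaintext session the page describes.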