---------- Forwarded message ----------
From: Marcos Guillen (winnt2@RAN.ES)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Sun, 5 Jul 1998 22:54:05 +0200
Subject: Alert: MS IIS 4.0 FTP Denial of Service Attack

 If a site is running IIS 4.0 FTP server with more than 100 different FTP
Virtual Directories or Virtual sites, a Denial of Service Attack can be
easily performed by sending more than 10 simultaneous PUT or DELETE ftp orders
against a public ftp directory.

 After a few minutes, the FTP server starts responding with a "426 Connection
closed; transfer aborted" error to ALL FTP public or private Virtual
directories and sites on that machine, making it unavailable to any user,
including Administrators. Only a complete IIS 4.0 stop and restart will
solve the problem.

 Furthermore, if a legitimate user tries to replace files on the server
after the attack is performed, the files will be locked and overwritten with
a 0 Kb file with the same name as the old one the user was trying to
replace. This will produce a "File contains no data" error to any browser
trying to display that file from the IIS 4.0 Web Service. The file will
remain locked even from a local Administrator Windows NT Explorer console,
until a complete IIS 4.0 stop and restart is performed.

Regards,
Marcos Guillen
Ran Internet
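
A log check for the two symptoms described in the message above, added here as an example that is not part of the original post: it flags a client sending more than 10 write commands at once and 426 replies spread across several virtual sites. The log layout, the 5-second window, the three-site minimum and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified, hypothetical layout (not IIS's own log
# format): ISO timestamp, client IP, virtual site, FTP command, reply code.
SAMPLE_LOG = "\n".join(
    [f"2000-01-01T22:40:0{i % 3} 192.0.2.50 site001 {'STOR' if i % 2 else 'DELE'} 226"
     for i in range(12)]
    + ["2000-01-01T22:40:01 192.0.2.9 site002 STOR 226",
       "2000-01-01T22:44:10 192.0.2.9 site002 RETR 426",
       "2000-01-01T22:44:12 192.0.2.21 site017 STOR 426",
       "2000-01-01T22:44:15 192.0.2.33 site090 RETR 426"])

def parse(log):
    """Return (time, ip, site, command, status) tuples ordered by time."""
    events = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip blank or malformed lines
        ts, ip, site, cmd, status = fields
        events.append((datetime.fromisoformat(ts), ip, site, cmd.upper(), int(status)))
    return sorted(events, key=lambda e: e[0])

def write_bursts(events, threshold=10, window=timedelta(seconds=5)):
    """Clients with more than `threshold` STOR/DELE commands inside `window`.

    STOR and DELE are the protocol commands behind a client's PUT and DELETE.
    The 5-second window standing in for "simultaneous" is an assumption.
    """
    recent, flagged = defaultdict(deque), {}
    for ts, ip, _site, cmd, _status in events:
        if cmd not in ("STOR", "DELE"):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def sites_with_426(events, min_sites=3):
    """Virtual sites answering 426, if at least `min_sites` are affected."""
    sites = {site for _ts, _ip, site, _cmd, status in events if status == 426}
    return sorted(sites) if len(sites) >= min_sites else []

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("write bursts:", write_bursts(events))
    print("sites returning 426:", sites_with_426(events))
```
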