CVE-2021-47865 Overview
CVE-2021-47865 is a denial of service vulnerability affecting ProFTPD 1.3.7a that allows remote attackers to overwhelm the FTP server by creating multiple simultaneous connections. By repeatedly establishing connections using threading techniques, attackers can exhaust server connection limits and effectively block legitimate user access to FTP services.
Critical Impact
Remote attackers can disrupt FTP service availability without authentication, preventing legitimate users from accessing critical file transfer services.
Affected Products
- ProFTPD 1.3.7a
Discovery Timeline
- 2026-01-21 - CVE-2021-47865 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47865
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue stems from ProFTPD's inadequate handling of concurrent connection requests, allowing malicious actors to consume all available connection slots through rapid, automated connection attempts.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-facing FTP servers. An attacker can leverage simple threading mechanisms to initiate numerous parallel connections, overwhelming the server's capacity to handle legitimate traffic.
The vulnerability specifically impacts service availability. While data confidentiality and integrity remain unaffected, the ability to render an FTP server completely unresponsive poses significant operational risks, particularly for organizations relying on FTP for critical file transfer operations.
Root Cause
The root cause of this vulnerability lies in ProFTPD's failure to implement proper resource allocation limits and throttling mechanisms for incoming connections. The server does not adequately restrict the rate at which new connections can be established from a single source, nor does it implement effective mechanisms to detect and mitigate connection flooding patterns.
This represents a classic resource exhaustion scenario where the server's finite connection pool can be depleted by a single malicious actor before legitimate users can establish their connections.
Attack Vector
The attack leverages network-based connection flooding targeting the FTP service port (typically port 21). An attacker initiates multiple concurrent TCP connections to the ProFTPD server using threading or multiprocessing techniques. Each connection consumes a slot in the server's connection pool until the maximum limit is reached.
Once all connection slots are exhausted, the server cannot accept new connections from any client, including legitimate users. The attacker can maintain this denial of service condition by keeping connections alive or continuously cycling through new connection attempts as old ones time out.
The attack requires no authentication and can be launched from a single host, though distributed attacks from multiple sources would be even more effective and harder to mitigate through simple IP-based blocking.
Detection Methods for CVE-2021-47865
Indicators of Compromise
- Unusually high number of simultaneous FTP connections from single or multiple IP addresses
- Rapid connection establishment and teardown patterns in FTP server logs
- Server connection pool consistently at or near maximum capacity
- Legitimate users reporting inability to connect to FTP services
- Network monitoring showing TCP SYN flood patterns targeting port 21
Detection Strategies
- Monitor FTP server connection counts and alert when thresholds approach maximum limits
- Implement network intrusion detection rules for connection flooding patterns on FTP ports
- Analyze server logs for rapid successive connection attempts from individual IP addresses
- Deploy network flow analysis to identify anomalous traffic volumes to FTP services
- Configure SIEM rules to correlate connection failures with potential DoS activity
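The log-analysis strategy above, sketched as an added example; it is not part of the original advisory and is not ProFTPD tooling. The line format in LINE_RE, the thresholds, the names detect_flood and _line, and the sample lines are all assumptions constructed for illustration; adapt the regular expression to the log format your server actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modelled on ProFTPD session messages; adjust to your logs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \S+ proftpd\[\d+\] \S+ "
    r"\(\S*\[(?P<ip>[0-9a-fA-F.:]+)\]\): FTP session (?P<event>opened|closed)\.")

def detect_flood(lines, window_s=10, max_new=5, max_open=3):
    """Return {ip: {"burst", "peak_open"}} for sources exceeding either limit."""
    recent = defaultdict(deque)      # ip -> open timestamps inside the window
    open_now = defaultdict(int)      # ip -> sessions opened and not yet closed
    worst = defaultdict(lambda: {"burst": 0, "peak_open": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore unrelated or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if m["event"] == "closed":
            open_now[ip] = max(0, open_now[ip] - 1)
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()              # drop opens that fell out of the window
        open_now[ip] += 1
        w = worst[ip]
        w["burst"] = max(w["burst"], len(q))
        w["peak_open"] = max(w["peak_open"], open_now[ip])
    return {ip: w for ip, w in worst.items()
            if w["burst"] > max_new or w["peak_open"] > max_open}

def _line(ts, ip, event):
    # Builds one constructed sample line in the assumed format.
    return f"{ts},000 ftp1 proftpd[4242] ftp1 ({ip}[{ip}]): FTP session {event}."

# Constructed sample: one source opens 8 sessions in 2 seconds, another behaves normally.
SAMPLE = (
    [_line(f"2021-03-10 12:00:0{i // 4}", "203.0.113.50", "opened") for i in range(8)]
    + [_line("2021-03-10 12:00:05", "198.51.100.7", "opened"),
       _line("2021-03-10 12:00:30", "198.51.100.7", "closed"),
       _line("2021-03-10 12:00:45", "198.51.100.7", "opened"),
       "unparseable line"])

if __name__ == "__main__":
    print(detect_flood(SAMPLE))
```

The default max_open of 3 mirrors the MaxClientsPerHost value used in the hardening example on this page; a source whose peak exceeds it is holding more sessions than that limit would allow.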
Monitoring Recommendations
- Enable detailed connection logging in ProFTPD configuration for forensic analysis
- Set up real-time alerting for connection pool exhaustion events
- Monitor server resource utilization including file descriptors and memory
- Implement network-level traffic analysis for the FTP service segment
- Regularly review connection logs for patterns indicative of reconnaissance or attack attempts
How to Mitigate CVE-2021-47865
Immediate Actions Required
- Review and reduce the maximum connection limit (MaxInstances directive) to balance availability and resource protection
- Implement per-IP connection limits using the MaxClientsPerHost directive
- Deploy network-level rate limiting for incoming connections on FTP ports
- Consider placing ProFTPD behind a reverse proxy or load balancer with DoS protection capabilities
- Enable connection timeout settings to quickly release abandoned connections
Patch Information
Consult the ProFTPD Official Website and the GitHub ProFTPD Repository for the latest security updates and patches. Review the VulnCheck ProFTPD Advisory for detailed remediation guidance. Additional technical details about the vulnerability can be found at Exploit-DB #49697.
Workarounds
- Implement firewall rules to limit the rate of new connections from individual IP addresses
- Configure iptables or equivalent to drop excessive connection attempts using hashlimit or connlimit modules
- Use TCP wrappers or mod_wrap to restrict FTP access to known IP ranges where possible
- Deploy a network-based DoS mitigation appliance or cloud-based protection service in front of the FTP server
- Consider migrating to SFTP or other secure file transfer protocols with more robust connection handling
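
# Example ProFTPD configuration hardening
# Add these directives to /etc/proftpd/proftpd.conf
# Limit maximum simultaneous connections
MaxInstances 30
# Limit connections per client IP address
MaxClientsPerHost 3
# Set aggressive timeouts for idle connections
TimeoutIdle 120
TimeoutNoTransfer 300
TimeoutLogin 60

# Example iptables rate limiting for FTP port (shell commands, not proftpd.conf directives)
# --syn restricts each rule to new connection attempts, so packets on established sessions are not dropped
# Drop new connections from a source that already holds more than 3
# iptables -A INPUT -p tcp --syn --dport 21 -m connlimit --connlimit-above 3 -j DROP
# Drop new connections from a source exceeding 3 per minute (burst of 5)
# iptables -A INPUT -p tcp --syn --dport 21 -m hashlimit --hashlimit-name ftp --hashlimit-mode srcip --hashlimit-above 3/min --hashlimit-burst 5 -j DROP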


