FTP server software will often try to send an identd query to the client system by default. 30 seconds sounds like a common time-out value for an identd query.
This used to be somewhat useful in the past, but in modern networks, the identd service is usually disabled (or does not exist at all, like in Windows systems) and/or traffic to the identd port (113/TCP) is blocked in most firewalls.
There are two ways for a firewall to block a connection:
A) drop the connection, i.e. simply pretend the connection attempt did not exist. In the firewall rules, this is usually known as the DROP rule.
B) fake a response from the target system, saying essentially "this service is not available, don't bother trying." In the firewall rules, this is often known as the REJECT rule.
If there is no firewall, but the target system does not have the service requested, the target system would send a response identical to the type B.
When the FTP server sends an identd query, it expects to receive either a valid identd answer or a type B rejection.
If there is a firewall with a type A block for identd queries, the FTP server cannot detect it in any way: it is indistinguishable from a really slow connection. So the server must wait until the identd query times out.
But as the response to the identd query is optional, the connection can then proceed as normal.
Things to do at the FTP server side:
- If you wish to use the identd queries, make sure the FTP server's own iptables firewall does not block the identd responses.
- If you don't care about the identd queries, switch the identd query function off in the FTP server configuration.
Things to do for firewall administrators:
- Please don't use DROP rules for the identd service (113/TCP). Use the REJECT rules instead. If you're worried about someone using the rejection response as a component for DoS attacks, set up a firewall rule that limits the maximum number of identd connections, and uses the DROP rule only if the number of connections is excessive.
See also:
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-rejectMK
MK
