FTP PASV mode usage on the net
     I just connected to microsoft's FTP server to get stats on the percentage of individuals using
     the FTP passive mode, a copy of the session follows:
Connected to ftp.microsoft.com.
Escape character is '^]'.
220 ftp Microsoft FTP Service (Version 3.0).
331 Anonymous access allowed, send identity (e-mail name) as password.
230-Please see the dirmap.txt file for
230-more information.
230 Anonymous user logged in.
200-ABOR : 302878
    ACCT : 6
    ALLO : 1
    APPE : 12
    CDUP : 180296
    CWD  : 2643776
    DELE : 969
    HELP : 2825
    LIST : 1960318
    MKD  : 763
    MODE : 315
    NLST : 58931
    NOOP : 539571
    PASS : 1593667
    PASV : 1428243
    PORT : 2120405
    PWD  : 1080190
    QUIT : 349168
    REIN : 13
    REST : 293760
    RETR : 1495575
    RMD  : 240
    RNFR : 158
    RNTO : 16
    SITE : 3933
    STAT : 6098
    STOR : 6566
    STRU : 550
    SYST : 381727
    TYPE : 3183166
    USER : 1610611
    XCWD : 21
    XMKD : 39
    XPWD : 1866
    XRMD : 23
200 End of stats.
221 Thank you for using FTP.MICROSOFT.COM!

Here's the highlights:

    PASV : 1428243
    PORT : 2120405

     PASV mode usage accounts for 40.25% of the users on microsoft's site while PORT mode usage
     accounts for 59.75%.
     That means that if an FTP pizza thief program is successful in beating out connections to the
     data port 50% of the time, you'd be able to DoS 20% of the users and obtain 20% of the
     information flowing through the site.
     If you'd like to try getting the Microsoft site stats yourself it's quite simple. In Windows,
     click on the START button, click on RUN, type in (without the quotes) "telnet ftp.microsoft.com
     21" and click on OK. You will see "220 ftp Microsoft FTP Service (Version 3.0)" and at that point
     you can type (but you won't see your typing) "USER FTP" followed by the enter key, then type
     "PASS FTP" followed by the enter key. You will now see "230 Anonymous user logged in" if you
     logged in OK. If not, you may want to see what you're typing.. click on Terminal, Preferences,
     and check the box that says "local echo" and click on OK. Now dump the site statistics by typing
     "SITE STATS" and then hit enter.
     That's all there is to it. After doing "SITE STATS" if you feel like it type "PASV" and hit
     enter. It will respond like this: "227 Entering Passive Mode (198,105,232,1,13,131)." The
     198,105,232,1 is the internet address of the microsoft server. The 13,131 is the magic port
     number that has been opened for you. now do another PASV command.. you'll see the port number
     (last two numbers) change.
     Watch this:
     227 Entering Passive Mode (198,105,232,1,14,242).
     227 Entering Passive Mode (198,105,232,1,14,252).
     That was two PASV commands almost right after each other. The data port incremented by 10 (242 to
     252). That means that ports 243,244,245,246,247,248,249,250,251 were allocated for other people
     within that split second. If I have a program to try connecting to those ports and I actually
     connect before the other people get to them, I get the data they should have gotten.. all this
     because I can guess at what ports they're using by what ports I'm being given. I can also guess
     that the next ports 253,254,255... will be allocated and because I'm trying to connect at the
     same time as someone else is being told "here's a port for you to use", I get an even faster jump
     on them.
     Have fun and play around with it.. let me know what questions you have. Also let me know what
     questions people have about the exploit.. after I have those, I'll write a more directed and
     detailed synopsis.
     -Jeff Gerber