What exactly is TFTP (Trivial File Transfer Protocol) and how does it differ from other file transfer tools?
A key aspect of every network engineer’s job is to find a way to work more efficiently. With all the tech support fires you need to put out every day, you don’t want anything slowing you down when it comes to system admin tasks.
Along those lines, if you’re looking for an always-on, service-based tool to simplify the transfer of system and configuration files across your network, it’s worth considering TFTP—the Trivial File Transfer Protocol. While not offering all the capabilities of the File Transfer Protocol (FTP), TFTP is simpler to use.
Due to its lack of security, using TFTP over the open Internet can be risky. Thus, TFTP is generally only used on private intranets and local networks.
As a client-server, application-layer protocol, TFTP clients run the client software, and servers run the server software. It primarily comes into play when you do not require user-authentication and directory visibility. The protocol saves you time and effort when uploading and downloading files, and it can transfer operating system software and device configuration files across network computers and devices.
TFTP messages come in five types:
- RRQ (read request) to request devices to read files.
- WRQ (write request) to request devices to write files.
- DATA to carry file blocks.
- ACK (acknowledge) to acknowledge received file blocks.
- ERROR to tell the sending device when an operation cannot be performed.
Each file block has an identification number so that ACK messages from target devices can correctly report back to sending devices if a block is received successfully. The ERROR message can occur for various reasons, such as an invalid file name or a file that does not have read/write permissions for the target device.
TFTP - FTP Comparison At A Glance
|
TFTP |
FTP |
|
|
Logins |
Does not use logins |
Requires user logins |
|
Transport Layer |
UDP |
TCP |
|
Number of Connections |
One (stop and wait) |
Two |
|
Commands |
Five |
60+ |
How TFTP Works
As a lightweight file transfer protocol with a relatively small foot print, TFTP can fit inside small boot ROMs (Read Only Memory). Using ASCII (American Standard Code for Information Interchange) and binary modes, file transfers complete faster since TFTP uses UDP (User Datagram Protocol) for the transport layer protocol, which is much simpler compared to the complicated TCP (Transmission Control Protocol).
TFTP sends data block-by-block, with block sizes split into 512 bytes each. Since reliable delivery is not guaranteed by UDP, TFTP requires target devices to acknowledge if each block has been successfully received. Subsequent blocks are sent only after acknowledgement has been received by the sending device.
If acknowledgement for a block is not received within a specified time limit, the sending device pushes it out again until acknowledged by the target device. The last file block is always sent with a size less than 512 bytes so the target device knows it’s the last block. If the entire set of file blocks happens to be evenly divisible by 512, the sending device will send a block with zero bytes.
Thus, TFTP is a stop-and-wait protocol. Flow control is achieved by the sending device, one block at any instant of time.
Specific use-cases for TFTP include the device bootstrap process for downloading an OS (Operating System) and configuration files. You can also copy configuration files between nodes on the same network. For devices that get their IP (Internet Protocol) address through BOOTP (Bootstrap Protocol) or DHCP (Dynamic Host Configuration Protocol), they can use the TFTP protocol to download the bootstrap image and configuration files. You can also use TFTP in combination with FTP, such as loading the boot image and OS using TFTP, and the system image via FTP.
TFTP Leveraged—As An Attack Vector
As reported by SecurityIntelligence in June 2016, Akamai issued an advisory warning for distributed denial-of-service (DDoS) attacks leveraging TFTP. Most of the campaigns consisted of multi-vector attacks that included TFTP reflection. Akamai also found indications that this method may have been integrated into at least one site offering DDoS-as-a-service.
The attack engaged TFTP servers connected to the Internet by making a default request for a file, and the victim server returned data to the requesting target host as a result of this request, regardless of a file name mismatch. Because the target of the DDoS attack never acknowledged the data being exfiltrated, only the first block was sent. This mitigated the potential of higher amplification based on single requests.
Akamai also recommended a few mitigation techniques. For those hosting TFTP servers, assess the need to have UDP port 69 exposed to the Internet. This should be firewalled and only allowed to trusted sources. Intrusion detection systems can also help flag suspicious activities on the network.
Despite attacks like this one, TFTP remains a viable transfer protocol for downloading bootstrap images, operating systems and configuration files across private intranets and local networks. Just be sure to not expose any of your TFTP servers to the Internet!