What is TFTP (Trivial File Transfer Protocol)?

May 25, 2017 Security and Compliance, MOVEit

What exactly is TFTP (Trivial File Transfer Protocol) and how does it differ from other file transfer tools?

A key aspect of every network engineer’s job is to find a way to work more efficiently. With all the tech support fires you need to put out every day, you don’t want anything slowing you down when it comes to system admin tasks.

Along those lines, if you’re looking for an always-on, service-based tool to simplify the transfer of system and configuration files across your network, it’s worth considering TFTP—the Trivial File Transfer Protocol. While not offering all the capabilities of the File Transfer Protocol (FTP), TFTP is simpler to use.

Due to its lack of security, using TFTP over the open Internet can be risky. Thus, TFTP is generally only used on private intranets and local networks.

As a client-server, application-layer protocol, TFTP clients run the client software, and servers run the server software. It primarily comes into play when you do not require user-authentication and directory visibility. The protocol saves you time and effort when uploading and downloading files, and it can transfer operating system software and device configuration files across network computers and devices.

TFTP messages come in five types:

  • RRQ (read request) to request devices to read files.
  • WRQ (write request) to request devices to write files.
  • DATA to carry file blocks.
  • ACK (acknowledge) to acknowledge received file blocks.
  • ERROR to tell the sending device when an operation cannot be performed.

Each file block has an identification number so that ACK messages from target devices can correctly report back to sending devices if a block is received successfully. The ERROR message can occur for various reasons, such as an invalid file name or a file that does not have read/write permissions for the target device.

TFTP - FTP Comparison At A Glance

TFTP

FTP

Logins

Does not use logins

Requires user logins

Transport Layer

UDP

TCP

Number of Connections

One (stop and wait)

Two

Commands

Five

60+

 

How TFTP Works

As a lightweight file transfer protocol with a relatively small foot print, TFTP can fit inside small boot ROMs (Read Only Memory). Using ASCII (American Standard Code for Information Interchange) and binary modes, file transfers complete faster since TFTP uses UDP (User Datagram Protocol) for the transport layer protocol, which is much simpler compared to the complicated TCP (Transmission Control Protocol).

TFTP sends data block-by-block, with block sizes split into 512 bytes each. Since reliable delivery is not guaranteed by UDP, TFTP requires target devices to acknowledge if each block has been successfully received. Subsequent blocks are sent only after acknowledgement has been received by the sending device.

If acknowledgement for a block is not received within a specified time limit, the sending device pushes it out again until acknowledged by the target device. The last file block is always sent with a size less than 512 bytes so the target device knows it’s the last block. If the entire set of file blocks happens to be evenly divisible by 512, the sending device will send a block with zero bytes.

Thus, TFTP is a stop-and-wait protocol. Flow control is achieved by the sending device, one block at any instant of time.

Specific use-cases for TFTP include the device bootstrap process for downloading an OS (Operating System) and configuration files. You can also copy configuration files between nodes on the same network. For devices that get their IP (Internet Protocol) address through BOOTP (Bootstrap Protocol) or DHCP (Dynamic Host Configuration Protocol), they can use the TFTP protocol to download the bootstrap image and configuration files. You can also use TFTP in combination with FTP, such as loading the boot image and OS using TFTP, and the system image via FTP.

TFTP Leveraged—As An Attack Vector

As reported by SecurityIntelligence in June 2016, Akamai issued an advisory warning for distributed denial-of-service (DDoS) attacks leveraging TFTP. Most of the campaigns consisted of multi-vector attacks that included TFTP reflection. Akamai also found indications that this method may have been integrated into at least one site offering DDoS-as-a-service.

The attack engaged TFTP servers connected to the Internet by making a default request for a file, and the victim server returned data to the requesting target host as a result of this request, regardless of a file name mismatch. Because the target of the DDoS attack never acknowledged the data being exfiltrated, only the first block was sent. This mitigated the potential of higher amplification based on single requests.

Akamai also recommended a few mitigation techniques. For those hosting TFTP servers, assess the need to have UDP port 69 exposed to the Internet. This should be firewalled and only allowed to trusted sources. Intrusion detection systems can also help flag suspicious activities on the network.

Despite attacks like this one, TFTP remains a viable transfer protocol for downloading bootstrap images, operating systems and configuration files across private intranets and local networks. Just be sure to not expose any of your TFTP servers to the Internet!

Kevin Conklin

Kevin joined Ipswitch in 2015 and leads the company’s product and content marketing practices. He is widely recognized for his product marketing accomplishments in information technologies. He is a serial startup executive having played instrumental roles in the success of such companies as for Prelert, VKernel, Mazu Networks and Smarts, Inc. and has been instrumental to the success of these IT management technology companies. Kevin is also the co-host of the PICNIC Podcast live show (https://picnic-podcast.com/), sharing experiences and best practices, providing a voice of expertise, and educating IT professionals with the latest technology challenges.

Read next Managed File Transfer (MFT) vs. File Transfer Protocol (FTP)