lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <hYZrCEI0Mj+BFw79@jretrading.com> From: joe at jretrading.com (Joe) Subject: NAT router inbound network traffic subversion In message <1106892739.9371.26.camel@...alhost.localdomain>, Kristian Hermansen <khermansen@...technology.com> writes >I have Googled around and asked a highly-respected Professor at my >University whether it is possible to direct packets behind a NAT router >without the internal 192.168.x.x clients first requesting a connection >to the specific host outside. The answer I received is "not possible". >I also asked if this can be thought of as a security feature, to which >the reply was again "yes". Yes. But see later. > >Now, I wouldn't place all my bets on his answer and I am calling on >someone out there to clear up my question. If NAT really does only >allow inbound connections with a preliminary request as he suggests, it >seems that the only way to get an "unauthorized" packet behind the >router is by some flaw in the firmware of the device. If you are not offering any services to the Internet, yes. If you are, then you have ports open on the router, redirecting to real machines, which may be running software which can be exploited. This is how worms spread. the home user is unlikely to be hit by a worm, unless they are running a Windows NT-derived operating system, such as XP, without a firewall and/or NAT device. Commercial installations such as web servers are the main targets for worms. > >How about if the client has requested a connection to Google.com from >behind his Linksys home NAT router: would it be possible for an outside >attacker to spoof packets from Google's IP to get packets into the >network? Or do we need to know the sequence numbers as well? Or is >there an even more devious way to get packets on the inside without a >client's initiative? Google for "man in the middle" attack. > >Has there been any research into this? Are there statistics on worm >propagation and exploited network hosts in relation to those individuals >that did not own routers (and instead connected directly to their >modem)? If *all* home users on the Internet had NAT routers during the >summer of 2003, would we have significantly slowed the spread of >Blaster? I believe these all to be very important questions and the >security aspects of the ability to route packets behind NAT really >interests me...maybe some of you can elaborate :-) Worms are not usually an issue for home users, except when someone sells an operating system with ports open to the Internet by default. XP pre-service pack 2 is such an operating system. Its users were duly hammered by worms, and would not have been if they used the built-in firewall, which was not enabled by default. I'm not sure how much a NAT device would have helped on its own. Modern versions of Windows are extremely talkative, and it may well have invited the bad guys in of its own accord. But widespread use of the firewall would have stopped it. More troublesome for home users are viruses spread by email, which initiate connections through the firewall, router or other device from the inside. The security device cannot generally tell whether the user or a virus has made the request, though third-part 'personal' firewalls, running on the user's workstation, are becoming quite good at this. I don't think Internet Explorer currently runs any code in an incoming email automatically, as it once did, but it's not hard to persuade many users to click on a button and run the virus themselves. Most viruses are now also worms, they will attempt to spread both by email and by direct contact with unprotected machines. -- Joe
Powered by blists - more mailing lists