lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date:	Thu, 1 Mar 2007 13:21:23 -0800
From:	Robert Dyck <>
Subject: Application on MASQ node can hijack port used by application on gateway

When nodes on the LAN are masqueraded Linux on the gateway will attempt to use 
the same port that an app on the LAN used. This can only be done once after 
which Linux will arbitrarily assign ports.

Using the example of VoIP phones which use a default port of 5060, the first 
phone to register with proxy server will be assigned port 5060 on the gateway 
and the second would be assigned port 1024. Keep-alive packets are used by 
the phones, the proxy or both to maintain the NAT bindings. The proxy makes 
note of the originating port. Incoming packets are routed correctly.

Now consider the case of a application running on the gateway box. It would 
send and listen on port 5060. In this case we would not use keep-alive 
packets. We open port 5060 on the firewall so that we can receive calls from 
the public internet. I have observed that a phone on the LAN can bind to port 
5060 even though the application had grabbed port 5060. The result is that 
packets intended for the application will be routed to the phone on the LAN. 
The phone on the LAN also gets packets intended for it.

This was confirmed by /proc/net/ip_conntrack and also by capturing packets 
with a sniffer. The contents of the packets showed that some of the packets 
were clearly not intended for the phone that received them. The application 
listening on port 5060 received nothing.

Rob Dyck
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists