Port-based protection gets pwned
A neat and clever hack has undermined long held assumptions about the network security protections offered by properly configured routers and firewalls.
The technique, dubbed ‘NAT Slipstreaming’, allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing avictim’s network address translation (NAT) or firewall security controls in the process – providing a victim is first tricked into visiting a site under the would-be hacker’s control.
Network address translation remaps an IP address space for traffic passing through a networking device. The technique proved very useful in conserving address space and thereby forestalling IPv4 address exhaustion, but it also has some security benefits that NAT Slipstreaming runs all over.
This JavaScript-based attack, developed by security researcher Samy Kamkar, only works if the targeted NAT/firewall support Application Level Gateways (ALG), a technology needed to support protocols that require multiple ports (control channel and data channel) to work such as VoIP protocols such as SIP and H323, file transfer protocol (FTP), and more.
Caught in the Slipstream
The NAT Slipstream attack – a new packet injection technique that works across all major modernbrowsers – takes advantage of arbitrary control of the data portion of some TCP and UDP packets without reference to HTTP or other headers, Kamkar explains in a detailed technical blog post:
NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse.
As it’s the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions.
Put more simply, NAT Slipstreaming exploits a flaw in how some routers implement ALG that allows NAT to be bypassed.
Kamkar told The Daily Swig that fixing the security shortcomings laid bare by his research may be a challenge.
“Routers can disable ALG but this makes them less convenient (VoIP phones stop working). The SIP ALG can be improved, but SIP was just one example, [and] other ALGs expose this,” Kamkar said during an exchange on Twitter.
“Browsers can block port 5060, but I don't think that's the end of it. This area is a bit of whack-a-mole,” he added.
Even the “vulnerabilities” at play are tricky to define and perhaps better described as “security shortcomings”.
Kamkar explained: “Everything is working to spec; it's simply the combination of various protocols and features that can have complex interactions when chained together.”
RELATED HTTP/3: Everything you always wanted to know about the next-generation web protocol
FAQs
NAT Slipstream allows an attacker outside the firewall to remotely access any TCP or UDP services running on a local machine, behind a NAT firewall, simply by tricking the victim into visiting a malicious website.
What is NAT slipstreaming? ›
Samy summarizes the attack in a single sentence: “NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.”
Is NAT done on router or firewall? ›
A Network Address Translation (NAT) firewall operates on a router to protect private networks. It works by only allowing internet traffic to pass through if a device on the private network requested it. A NAT firewall protects the identity of a network and doesn't show internal IP addresses to the internet.
Is NAT firewall good? ›
NAT helps conserve IP addresses by “splitting” one IP into many, giving unique IPs to devices on the same network. This way, NAT provides increased security and privacy by masking the device's IP address on public networks.
What is the benefit of slipstream? ›
This allows the following car to get closer to the lead car, and in turn pushes high-pressure air forward, which means less fast moving air will hit the lead cars spoiler. Ultimately this reduces drag for both cars and increases performance.
What is NAT bridge mode? ›
NAT mode is ideal if you want to keep your VM private and secure, or if you have limited IP addresses on your network. Bridge mode should be considered if you want to make your VM public and accessible, or if you need to run network-intensive applications or services.
Can a router do natting? ›
NAT stands for network address translation. It's a way to map multiple private addresses inside a local network to a public IP address before transferring the information onto the internet. Organizations that want multiple devices to employ a single IP address use NAT, as do most home routers.
What is the NAT rule on a router? ›
DNAT translates destination IP addresses, usually translating IP addresses of internal servers (such as the WWW server or SMTP server) protected by the device to public IP addresses. In the DNAT page, you can perform the following actions: From the Virtual Router drop-down menu, select the desired virtual router.
How do I know if my router is a NAT? ›
Go to www.whatismyip.com. If the IP it shows is different from the IP of your NIC, you're behind a NAT. If by NAT you mean any NAT including a WIFI router for example click the windows button, type cmd, click on command prompt, type in ipconfig and press enter, see what it says to the right of "IPv4 Address".
What is the disadvantage of using NAT? ›
One disadvantage of using NAT is related to network performance, particularly for real time protocols such as VoIP. NAT increases switching delays because the translation of each IPv4 address within the packet headers takes time. The first packet is always process-switched going through the slower path.
Applications like digital signatures do not work with NAT because the source address changes before reaching the host. Also applications that use physical addressing as opposed to qualified domain names do not reach the destination.
What is the best NAT type for router? ›
NAT type 3 is the strictest and the most secure NAT type. It restricts the data entering the network and is also the safest of the three. Strict NAT protects you from various attacks and is enabled by default in most routers.
What is NAT mode used for? ›
What Is NAT? NAT stands for network address translation. It's a way to map multiple private addresses inside a local network to a public IP address before transferring the information onto the internet. Organizations that want multiple devices to employ a single IP address use NAT, as do most home routers.
What is NAT in steam? ›
Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT (Generally Speaking) is to limit the number of public IP addresses.
What is the purpose of a NAT device? ›
NAT conserves IP addresses that are legally registered and prevents their depletion. Network address translation security. NAT offers the ability to access the internet with more security and privacy by hiding the device IP address from the public network, even when sending and receiving traffic.
What is the purpose of NAT sound? ›
Nat is short for natural and is the audio portion that accompanies your video clip. This audio plays a role in supporting the background of the piece. But more importantly, it's a powerful tool that can be used to drive home the key moments of your story.