Full Disclosure mailing list archives
Re: DNS and NAT (was: DNS and CheckPoint)
From: Thomas Cross <tcross () us ibm com>
Date: Mon, 14 Jul 2008 16:13:28 -0400
Huzeyfe ONAL wrote me to mention that he had tested OpenBSD's pf and found that it was assigning random ports for every new connection. Some references [1], [2] seem to confirm this. The interesting thing about this approach is that it may protect vulnerable DNS servers from attack if they are placed behind it.

Also, a coworker directed me to this really excellent Internet Draft on port randomization:

http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt

[1] http://www.openbsd.org/papers/asiabsdcon07-network_randomness/mgp00020.html
[2] http://www.openbsd.org/faq/pf/nat.html (note the mention of source port randomization)

"Riad S. Wahby" <rsw () jfet org>
07/10/2008 11:06 PM

To: Thomas Cross/Atlanta/IBM@IBMUS
cc: full-disclosure () lists grok org uk
Subject: Re: DNS and NAT (was: DNS and CheckPoint)

Thomas Cross <tcross () us ibm com> wrote:
> We've also been wondering whether NAT devices ought to randomly assign UDP source ports, although no NAT vendor that we're aware of has done this to date.
Some quick testing implies that ipchains MASQUERADE-based NAT doesn't suffer this problem because it preserves the source port. My test setup is as follows: call the computer inside the NAT Alice, and the computer outside Bob. Alice contacts Bob via Trent, a linux-based router, in my case a DLink DSL-2540B DSL modem / router combo.

On Alice, I run the following (source port kept above 1024 so that nc can bind it without root):

  ( for j in $(seq 1 100); do i=$((1024 + RANDOM)); /bin/echo -n "$i "; echo $i | nc -q 0 -vv -p $i -u <Bob> 5555; sleep 1; done ) &> foo.Alice

On Bob, I run

  ( while true; do nc -vv -l -u -p 5555 -q 0 </dev/null; done ) &> foo.Bob

At the end, I compare the actual source port in foo.Alice to the apparent source port in foo.Bob. In my setup, they are always identical.

Obviously it is impossible to guarantee that this will always be the case; in order to identify dangerous corner cases one would have to consult the ipchains code, but given the relative frailty of the randomized source port / randomized sequence number solution, for a small number of computers behind a NAT (e.g., home users) I claim that's a second-order danger at best. In a large production environment where there is a huge amount of NAT traffic being generated one would do well to consider a solution like Thomas's suggestion that the servers be moved outside the firewall.

-=rsw
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
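The Alice/Bob measurement from the quoted message, reworked as an added Python example (this is not code from the thread or from any of its participants). Alice sends each datagram from a fresh random source port and puts that port number in the payload; Bob records the port he actually observes. The classifier then tells the three cases apart that matter for a resolver behind the NAT: the NAT preserves the inside port (the resolver's own randomization survives on the wire), the NAT rewrites to consecutive ports (port entropy is lost and only the query ID remains to guess), or the NAT rewrites to unpredictable ports (the pf behaviour mentioned above). The loopback harness, the 95% / 90% thresholds and the two constructed sample sets for the rewrite cases are my assumptions; over loopback there is no NAT, so that run should always classify as "preserved".

```python
"""Classify a NAT's UDP source-port behaviour from the outside host's view.

Added example, not code from the thread.  Alice sends from a fresh random
source port and puts that port in the payload; Bob compares the payload
against the source port he actually sees.  Outcomes:
  preserved  - NAT keeps the inside port (resolver randomisation survives)
  sequential - NAT hands out consecutive ports (port entropy destroyed)
  random     - NAT picks unpredictable ports (pf-style rewrite)
Thresholds and the loopback harness are assumptions made for this example.
"""
import random
import socket
import threading


def classify_nat(pairs):
    """pairs: list of (port_claimed_by_sender, port_seen_by_receiver).

    Returns 'preserved', 'sequential' or 'random'.
    """
    if len(pairs) < 2:
        raise ValueError("need at least two samples")
    kept = sum(1 for claimed, seen in pairs if claimed == seen) / len(pairs)
    if kept >= 0.95:                      # assumption: tolerate a few misses
        return "preserved"
    seen = [s for _, s in pairs]
    deltas = [b - a for a, b in zip(seen, seen[1:])]
    # Consecutive allocation shows up as small positive steps; gaps of up to
    # 3 are allowed for other NAT'd flows grabbing a port in between.
    small_steps = sum(1 for d in deltas if 1 <= d <= 3) / len(deltas)
    return "sequential" if small_steps >= 0.9 else "random"


def run_loopback_experiment(n=50, lo=20000, hi=60000):
    """Alice and Bob on 127.0.0.1 with no NAT between them; returns pairs.

    Bob binds before Alice sends, so datagrams queue in his socket buffer
    even if his thread has not yet reached recvfrom().
    """
    bob = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    bob.bind(("127.0.0.1", 0))
    bob.settimeout(2.0)
    bob_addr = bob.getsockname()
    pairs = []

    def bob_loop():
        for _ in range(n):
            try:
                data, (_, port) = bob.recvfrom(64)
            except socket.timeout:
                break
            pairs.append((int(data), port))   # (claimed, observed)

    receiver = threading.Thread(target=bob_loop)
    receiver.start()
    for _ in range(n):
        alice = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        while True:                           # retry if the port is in use
            port = random.randint(lo, hi)
            try:
                alice.bind(("127.0.0.1", port))
                break
            except OSError:
                continue
        alice.sendto(str(port).encode(), bob_addr)
        alice.close()
    receiver.join()
    bob.close()
    return pairs


# Constructed samples standing in for the two NAT behaviours that cannot be
# reproduced over loopback: rewriting to consecutive ports, and rewriting to
# unpredictable ports (here a fixed stride modulo 20000, never a step of 1-3).
SEQUENTIAL_NAT = [(20000 + 7 * i, 1024 + i) for i in range(50)]
RANDOM_NAT = [(20000 + 7 * i, 40000 + (i * 7919) % 20000) for i in range(50)]


if __name__ == "__main__":
    print("loopback (no NAT):", classify_nat(run_loopback_experiment()))
    print("sequential rewrite:", classify_nat(SEQUENTIAL_NAT))
    print("random rewrite:", classify_nat(RANDOM_NAT))
```

To run this against a real NAT, run the Bob half on the outside host and the Alice half inside, exactly as in the nc version above, and feed the collected (claimed, observed) pairs to classify_nat(); a "sequential" verdict means the device is undoing whatever source-port randomization the resolver behind it performs.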
Current thread:
- DNS and NAT (was: DNS and CheckPoint) Thomas Cross (Jul 10)
- Re: DNS and NAT (was: DNS and CheckPoint) Riad S. Wahby (Jul 10)
- Re: DNS and NAT (was: DNS and CheckPoint) Thomas Cross (Jul 11)
- Re: DNS and NAT (was: DNS and CheckPoint) Valdis . Kletnieks (Jul 11)
- Re: DNS and NAT (was: DNS and CheckPoint) Riad S. Wahby (Jul 11)
- Re: DNS and NAT (was: DNS and CheckPoint) Marco Slaviero (Jul 16)
- Re: DNS and NAT (was: DNS and CheckPoint) Thomas Cross (Jul 11)
- Re: DNS and NAT (was: DNS and CheckPoint) Riad S. Wahby (Jul 10)
- Re: DNS and NAT (was: DNS and CheckPoint) Ryan McBride (Jul 16)
- <Possible follow-ups>
- Re: DNS and NAT (was: DNS and CheckPoint) Elazar Broad (Jul 11)
- Re: DNS and NAT (was: DNS and CheckPoint) Thomas Cross (Jul 14)