Re: NAT router inbound network traffic subversion

[Joe <joe () jretrading com>]

In message <1106892739.9371.26.camel@localhost.localdomain>, Kristian 
Hermansen <khermansen () ht-technology com> writes
> I have Googled around and asked a highly-respected Professor at my
> University whether it is possible to direct packets behind a NAT router
> without the internal 192.168.x.x clients first requesting a connection
> to the specific host outside.  The answer I received is "not possible".
> I also asked if this can be thought of as a security feature, to which
> the reply was again "yes".

Yes. But see later.
> Now, I wouldn't place all my bets on his answer and I am calling on
> someone out there to clear up my question.  If NAT really does only
> allow inbound connections with a preliminary request as he suggests, it
> seems that the only way to get an "unauthorized" packet behind the
> router is by some flaw in the firmware of the device.

If you are not offering any services to the Internet, yes. If you are, 
then you have ports open on the router, redirecting to real machines, 
which may be running software which can be exploited. This is how worms 
spread. the home user is unlikely to be hit by a worm, unless they are 
running a Windows NT-derived operating system, such as XP, without a 
firewall and/or NAT device. Commercial installations such as web servers 
are the main targets for worms.
> How about if the client has requested a connection to Google.com from
> behind his Linksys home NAT router: would it be possible for an outside
> attacker to spoof packets from Google's IP to get packets into the
> network?  Or do we need to know the sequence numbers as well?  Or is
> there an even more devious way to get packets on the inside without a
> client's initiative?

Google for "man in the middle" attack.
> Has there been any research into this?  Are there statistics on worm
> propagation and exploited network hosts in relation to those individuals
> that did not own routers (and instead connected directly to their
> modem)?  If *all* home users on the Internet had NAT routers during the
> summer of 2003, would we have significantly slowed the spread of
> Blaster?  I believe these all to be very important questions and the
> security aspects of the ability to route packets behind NAT really
> interests me...maybe some of you can elaborate :-)

Worms are not usually an issue for home users, except when someone sells 
an operating system with ports open to the Internet by default. XP 
pre-service pack 2 is such an operating system. Its users were duly 
hammered by worms, and would not have been if they used the built-in 
firewall, which was not enabled by default. I'm not sure how much a NAT 
device would have helped on its own. Modern versions of Windows are 
extremely talkative, and it may well have invited the bad guys in of its 
own accord. But widespread use of the firewall would have stopped it.

More troublesome for home users are viruses spread by email, which 
initiate connections through the firewall, router or other device from 
the inside. The security device cannot generally tell whether the user 
or a virus has made the request, though third-part 'personal' firewalls, 
running on the user's workstation, are becoming quite good at this.

I don't think Internet Explorer currently runs any code in an incoming 
email automatically, as it once did, but it's not hard to persuade many 
users to click on a button and run the virus themselves. Most viruses 
are now also worms, they will attempt to spread both by email and by 
direct contact with unprotected machines.
--
Joe
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html