Comment by jmgao

2 years ago

Back in the days of Blaster, if you were connected to a network with infected machines or had a public IP address because you were connected straight into your cable modem, you would get infected in the Windows installer before it finished installing. Nowadays, everything is behind NAT and there aren't any infected Windows XP machines left on your local network, so that's not a problem anymore.

For some reason whenever somebody suggests that NAT might have security benefits, there is usually some hysterical screeching about how that isn't true. Often seen in IPv6 discussions.

  • > For some reason whenever somebody suggests that NAT might have security benefits, there is usually some hysterical screeching about how that isn't true.

    It is not the address translation mechanism that does the protecting but rather the state tracking.

    Until very recently I was with an ISP with IPv6, and things like my home printer had IPv6 addresses—but just because they were globally addressable did not mean that they were globally reachable.

  • Because it's unnecessary to get the same benefit. Being behind a firewall would have the same effect (and any ipv6 deployment will have this), it's just that NAT requires this. It's like saying eating a spoonful of cinnamon has health benefits because it hydrates you when you have to drink a glass of water afterwards: you could just drink the water.

    • I don't quite understand what you mean by "any ipv6 deployment will have this". When my ISP switched to IPv6, my internal devices were exposed to the internet and the only thing that stopped the incredible amount of bot traffic was my own on-device firewall that I explicitly turned on and configured. Luckily I don't have any smarthome stuff, not sure how I'd configure a firewall on a lightbulb. These devices didn't have a public IPv4 before that. And a bonus - the ISP didn't say anything about this possible consequence, just "we're making some changes".

      NAT has more benefits - I don't want anyone to know how many devices I have at home, I don't want anyone to know which one I'm using to access their website, I don't want anyone to try to guess the OS and version of my devices, etc. And now I'm scared to have a simple DLNA media server because I can't just install WireGuard on the TV. I'm probably going to buy a router and make my own NAT soon (don't have access into the ISP modem).

      I felt better when the whole municipality had a single IP address. A lot of bullshit ads - means the targeting wasn't working. Now they're way too good.

    • This looks like the usual ipv6 kool aid batshit. I don't want a bunch of kids and enemy states poking at and port scanning my laptop directly, regardless of whether or not I have a firewall enabled.

      And, no, I don't think it's practical for everyone and their grandma to "just set up a bastion".

  • I think the usual security objection is that if the NAT router receives a packet from the outside, with its destination set to a local address, the router will just let it through, in the absence of a firewall.

    But as far as I can tell, that's only relevant for an attacker who can MITM the connection between the local router and the next ISP router, since clearly the ISP wouldn't know who to forward the local address to. I'd think it isn't within the threat model of the "typical internet user" who'd be running such a poorly-configured network.

  • Isn't NAT slipstreaming a "real" vector?

    https://samy.pl/slipstream/

    • NAT slipstreaming only works if your router allows protocols like SIP, FTP, WebRTC, and other such protocols that NAT breaks, luckily.

      Unfortunately, I'm pretty sure that's all routers I've ever seen. You can protect yourself if you're willing to break web applications and applications built on web technology. Just disable all of the SIP ALGs in your router and you'll have the security of IPv6 on IPv4!

  • Because it's really important to know the difference between NAT and a firewall if you are into networks. And IPv6 discussions generally involve such people. In this case it's nothing to do with NAT and everything to do with being behind a firewall.
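To make the two points above concrete (it is the state tracking that protects, and a packet addressed directly to an inside address never touches the translation step), here is a toy model of a home router with NAT and an optional stateful forward filter. It is an added example written for this page, not code from any commenter; the addresses and ports are constructed from documentation ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

LAN_PREFIX = "192.168.1."      # constructed inside network
WAN_IP = "203.0.113.7"         # constructed public address of the router

class Router:
    """Toy home router: NAT on the public side, optional stateful forward filter."""

    def __init__(self, stateful_filter: bool):
        self.stateful_filter = stateful_filter
        self.nat = {}          # public port -> (inside ip, inside port)
        self.flows = set()     # (inside ip, inside port, remote ip, remote port)
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        """Inside -> Internet: record connection state and translate the source."""
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        port, self.next_port = self.next_port, self.next_port + 1
        self.nat[port] = (p.src, p.sport)
        return Packet(WAN_IP, port, p.dst, p.dport)

    def inbound(self, p: Packet):
        """Internet -> inside: return the delivered packet, or None if dropped."""
        if p.dst == WAN_IP:
            # A reverse translation only exists for ports an inside host opened,
            # so an unsolicited probe of the public address has nowhere to go.
            if p.dport not in self.nat:
                return None
            ip, port = self.nat[p.dport]
            return Packet(p.src, p.sport, ip, port)
        if p.dst.startswith(LAN_PREFIX):
            # Addressed straight to an inside host: the case of a private
            # destination arriving from the upstream hop, and the everyday case
            # on IPv6 where nothing is translated. Only state tracking helps here.
            if not self.stateful_filter:
                return p                      # plain routing forwards it
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                return p                      # reply to an inside-initiated flow
            return None                       # unsolicited inbound: dropped
        return None                           # not for this router
```

With `stateful_filter=False` the router still drops probes of its public address (the incidental protection NAT gives) but forwards anything addressed to an inside host; with `stateful_filter=True` only replies to flows the inside opened get through, which is exactly what an IPv6 router without NAT needs.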

Herd immunity, huh?

  • More that NAT forces your network gear to filter inbound connections from the outside internet by default. This works with one device behind one router as well as with a billion devices behind a billion routers.

>Nowadays, everything is behind NAT and there aren't any infected Windows XP machines

All end-user PCs have been behind NAT since the late 90s unless the system was a dialup straggler. Enterprise users raw-dogging the internet only have themselves to blame.

  • I'm afraid this is factually wrong, my computer had a public IP until the early 2010s as around these days modems were just modems and not routers too.

    And with IPv6 all my devices could be publicly addressed but I've enabled a firewall to block incoming traffic at the router level.

    • >my computer had a public IP until the early 2010s as around these days modems were just modems and not routers too.

      You realize that wasn't the norm though, right?

  • Even discounting dial-up, this really depends on where you are in the world at the time. PPPoE and direct hookup (via the cable/ADSL modem) are still relatively common where I was at the time that Blaster was roaming around, while some countries have forced CGNAT even before CGNAT became a common word, usually for "protecting the children" like Cleanfeed (and even discounting that, even at the time you could still get IPv4 effortlessly there had been, and certainly there are still, crappy ISPs which don't really care about direct connections).

  • This is absolutely false. This only became common when wireless networking became ubiquitous, which wasn't until probably a decade later.

    • When I got my first broadband Internet connection my contract explicitly prohibited me from using NAT. Apparently my Internet provider was concerned I would use NAT to connect multiple computers thus “stealing” bandwidth. This concern was not completely unfounded since people sometimes would set up one connection and share it with neighboring apartments. Also having one computer per household was normal back then.
