If your public IP from your ISP is 12.13.14.15, and your internal block is 192.168.0.0/24, then your ISP can send a packet to 12.13.14.15 destined for 192.168.0.7, and without a firewall your router will happily forward it. An attacker who can convince intervening routers to send traffic destined for 192.168.0.7 to 12.13.14.15 (and these attacks do exist, particularly over UDP) can also do that.
You're using somewhat sloppy terminology that will confuse things. An IP packet can't be addressed both to 12.13.14.15 AND to 192.168.0.7.
The realistic attack here is that your ISP sends a packet with destination address 192.168.0.7 to the MAC of your router (the MAC that corresponds to 12.13.14.15). This is a realistic attack scenario if the device that your router connects directly to gets compromised (either by an attacker or by the ISP itself).
Getting a public route that would take packets destined for 192.168.0.7 to reach your router over the Internet is far more unlikely.
True, the frame is addressed to the router's hw interface but I'm talking to people who think NAT drops traffic so I figured keep it simple
But, yes, the ISP (or whoever has compromised/suborned/social engineered the ISP) is absolutely the main worry here and I don't understand how people are dismissing that so easily
Okay, so not only do you have to create a bogus packet, you have to convince every piece of equipment in between you and the end user to collude with it, in the hopes that the final router is so woefully misconfigured as to act upon it?
The ISP is the primary threat vector here (do you trust yours? Along with their contractors and anyone who might have compromised them?). But like I said route-poisoning attacks do exist.
No, the router will only forward it with specific implementations that don’t isolate routing tables between the external and internal. Or an easier approach is just a stateless ACL on the external interface. Neither are a stateful firewall.
Send packets to the device? A NAT is in it's most basic form a mapping from one IP/port set to another IP/port set describable by some function "f" and its inverse "g". The common home user case has the firewall detect a flow from inside the network and modify "f" and "g" to allow this flow. Without the firewall, and assuming you want your devices to talk to the internet in some way, the NAT would forward (with modifications) traffic based on "f" and "g" to all your devices.
If your public IP from your ISP is 12.13.14.15, and your internal block is 192.168.0.0/24, then your ISP can send a packet to 12.13.14.15 destined for 192.168.0.7, and without a firewall your router will happily forward it. An attacker who can convince intervening routers to send traffic destined for 192.168.0.7 to 12.13.14.15 (and these attacks do exist, particularly over UDP) can also do that.
You're using somewhat sloppy terminology that will confuse things. An IP packet can't be addressed both to 12.13.14.15 AND to 192.168.0.7.
The realistic attack here is that your ISP sends a packet with destination address 192.168.0.7 to the MAC of your router (the MAC that corresponds to 12.13.14.15). This is a realistic attack scenario if the device that your router connects directly to gets compromised (either by an attacker or by the ISP itself).
Getting a public route that would take packets destined for 192.168.0.7 to reach your router over the Internet is far more unlikely.
True, the frame is addressed to the router's hw interface but I'm talking to people who think NAT drops traffic so I figured keep it simple
But, yes, the ISP (or whoever has compromised/suborned/social engineered the ISP) is absolutely the main worry here and I don't understand how people are dismissing that so easily
1 reply →
Okay, so not only do you have to create a bogus packet, you have to convince every piece of equipment in between you and the end user to collude with it, in the hopes that the final router is so woefully misconfigured as to act upon it?
The ISP is the primary threat vector here (do you trust yours? Along with their contractors and anyone who might have compromised them?). But like I said route-poisoning attacks do exist.
22 replies →
No, the router will only forward it with specific implementations that don’t isolate routing tables between the external and internal. Or an easier approach is just a stateless ACL on the external interface. Neither are a stateful firewall.
Send packets to the device? A NAT is in it's most basic form a mapping from one IP/port set to another IP/port set describable by some function "f" and its inverse "g". The common home user case has the firewall detect a flow from inside the network and modify "f" and "g" to allow this flow. Without the firewall, and assuming you want your devices to talk to the internet in some way, the NAT would forward (with modifications) traffic based on "f" and "g" to all your devices.