Comment by tsimionescu

1 month ago

And if you have only the first line, what will happen if someone sends a request to the NAT's external IP on some random port?

Without at least some filtering a Gateway NAT appliance is vulnerable to:

* LAN IP address spoofing from the WAN

* Potential for misconfigured "internal" daemons to accept WAN traffic (listening on 0.0.0.0 instead of the LAN or localhost)

* Reflection amplification attacks

  • LAN IP address spoofing is indeed a valid attack vector, if the ISP is compromised.

    Internal daemons on machines other than the router itself in the LAN network listening on 0.0.0.0 are not insecure (unless you have the problem from point 1, malicious/compromised ISP). The router won't route packets with IPs that are not in its LAN to them. Of course, the router itself could be compromised if it accidentally listens on 0.0.0.0 and accepts malicious packets.

    Not sure what you mean by reflection amplification attacks, but unless they are attacking the router itself, or they are arriving on WAN with LAN IPs (again, compromised/malicious ISP), I don't see how they would reach LAN machines.

    • You do not need a compromised ISP for spoofed LAN IP traffic; the attack could come from other clients on the same WAN segment.

Whichever machine has the NAT's external IP assigned to it will accept or refuse the connection, depending on whether they have a server running on that port or not.

  • The machine that has the NAT's external IP assigned to it is, well, the NAT, by definition. So you admit that the NAT box will act almost exactly like a connection tracking firewall, even if only NAT is enabled.

    • No, I'm not going to "admit" that, because I know full well that it won't.

      It's not like I'm sat here thinking "I know it does block traffic, but I'm going to lie to everyone that it won't". NAT in fact, actually, really and honestly, doesn't block traffic, and I think I've been pretty consistent in saying as much.

      2 replies →
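To make tsimionescu's question and the list of NAT-only risks above concrete, here is an added Python model of a gateway (example code, not from anyone in this thread): a masquerade table with and without a WAN-side filter. The topology, addresses and the hypothetical `Gateway` class are constructed for the example; it shows that the NAT step alone never drops anything, while the filter step is what blocks spoofed LAN addresses and unsolicited inbound traffic.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (documentation address ranges).
LAN = ip_network("192.168.1.0/24")
ROUTER_LAN_IP = ip_address("192.168.1.1")
WAN_IP = ip_address("203.0.113.7")          # the router's external address


class Gateway:
    """Minimal model of a NAT router: a masquerade table plus an optional WAN filter."""

    def __init__(self, filtering: bool):
        self.filtering = filtering
        self.nat = {}            # (wan_port, proto) -> (lan_ip, lan_port)
        self.next_port = 40000   # next masquerade port to hand out

    def outbound(self, src, sport, proto):
        """A LAN host opens a connection: allocate a masquerade mapping, return the WAN port."""
        port = self.next_port
        self.nat[(port, proto)] = (ip_address(src), sport)
        self.next_port += 1
        return port

    def inbound_from_wan(self, src, dst, dport, proto):
        """Decide what happens to a packet arriving on the WAN interface."""
        src, dst = ip_address(src), ip_address(dst)
        # Filter step: this is what a NAT-only box does not have.
        if self.filtering:
            if src in LAN or dst in LAN:           # LAN addresses must never appear on the WAN
                return "DROP (anti-spoof)"
            if (dport, proto) not in self.nat:     # no tracked connection: default deny
                return "DROP (unsolicited)"
        # NAT step: rewrite the destination if a mapping exists.
        if dst == WAN_IP and (dport, proto) in self.nat:
            lan_ip, lan_port = self.nat[(dport, proto)]
            return f"FORWARD {lan_ip}:{lan_port}"
        # No mapping: plain routing decision, nothing is blocked here.
        if dst in (WAN_IP, ROUTER_LAN_IP):
            return "LOCAL"                         # handed to the router's own daemons
        if dst in LAN:
            return f"FORWARD {dst}:{dport}"        # routed into the LAN untranslated
        return "ROUTE-WAN"
```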