Re: [Full-disclosure] DNS and NAT (was: DNS and CheckPoint)



Thomas Cross <tcross@xxxxxxxxxx> wrote:
We've also been wondering whether NAT devices ought to randomly assign
UDP source ports, although no NAT vendor that we're aware of has done
this to date.

Some quick testing implies that ipchains MASQUERADE-based NAT doesn't
suffer this problem because it preserves the source port.

My test setup is as follows: call the computer inside the NAT Alice, and
the computer outside Bob. Alice contacts Bob via Trent, a linux-based
router, in my case a DLink DSL-2540B DSL modem / router combo. On
Alice, I run the following:

( for j in $(seq 1 100); do i=$RANDOM; /bin/echo -n "$i "; echo $i | nc -q 0 -vv -p $i -u <Bob> 5555; sleep 1; done ) &> foo.Alice

On Bob, I run

( while true; do nc -vv -l -u -p 5555 -q 0 </dev/null; done ) &> foo.Bob

At the end, I compare the actual source port in foo.Alice to the
apparent source port in foo.Bob. In my setup, they are always
identical.

Obviously it is impossible to guarantee that this will always be the
case; in order to identify dangerous corner cases one would have to
consult the ipchains code, but given the relative frailty of the
randomized source port / randomized sequence number solution, for a
small number of computers behind a NAT (e.g., home users) I claim that's
a second-order danger at best.

In a large production environment where there is a huge amount of NAT
traffic being generated one would do well to consider a solution like
Thomas's suggestion that the servers be moved outside the firewall.

-=rsw

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
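The measurement rsw describes above, written out as a self-contained script (an added example, not code from the post or from any NAT vendor): the Alice side binds a UDP socket to a randomly chosen source port and sends that port number as the payload; the Bob side listens on the post's port 5555 and compares the port claimed in the payload with the source port recvfrom() actually sees. The summary also reports, when the NAT did rewrite ports, whether the rewritten ports come out strictly sequential, which is the case a defender worried about source-port predictability most wants to catch. The 10000-59999 source-port range, the "port number as text" payload convention and the 5-second receive timeout are assumptions of this example.

```python
#!/usr/bin/env python3
"""Check whether a NAT preserves UDP source ports (added example, not from the post).

Alice:  python3 natport.py send <Bob-address>
Bob:    python3 natport.py recv
"""
import random
import socket
import sys
from typing import Dict, List, Optional, Tuple

PROBE_PORT = 5555                 # listening port used in the post
PROBES = 100                      # one datagram per randomly chosen source port
EPHEMERAL = range(10000, 60000)   # assumption: unprivileged source-port range


def parse_payload(data: bytes) -> Optional[int]:
    """Return the source port Alice claims in the datagram, or None if malformed."""
    try:
        port = int(data.decode("ascii").strip())
    except (UnicodeDecodeError, ValueError):
        return None
    return port if 0 < port < 65536 else None


def send_probes(bob_host: str, count: int = PROBES,
                probe_port: int = PROBE_PORT) -> List[int]:
    """Alice: bind to a random source port, send it as text, remember what was sent."""
    chosen: List[int] = []
    for _ in range(count):
        port = random.choice(EPHEMERAL)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            try:
                s.bind(("", port))
            except OSError:
                continue            # port busy locally; skip rather than mis-record
            s.sendto(f"{port}\n".encode("ascii"), (bob_host, probe_port))
            chosen.append(port)
    return chosen


def receive_probes(count: int = PROBES, probe_port: int = PROBE_PORT,
                   timeout: float = 5.0) -> List[Tuple[int, int]]:
    """Bob: collect (claimed_port, observed_port) pairs until count or timeout."""
    pairs: List[Tuple[int, int]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", probe_port))
        s.settimeout(timeout)
        while len(pairs) < count:
            try:
                data, (_, observed) = s.recvfrom(64)
            except socket.timeout:
                break
            claimed = parse_payload(data)
            if claimed is None:
                continue            # stray datagram, not one of Alice's probes
            pairs.append((claimed, observed))
    return pairs


def summarize(pairs: List[Tuple[int, int]]) -> Dict[str, object]:
    """How many ports survived the NAT unchanged, and if rewritten, were they sequential?"""
    preserved = sum(1 for claimed, observed in pairs if claimed == observed)
    rewritten = [observed for claimed, observed in pairs if claimed != observed]
    # Strictly consecutive rewritten ports mean the NAT hands them out in order,
    # i.e. the client's randomization is undone by a predictable allocator.
    sequential = len(rewritten) >= 2 and all(
        later - earlier == 1 for earlier, later in zip(rewritten, rewritten[1:]))
    return {"total": len(pairs), "preserved": preserved,
            "rewritten": len(rewritten), "sequential_rewrite": sequential}


def main(argv: List[str]) -> int:
    if len(argv) >= 3 and argv[1] == "send":
        print("sent from source ports:", send_probes(argv[2]))
    elif len(argv) >= 2 and argv[1] == "recv":
        print(summarize(receive_probes()))
    else:
        print(__doc__)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the recv side on Bob first, then the send side on Alice; a result with preserved equal to total reproduces rsw's observation, while a non-zero rewritten count with sequential_rewrite true is the case where the NAT has replaced the resolver's random ports with predictable ones.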


