[Full-disclosure] Circumventing NAT via UDP hole punching.



A new write up at InfoSec Institute on circumventing NAT. The process works
in the following way. We assume that both the systems A and B know the IP
address of C.



a) Both A and B send UDP packets to the host C. As the packets pass through
their NAT's, the NAT's rewrite the source IP address to its globally
reachable IP address. It may also rewrite the source port number, in which
case UDP hole punching would be almost impossible.



b) C notes the IP address and port of the incoming requests from A and B.
Let the port number for A equal X and the port number for B equal Y.



c) C then tells A to send UDP packet to the global IP address of the NAT for
B at port Y, and similarly tells B to send UDP packet to the global IP
address of the NAT for A at port X.



d) The first packets for both A and B get rejected while entering into each
other's NAT's. However as the packet passes from the NAT of A to the NAT of
B at port Y, NAT A makes note of it and hence punches a hole in its firewall
to allow incoming packets from the IP address of the NAT of B, from port Y.
The same happens with the NAT of B and it makes a rule to allow incoming
packets from the IP address of the NAT of A from port X.



e) Now when A and B send packets to each other, these get accepted and hence
a P2P connection is established.



http://resources.infosecinstitute.com/udp-hole-punching/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] Circumventing NAT via UDP hole punching.
    ... As the packets pass through their NAT's, the NAT's rewrite the source IP address to its globally reachable IP address. ... It may also rewrite the source port number, in which case UDP hole punching would be almost impossible. ... C then tells A to send UDP packet to the global IP address of the NAT for B at port Y, and similarly tells B to send UDP packet to the global IP address of the NAT for A at port X. ...
    (Full-Disclosure)
  • Re: ISPs can easily decrease net abuse
    ... |use NAT with forwarding? ... When one of the inside systems wants to go out, the NAT device has to ... address to as it sends out the packets. ... Suppose the NAT box allocates port ...
    (comp.security.misc)
  • Re: How did they get past my NAT?
    ... network), I get no response, because there is no "Default host" set up ... behind my NAT, and no port forwarding for that port - if an explicit ... as I understand?), and not forwarded on the router, so there should be ...
    (comp.security.firewalls)
  • Re: firewall test and NAT
    ... off Internet address is 192.168.0.xxx. ... Port probes are looking for any open Port, and if they don't find one, they move on to the next possible victim without ever responding with an ACK to the Server. ... SRC is my NAT router on my 1st Ethernet port ...
    (microsoft.public.windowsxp.general)
  • Re: Processs PreciseMail AntiSpam Gateway - any experience so far ?
    ... Client sending system ... >> ISP using dynamic NAT with port overloading. ... >> 10.11.12.1 is the clients real address and it opens a connection from its port ...
    (comp.os.vms)