Re: How did they get behind my NAT?
- From: Maniaque <maniaque27@xxxxxxxxx>
- Date: Thu, 11 Oct 2007 11:57:00 -0700
Thanks for all your help Leythos!
The double NAT setup makes sense, I did not understand that you meant
using the first NAT as DMZ.
I am familiar with Microsoft's Baseline security checklists, multi-layer
security, etc - I'm just more concerned with having a solid
first layer for this simple home-hosting situation, and keeping all my
"convenience" functionality (eg VNC service hidden from public access,
rather than disabled) around. I don't have a machine to spare as my
web server, so until I get truly fried I'll soldier on... :)
I'm pretty sure I found the attack vector in the end, it turned out to
be neither downloaded malware nor a compromised service (although I am
aware that both remain a possibility):
Michael Ziegler helped me find the issue on a thread I badly cross-posted
on alt.comp.networking.connectivity:
http://groups.google.com/group/alt.comp.networking.connectivity/browse_thread/thread/8c6a972156a51e0d/#
My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
wrong above) has an Active FTP "NAT Helper" which allows any program
with TCP-connection-creation privileges on any of my computers to
open an incoming port to this machine from a target site on the
internet. Java Applets, by default, have this functionality enabled.
You can test for this "feature" or "flaw" at the following site:
http://bedatec.dyndns.org/ftpnat/dotest_en.html
On the day this happened, I was browsing on at least a couple of sites
that could well have had "harmful content", probably including a java
applet that opened up my port to the attacking site by using the FTP
NAT helper trick. My VNC server was a flawed version which (I tested
that) allowed certain well-crafted incoming connections to bypass
authentication.
Now - at this point I have no proof that that was the course of
events, but "Occam's razor" and all that, it is definitely the
simplest explanation that fits all the facts. I will definitely do a
more thorough malware check on my machine and I will implement a
solution that allows me to forward the ports I want without the NAT
Helper flaw, but in the meantime I will sleep much better knowing that
chances are 95% that I at least know exactly what the problem was. And
at the same time I learned a lot about what NAT is and isn't!
Thanks for all your help!
Tao
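As an added illustration (not part of the original post, and not the Xavi router's actual code): a small Python model of an FTP "NAT helper" deciding whether a PORT command seen on an outbound connection should open an inbound pinhole. The naive policy mirrors the behaviour described above; the hardened policy, the LAN range 192.168.1.0/24 and the sensitive-port list are assumptions chosen to show what a safer helper would check.

```python
# Toy FTP ALG ("NAT helper") decision logic, constructed for illustration.
import re
from ipaddress import ip_address, ip_network

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

# Constructed deny-list: services where an attacker-chosen pinhole hurts most
# on a home LAN (SSH, Telnet, Windows RPC, NetBIOS, SMB, RDP, VNC).
SENSITIVE_PORTS = {22, 23, 135, 139, 445, 3389, 5900}

def parse_port_command(line):
    """Return (host, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def naive_alg(client_ip, dst_port, line):
    """The flawed helper: any parsable PORT on any connection opens a pinhole
    to whatever host:port the command names. Returns the pinhole or None."""
    return parse_port_command(line)

def hardened_alg(client_ip, dst_port, line, lan=ip_network("192.168.1.0/24")):
    """Assumed safer policy: only on a real control channel (TCP/21), only for
    the host that sent the command, only to an ephemeral, non-service port."""
    parsed = parse_port_command(line)
    if parsed is None or dst_port != 21:
        return None
    host, port = parsed
    if host != client_ip or ip_address(host) not in lan:
        return None  # no redirecting the pinhole to another LAN host
    if port < 1024 or port in SENSITIVE_PORTS:
        return None  # data ports must be ephemeral, never VNC/RDP/SMB etc.
    return host, port

if __name__ == "__main__":
    # Constructed sample: a LAN host asks the helper to expose TCP/5900 (VNC).
    cmd = "PORT 192,168,1,10,23,12"
    print("naive   :", naive_alg("192.168.1.10", 21, cmd))     # pinhole opened
    print("hardened:", hardened_alg("192.168.1.10", 21, cmd))  # refused
```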