Re: How did they get past my NAT?

Maniaque wrote:

> - I do not have the firewall enabled on the router, because I assumed
> the NAT basically made it safe.

NAT doesn't make it safe.

> If it was routed through my router, how could the attacker have
> convinced the router to initiate the communication to my internal port
> 5900 on that particular machine???

Simply ask for it? Wait until it comes up?

> The safety of a NAT, as I understand it, is that remote hosts cannot
> access an internal address unless there is explicit port forwarding
> enabled, or the session is initiated by a host behind the NAT, is that
> not correct?

What about implicit forwarding, for example by protocol helper implementations?

> It is possible that the uTorrent client made a client connection using
> local port number 5900 (which was also being used by the VNC server),
> and the computer/remote host that the uTorrent client was connecting
> to took advantage of this situation to test / probe / attack the VNC
> server on that port?

No.

> I guess the questions are:
> - is it possible for a client TCP connection to be initiated by a
> local "client" program from a port that is already being used by a
> "server" program, like VNC server?

No, but using a protocol helper you can do this for a different port.

> - what are the chances, statistically speaking, that this would
> happen? Would it be worth a hacker's time to set up servers as
> bittorrent participants / seeds in the hopes that some client computer
> makes a connection using a special port (eg VNC), which could then
> allow the computer's VNC server to be probed / tested for the known
> VNC vulnerability? It's the only explanation that I can think of, but
> I just can't see how it would be worth a hacker's time!

Assuming that the timeout for the NAT table entries is five minutes, it could be a completely different source.

> I'm very much counting on the fact that only specific selected ports
> should be accessible from outside.

Then implement this concept.

> In theory, if any port on the desktop can be exposed, then my
> windows filesharing setup is just one of the things that would be
> vulnerable to brute-force attack.

Or DoS attacks.

> Is there anything else I can do to investigate this or help prevent
> future issues? Does anyone have any experience with the Xavi router or
> GlobespanVirata chipset that could help me get it set up to prevent
> this from happening again?

Maybe, but unless you know the implementation....
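As an added illustration of the two mechanisms the reply points at (a NAT table entry that outlives the connection that created it, so a later packet can arrive from a completely different source, and an implicit forward installed by a protocol helper), here is a small Python model of a NAT translation table. It is not code from the thread or from any router firmware; the IP addresses, the 300-second idle timeout, the port allocation range and every port number other than 5900 are constructed values, and the two filtering modes ("endpoint-independent", i.e. full cone, and "address-dependent") are the assumed behaviours being compared.

```python
"""Toy model of a NAT translation table (added illustration, not thread code).

Two behaviours are modelled: a mapping created by an outbound connection stays
usable until its idle timeout expires, and a protocol helper can install a
forward without any outbound packet.  Whether a foreign source gets through
depends on the NAT's filtering mode: "endpoint-independent" (full cone) admits
any source to a mapped port, "address-dependent" only admits peers the internal
host actually contacted.  All IPs, the 300-second timeout and the port numbers
other than 5900 are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
TIMEOUT_SECONDS = 300  # assumed five-minute idle timeout, as in the reply


@dataclass
class Mapping:
    internal: Endpoint          # (ip, port) behind the NAT
    external_port: int          # port allocated on the NAT's public side
    peers: Set[str] = field(default_factory=set)  # external IPs contacted
    last_seen: float = 0.0      # time of the last packet using this entry


class Nat:
    def __init__(self, filtering: str = "endpoint-independent",
                 timeout: float = TIMEOUT_SECONDS) -> None:
        if filtering not in ("endpoint-independent", "address-dependent"):
            raise ValueError("unknown filtering mode")
        self.filtering = filtering
        self.timeout = timeout
        self.table: Dict[int, Mapping] = {}   # external_port -> Mapping
        self._next_port = 40000               # constructed allocation range

    def _allocate(self, internal: Endpoint, now: float) -> Mapping:
        port = self._next_port
        self._next_port += 1
        m = Mapping(internal, port, set(), now)
        self.table[port] = m
        return m

    def outbound(self, internal: Endpoint, peer: Endpoint, now: float) -> int:
        """Internal host sends to peer: create or refresh its mapping."""
        for m in self.table.values():
            if m.internal == internal:
                break
        else:
            m = self._allocate(internal, now)
        m.peers.add(peer[0])
        m.last_seen = now
        return m.external_port

    def helper_forward(self, internal: Endpoint, now: float) -> int:
        """Implicit forward installed by a protocol helper (ALG) after it
        parsed a payload: no outbound packet and no known peer."""
        return self._allocate(internal, now).external_port

    def expire(self, now: float) -> None:
        """Drop entries that have been idle for longer than the timeout."""
        stale = [p for p, m in self.table.items() if now - m.last_seen > self.timeout]
        for p in stale:
            del self.table[p]

    def inbound(self, src: Endpoint, dst_port: int, now: float) -> Optional[Endpoint]:
        """Packet from src to the NAT's public dst_port: return the internal
        endpoint it is forwarded to, or None if the NAT drops it."""
        self.expire(now)
        m = self.table.get(dst_port)
        if m is None:
            return None                      # no mapping: dropped
        if self.filtering == "address-dependent" and src[0] not in m.peers:
            return None                      # unknown source: dropped
        m.last_seen = now                    # traffic keeps the entry alive
        return m.internal


def demo() -> Dict[str, Optional[Endpoint]]:
    """Walk through the scenario; returns what each probe was forwarded to."""
    inside = ("10.0.0.5", 6881)              # constructed: torrent client
    peer = ("198.51.100.7", 6881)            # constructed: a torrent peer
    stranger = ("203.0.113.9", 4444)         # constructed: unrelated host
    results: Dict[str, Optional[Endpoint]] = {}

    cone = Nat("endpoint-independent")
    port = cone.outbound(inside, peer, now=0)
    results["cone_peer"] = cone.inbound(peer, port, now=10)
    results["cone_stranger_in_time"] = cone.inbound(stranger, port, now=20)
    results["cone_stranger_after_timeout"] = cone.inbound(stranger, port, now=400)

    strict = Nat("address-dependent")
    port = strict.outbound(inside, peer, now=0)
    results["strict_stranger"] = strict.inbound(stranger, port, now=20)

    alg = Nat("endpoint-independent")
    port = alg.helper_forward(("10.0.0.5", 5900), now=0)   # VNC port from the thread
    results["helper_stranger"] = alg.inbound(stranger, port, now=5)
    return results


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name}: {'forwarded to ' + str(target) if target else 'dropped'}")
```

In the full-cone case the unrelated host reaches the internal port for as long as the entry is refreshed, and only the idle timeout closes the hole; the address-dependent mode is what "only specific selected ports should be accessible from outside" amounts to in practice, and a stateful firewall in front of the mapped ports gives the same effect on a router whose NAT implementation is not that strict.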


