Security gain from NAT (was: Re: Cool IPv6 Stuff)

Perry Lorier perry at
Tue Jun 5 12:54:28 UTC 2007

> The only ways into these machines would be if the NAT/PAT device were
> misconfigured, another machine on the secure network were compromised, or
> another gateway into the secure network was set up. Guess what? All of these
> things would defeat a stateful inspection firewall as well.
I disagree.  (All of the below is hypothetical, I haven't tested it, but 
I believe it to be true.)

Premise 1: The machines behind the firewall are actually on and 
functioning, and presumably may be even being used.

Premise 2: The OS's on the machines will periodically do *some* kind of 
traffic.  Some common examples might be ntp syncronisation, or DNS 
resolving of an update service for antivirus, OS patches, whatever.  The 
traffic may be provided by the user actually using the machine for 
whatever real users actually do.

Premise 3: Many NAPT's are of the "Cone" type.  This is desirable for 
end users as it allows their applications/devices to use their NAPT 
busting technologys (STUN, Teredo etc) without having to configure 
static port forwards.

Premise 4: The external port chosen for an outgoing protocol is easily 
guessed.  Many NAPT boxes will prefer to use the same port as the 
original host, or will assign port mappings sequentially a bit of 
research here would go a long way, presumably entire networks are likely 
to be using the same NAPT's in an ISP's provided CPE.

Thus, for example if you are running a single host behind a NAPT box 
that is doing regular NTP queries and I can guess the external port on 
the NAPT box which with a bit of research I suspect is trivial, I can 
send that port on your external IP a packet and it will be forwarded 
back to your machine.  This could easily lead to a compromise via a 
buffer overflow or other exploit.

This would primarily work for UDP based services that by design tend to 
be used over the Internet itself such as DNS, NTP, SIP etc.  It seems 
unlikely that this would work against TCP based services.  Exploits in 
ICMP could also be "tunneled" back through a NAPT box in a similar 
manner.  GRE/IPIP/IPv6/ESP/AH can probably use similar techniques to 
infect machines behind a NAPT box (Disclaimer I don't know those 
protocols very well, but on the flipside, I suspect that NAPT boxes 
don't know them very well either and do dumb things with them like 
forward all GRE packets to the one host inside your network that has 
ever spoken GRE).

Just because you've never seen someone exploit through a NAPT box 
doesn't mean it won't happen. 

More information about the NANOG mailing list