Velocity Reviews (http://www.velocityreviews.com/forums/index.php) - Computer Security

Re: How did they get past my NAT? (http://www.velocityreviews.com/forums/t543520-re-how-did-they-get-past-my-nat.html)

Leythos 10-11-2007 10:31 AM

Re: How did they get past my NAT?
 
In article <1192088852.392958.21220@r29g2000hsg.googlegroups.com>,
maniaque27@gmail.com says...
> I would need to set up a
> second router/firewall/NAT device like a linksys wrt54G to sit behind
> the telecoms-operator-provided Xavi router, forward the appropriate
> ports through both devices, and make sure that the firewall is turned
> on on the wrt54g? I can only assume that what was "missing" in my
> original setup was a firewall (which my adsl router claims to have,
> but when I turn it on all the port forwarding stops working, which
> sort of defeats the purpose). Or do you have any other suggestions on
> how this can be done using home equipment?


A NAT is not a firewall at all, it's basic routing - most non-technical
types call NAT routers firewalls; they are not.

A WRT54G is not a firewall, it's a NAT router. NAT blocks "unsolicited"
inbound traffic, that's all.

No, port forwarding is what your problem is - if you forward ports then
you expose your computer/network and that's how people reach your
computer to do things you don't want.

You should learn to post in one group or to cross post so that your
thread is easy to work with for multiple groups that you've done this
in.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Maniaque 10-11-2007 04:31 PM

Re: How did they get past my NAT?
 
On Oct 11, 6:31 am, Leythos <v...@nowhere.lan> wrote:
> In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> maniaqu...@gmail.com says...
>
>
> A NAT is not a firewall at all, it's basic routing - Most non-technical
> types call NAT Routers firewalls, they are not.


That I understand, but I'm always a little confused about what the
difference exactly is... a firewall is a device that only allows
connections that you want to allow - a NAT is a device that allows
outgoing connections arbitrarily, but normally (or only sometimes? see
the STUN information Chris mentioned) prevents arbitrary incoming
connections. Most home routers additionally claim to have a "firewall"
function that you can turn on / off (including the WRT54G) - when do
you decide what is and what is not a firewall? I really would like to
know, it's something that's puzzled me for years. Some things are
clearly not a firewall at all, like a "full-cone" NAT router. Some
things are clearly a firewall first, and anything else after, like one
of those Cisco devices. But aren't most home routers somewhere
in-between?

>
> a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> inbound traffic, that's all.


Not true. The WRT54G can block outgoing connections based on any
number of specified parameters, and then it has all those extra fancy
features that I don't understand ;)

Firewall Protection: Enable / Disable
Additional Filters:
- Filter Proxy
- Filter Cookies
- Filter Java Applets
- Filter ActiveX
- Block Portscans
- Filter P2P Applications
- Block WAN Requests
- Block Anonymous Internet Requests
- Filter Multicast
- Filter Internet NAT Redirection
- Filter IDENT (Port 113)

>
> No, port forwarding is what your problem is - if you forward ports then
> you expose your computer/network and that's how people reach your
> computer to do things you don't want.
>


Only if they get past the intended security of the service in
question, right?

> You should learn to post in one group or to cross post so that your
> thread is easy to work with for multiple groups that you've done this
> in.
>


Yep, thanks.

Tao



Leythos 10-11-2007 06:39 PM

Re: How did they get past my NAT?
 
In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
maniaque27@gmail.com says...
> not true. the WRT54G can block outgoing connections based on any
> number of specified parameters, and then it has all those extra fancy
> features that I don't understand ;)


It's a NAT device that can block outbound ports - it has no clue what
those ports are and doesn't know the difference between HTTP and SMTP
except that they use different ports.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

Maniaque 10-11-2007 06:43 PM

Re: How did they get past my NAT?
 
Really quick update - Michael Ziegler helped me find the issue on a
thread I badly cross-posted on alt.comp.networking.connectivity:
http://groups.google.com/group/alt.c...972156a51e0d/#

My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
wrong above) has an Active FTP "NAT Helper" which allows any program
with TCP-connection-creation privileges on any of my computers to
open an incoming port to this machine from a target site on the
internet. Java applets, by default, have this functionality enabled.
You can test for this "feature" or "flaw" at the following site:
http://bedatec.dyndns.org/ftpnat/dotest_en.html

On the day this happened, I was browsing on at least a couple of sites
that could well have had "harmful content", probably including a java
applet that opened up my port to the attacking site by using the FTP
NAT helper trick. My VNC server was a flawed version which (I tested
that) allowed certain well-crafted incoming connections to bypass
authentication.

Now - at this point I have no proof that that was the course of
events, but "Occam's razor" and all that, it is definitely the
simplest explanation that fits all the facts. I will definitely do a
more thorough malware check on my machine and I will implement a
solution that allows me to forward the ports I want without the NAT
Helper flaw, but in the meantime I will sleep much better knowing that
chances are 95% that I at least know exactly what the problem was.

Thanks for all your help!
Tao
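To make the NAT helper behaviour in the post above concrete, here is an added example (not code from the thread or from any router vendor) that models what such a helper does: it reads the PORT command on the outbound FTP control channel and opens an inbound pinhole to whatever address and port that command advertises. The audit function flags the PORT commands a defender would not want honoured; the sample command lines, the sender address and the choice of 5900 as the VNC port are constructed assumptions.

```python
import re

# Constructed model of the FTP "NAT helper" described in the post: the helper
# trusts the PORT command it sees on the control channel and opens an inbound
# pinhole to the advertised (ip, port). The audit below flags commands that
# should not be honoured. Port 5900 stands in for the VNC server in the post.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
EPHEMERAL_MIN = 1024          # assumption: a real FTP client uses a high port

def parse_port_command(line):
    """Return (ip, port) advertised by a PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def audit_port_command(sender_ip, line, sensitive_ports=frozenset({5900})):
    """Classify one PORT command sent by sender_ip: return (pinhole, reason).
    pinhole is the (ip, port) the helper would open, or None when malformed."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None, "malformed"
    ip, port = parsed
    if ip != sender_ip:
        return parsed, "advertises another host"     # would expose a third machine
    if port in sensitive_ports:
        return parsed, "advertises a listening service"
    if port < EPHEMERAL_MIN:
        return parsed, "advertises a privileged port"
    return parsed, "ok"

# Constructed sample of control-channel commands seen leaving the LAN.
SAMPLE = [
    ("192.168.1.10", "PORT 192,168,1,10,200,15"),   # ordinary active-mode transfer
    ("192.168.1.10", "PORT 192,168,1,10,23,12"),    # 23*256+12 = 5900, the VNC port
    ("192.168.1.10", "PORT 192,168,1,20,200,16"),   # names another machine on the LAN
    ("192.168.1.10", "PORT 192,168,1,10,300,1"),    # octet out of range
]

def flagged(sample=SAMPLE):
    """Return the commands the helper should not honour, with the reason."""
    return [(line, audit_port_command(ip, line)[1])
            for ip, line in sample if audit_port_command(ip, line)[1] != "ok"]

if __name__ == "__main__":
    for line, why in flagged():
        print(f"{line!r}: {why}")
```

These checks only catch the obvious abuses; as the post concludes, the reliable fix is to forward the wanted ports without the helper in the path.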




Leythos 10-11-2007 06:51 PM

Re: How did they get past my NAT?
 
In article <1192128212.845454.45420@22g2000hsm.googlegroups.com>,
maniaque27@gmail.com says...
> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
> wrong above) has an Active FTP "NAT Helper" which allows any program
> with TCP-connection-creation priviledges on any of my computers to
> open an incoming port to this machine from a target site on the
> internet.


Another reason to never trust the ISP/Vendor supplied hardware.

Always get your own NAT/Firewall appliance and then you control
everything and manage it.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


Sebastian G. 10-11-2007 09:05 PM

Re: How did they get past my NAT?
 
Maniaque wrote:


>> A NAT is not a firewall at all, it's basic routing - Most non-technical
>> types call NAT Routers firewalls, they are not.

>
> That I understand, but I'm always a little confused about what the
> difference Exactly is... a firewall is a device that only allows
> connections that you want to allow - a NAT is a device that allows
> outgoing connections arbitrarily, but normally (or only sometimes? see
> the STUN information Chris mentioned) prevents arbitrary incoming
> connections.



NAT/NAPT is a mechanism to provide connectivity. Preventing incoming
connections might be a particularly useless side effect, depending on the
implementation. It has nothing to do with security.

> Most home routers additionally claim to have a "firewall"
> function that you can turn on / off (including the WRT54G)



Yes, but this is not related to NAT.

goarilla 10-11-2007 09:14 PM

Re: How did they get past my NAT?
 
Leythos wrote:
> In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
> maniaque27@gmail.com says...
>> not true. the WRT54G can block outgoing connections based on any
>> number of specified parameters, and then it has all those extra fancy
>> features that I don't understand ;)

>
> it's a NAT device that can block outbound ports - it has no clue what
> those ports are and doesn't know the difference between HTTP and SMTP
> except that they use different ports.
>


Just some questions, with the goal of learning more.

So you call a firewall something with complex heuristics?
Really, does iptables provide more than filtering between protocol, port
and state information, and do people actually use it? Because in essence,
IIRC, a NAT router does the same: it opens up a connection if somebody on
the inside requests it and after that allows the connection until it's
broken down (FIN or RST). Do I have a point here or not?

goarilla 10-11-2007 09:17 PM

Re: How did they get past my NAT?
 
Leythos wrote:
> In article <1192128212.845454.45420@22g2000hsm.googlegroups.com>,
> maniaque27@gmail.com says...
>> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
>> wrong above) has an Active FTP "NAT Helper" which allows any program
>> with TCP-connection-creation priviledges on any of my computers to
>> open an incoming port to this machine from a target site on the
>> internet.

>
> Another reason to never trust the ISP/Vendor supplied hardware.
>
> Always get your own NAT/Firewall appliance and then you control
> everything and manage it.
>

I wholeheartedly agree with you on this one.

The problem is ... some ISPs filter on a specific device (MAC), some
ISPs lend you the router for personal usage, and some ISPs disallow
other so-called 'not supported' routers and put a clause in small
letters in your contract.

Here in Belgium it's actually pretty bad in this field. Even worse, the
biggest ISP here, Belgacom, disallows secured POP (SSL/TLS) or IMAP for
non-business users, which still costs +40 EURO/month.

Leythos 10-11-2007 09:25 PM

Re: How did they get past my NAT?
 
In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> Leythos wrote:
> > In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
> > maniaque27@gmail.com says...
> >> not true. the WRT54G can block outgoing connections based on any
> >> number of specified parameters, and then it has all those extra fancy
> >> features that I don't understand ;)

> >
> > it's a NAT device that can block outbound ports - it has no clue what
> > those ports are and doesn't know the difference between HTTP and SMTP
> > except that they use different ports.
> >

>
> just some questions with as goal to learn more
>
> so you call a firewall something with complex heuristics ?
> really does iptables provide more than filtering between protocol, port
> and state information, and do people actually use it. Because in essence
> iirc
> a nat router does the same it opens up a connection if somebody on the
> inside requests it
> and after that allows the connection untill it's broken down (FIN or RST)
> do i have a point here or not ?


Does the device, in the standard/default mode, block traffic in both
directions?

Does the device know the difference between HTTP and SMTP or only TCP 80
and TCP 25?

Does the device understand being attacked and auto-block sources of
attacks or unauthorized traffic?

Does the device use NAT or can it be set up with rules without using NAT?
If it forces NAT then I don't consider it a firewall unless it can do
all the others - since MOST of the devices that force NAT are
residential devices (yea, not all inclusive, but you should get the idea
without us going off the deep end).



--
Leythos - spam999free@rrohio.com (remove 999 to email me)


goarilla 10-11-2007 10:03 PM

Re: How did they get past my NAT?
 
Leythos wrote:
> In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> Leythos wrote:
>>> In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
>>> maniaque27@gmail.com says...
>>>> not true. the WRT54G can block outgoing connections based on any
>>>> number of specified parameters, and then it has all those extra fancy
>>>> features that I don't understand ;)
>>> it's a NAT device that can block outbound ports - it has no clue what
>>> those ports are and doesn't know the difference between HTTP and SMTP
>>> except that they use different ports.
>>>

>> just some questions with as goal to learn more
>>
>> so you call a firewall something with complex heuristics ?
>> really does iptables provide more than filtering between protocol, port
>> and state information, and do people actually use it. Because in essence
>> iirc
>> a nat router does the same it opens up a connection if somebody on the
>> inside requests it
>> and after that allows the connection untill it's broken down (FIN or RST)
>> do i have a point here or not ?

>
> Does the device, in the standard/default mode, block traffic in both
> directions?


No, OK, you got me here: it only does this for INBOUND traffic, but I
myself don't block outbound traffic on my box (Slackware) either,
because I consider myself knowledgeable enough to be trusted :D

> Does the device know the difference between HTTP and SMTP or only TCP 80
> and TCP 25?
>
> Does the device understand being attacked and auto-block sources of
> attacks or unauthorized traffic?
>
> Does the device use NAT or can it be setup with rules without using NAT?
> If it forces NAT then I don't consider it a firewall unless it can do
> all the others - since MOST of the devices that force NAT are
> residential device (yea, not all inclusive, but you should get the idea
> without us going off the deep end).
>
>
>

Do you consider netfilter to be a firewall (well, in essence it's a
stateful packet filter)? Because IIRC there is no SMTP or HTTP netfilter
module, and it does its filtering mostly on the data link and transport
protocol headers, like most firewalls do. It would be very costly,
performance-wise, to implement application protocol filters in
firewalls, and I've yet to see one that does, let alone one that also
implements complex heuristics. Because let's face it: the higher you go
up in the TCP/IP stack, the more complex the headers and payload become,
the more bugs you'll get in the code that does the heuristics --> the
more flaws there are to be exploited!

