How did they get past my NAT?

[this is a repost, I also sent to alt.computer.security]

Sorry I'm new here, not sure this is the right newsgroup to post to - I have a question that is about routers, security, and connectivity all rolled into one.

Yesterday while I was working on my desktop all of a sudden a session kicked in on my VNC server - my desktop background image disappeared and the RealVNC system tray icon turned black to indicate a session in progress. Within a couple of seconds, something hit my start menu, run dialog, "cmd", and typed "TFT" in the new command prompt window. At this point I panicked and shutdown the VNC service ASAP.

This post is not actually about the VNC problem, I found out today that the version I used had a known security flaw that allowed bypassing the password prompt. That is clearly what happened there, and could be easily fixed with upgrading to the newest version.

My question is how the attacker got to my VNC port!

Here's all the background I can muster:

- I am running an ADSL router, "Xavi" brand, "7028r" model, and it seems to run a "GlobespanVirata" chipset. This was provided to me by my previous ADSL provider, Telefonica Spain.
- I have a standard NAT LAN, with a variety of devices connecting to the internet through the router.
- I have certain very specific ports forwarded to my desktop for remote access, peer-to-peer connectivity, etc.
- I am NOT forwarding either of the VNC ports (standard ports 5900 and 5800), so to my limited knowledge the VNC service should not be accessible from the internet. I have of course tested this, and found that to be correct. The VNC service is not publicly accessible.
- I do not have the firewall enabled on the router, because I assumed the NAT basically made it safe. I tried enabling the router firewall today but it also seems to block the services that I need to be able to access from the internet (eg HTTP, I run a small webserver), so that does not work for me.
- I WAS running uTorrent at the time of the attack (and had been for a few hours).
- I did get the IP address of the attacker from my VNC log, it was "85.239.126.86", an address in Germany. I have not looked for or found any further information. I guess I could try a port scan but I assume it's a zombie computer so what's the point.

Now my understanding is that "85.239.126.86" being an internet address, for the VNC session to work that address would need to be routable - the only way that that address could be routed on my network is through the ADSL router / gateway (I think). In theory I guess there could have been some sort of local tunnel set up, but I assume that would have required a virtual network adapter to have been set up on my computer? (I saw nothing like that, and virus and spyware scans have come up clean).

If it was routed through my router, how could the attacker have convinced the router to initiate the communication to my internal port 5900 on that particular machine??? The safety of a NAT, as I understand it, is that remote hosts cannot access an internal address unless there is explicit port forwarding enabled, or the session is initiated by a host behind the NAT, is that not correct?

I guess I'm only coming to the real point of my post now - assuming that I'm on the right track, and that this communication on port 5900 was happily handled by my router, could it have been initiated by another program on my desktop, specifically the uTorrent client? I've been logging sessions on my router since this morning, and I see that client connections are opened by the uTorrent client (very frequently, thousands per hour) with random local port numbers, that slowly seem to increase / cycle. Is it possible that the uTorrent client made a client connection using local port number 5900 (which was also being used by the VNC server), and the computer/remote host that the uTorrent client was connecting to took advantage of this situation to test / probe / attack the VNC server on that port?

I guess the questions are:
- is it possible for a client TCP connection to be initiated by a local "client" program from a port that is already being used by a "server" program, like VNC server?
- what are the chances, statistically speaking, that this would happen? Would it be worth a hacker's time to set up servers as bittorrent participants / seeds in the hopes that some client computer makes a connection using a special port (eg VNC), which could then allow the computer's VNC server to be probed / tested for the known VNC vulnerability?

It's the only explanation that I can think of, but I just can't see how it would be worth a hacker's time!

Final blurb: I set up a syslog server on my desktop and have been logging all incoming and outgoing sessions from my router (generating a nasty amount of log data, but I'll put up with it). This way I'll be able to see how the session gets set up, if I ever become aware of another similar situation. I will upgrade my VNC server of course, so the attack would need to use another vector. My concern of course is that I may NOT be aware of it next time. My desktop is not hardened as a public server with all ports exposed - I'm very much counting on the fact that only specific selected ports should be accessible from outside. In theory, if any port on the desktop can be exposed, then my windows filesharing setup is just one of the things that would be vulnerable to brute-force attack. Is there anything else I can do to investigate this or help prevent future issues? Does anyone have any experience with the Xavi router or GlobespanVirata chipset that could help me get it set up to prevent this from happening again? For now I will probably install a local firewall on the desktop allowing only the servers I need to work, but that of course makes all sorts of things more complicated - file and printer sharing, VPN client software setup, HTTP proxy setup, etc etc. I just wish I could feel safe in my own network again!

Sorry about the monster first post, I would appreciate any and all feedback.

Thanks, Tao

Reply to
Maniaque

NAT doesn't make it safe.

Simply ask for it? Wait until it comes up?

What about implicit forwarding, for example by protocol helper implementations?

No.

No, but using a protocol helper you can do this for a different port.

Assuming that the timeout for the NAT table entries is five minutes, it could be a completely different source.

Then implement this concept.

Or DoS attacks.

Maybe, but unless you know the implementation....

Reply to
Sebastian G.

OK, thanks very much for the reply, although now I feel like I've been made to wear the donkey hat and stand in the corner of the classroom... :)

What do you mean by "Ask for it"? If I do that (from outside the network), I get no response, because there is no "Default host" set up behind my NAT, and no port forwarding for that port - if an explicit port forwarding has not been set up, how can a remote host "Ask for" that server? Is this something that is allowed by the average NAT but requires extra network programming skills?

But why would it ever come up? Why would that port ever be opened to the outside from that machine? The port is bound to the VNC server (so no other program on the desktop should be able to do anything with it, as I understand?), and not forwarded on the router, so there should be no reason for a NAT session entry pointing that port to the outside ever to be opened, right? (I certainly don't open VNC connections to the internet, despite my limited knowledge I am very aware that basic VNC communication is totally unprotected, both authentication and data)

Sounds interesting, what is this? Is this the sort of thing that can sometimes make regular "Active" FTP work from behind a NAT, where the firewall automatically sees the FTP control port communication and opens up/forwards the data port as required? If so, how could the router be convinced to do this for an arbitrary port? Is there some sort of standard for triggering this behaviour?

I have just tested Active FTP from behind my NAT and it did not work (to an FTP server where passive FTP is working without issues) - does that say anything about this possibility?

I've searched online for any information about "protocol helper", it seems to be synonymous with "IP helper" - I see a windows API, but that looks like it would require the attacker to be running arbitrary C/C++ code on the desktop (or other device on the network?). Do you know where I could find any information about what this is, how it works etc?

OK, I'm going to show my complete lack of understanding about how NAT works here (if I haven't already :)), but is it the NAT device keeping track of the ip addresses (and some additional "magic" session information?) at both ends of the communication? What happens if two client machines try to open a connection from the same client-side port at the same time, does the NAT simply refuse one of them? I was under the impression that there could be multiple machines communicating to/from the same port from behind a NAT without problems. For that to be true, the NAT device would need to be looking at each incoming packet and sending it to the correct internal host based on some filtering logic, right (rather than a simple temporary port-to-host mapping table)? Are you saying that some arbitrary third-party IP address can send in a packet and have it be routed to a specific host behind the NAT, as long as the attacker has seen one of the packets of the communication between the legitimate remote host and the local host behind the NAT?

If I understand what you are saying correctly, and a remote attacker can actually direct arbitrary packets into any Existing NAT session by spying on a legitimate packet destined to/from the NAT-ed host, that still doesn't explain how the port session could be opened on the NAT device in the first place - is this where you are saying that the "Protocol Helper" comes in?

So... given that my ADSL connection uses PPPoA (which is non-bridgeable I believe, as opposed to PPPoE), I would need to set up a second router/firewall/NAT device like a linksys wrt54G to sit behind the telecoms-operator-provided Xavi router, forward the appropriate ports through both devices, and make sure that the firewall is turned on on the wrt54g? I can only assume that what was "missing" in my original setup was a firewall (which my adsl router claims to have, but when I turn it on all the port forwarding stops working, which sort of defeats the purpose). Or do you have any other suggestions on how this can be done using home equipment?

Meh, I'm not so concerned. Why would anyone bother? I'm a home user, I'm running a silly little website with 10 pageviews/month, my only concern is that someone gets into my machine / network and installs malicious code, spies on me, enlists my computer into a botnet of some sort, turns me into an infection vector for some or other virus / worm / trojan, etc. That would suck. It is incredibly unpleasant to have your desktop suddenly taken over via VNC, too, although I don't think that can happen again in quite the same way, I did upgrade away from the defective RealVNC version.

Not sure what you meant here - I know exactly how I have everything set up, but I don't know much about the workings / functionality of the router itself. There are no configuration manuals online or anything. In fact, I was able to get it to forward logging info to a syslog server on my desktop by browsing through and editing the "configuration backup" file, but afterwards remembered what I'd read a few months ago on some forum - you have to turn logging off on this router, because otherwise it hangs when it runs out of log space. No cycling, no "forward to syslog server but do not store locally", it simply hangs.

So it looks like at an absolute minimum I'm going to need to set up the second-level linksys wrt54g firewall/router, but I guess I'd like your criticism if you have any thoughts on the sensibleness of this idea, and whether it helps to "implement this concept" as you suggested above :)

Thanks so much for the feedback! Tao

Reply to
Maniaque

A NAT is not a firewall at all, it's basic routing - Most non-technical types call NAT Routers firewalls, they are not.

a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited" inbound traffic, that's all.

No, port forwarding is what your problem is - if you forward ports then you expose your computer/network and that's how people reach your computer to do things you don't want.

You should learn to post in one group or to cross post so that your thread is easy to work with for multiple groups that you've done this in.

Reply to
Leythos

I have also used a badged GlobespanVirata running in NAT with no firewall but with selected port forwarding. (Behind that runs a linux box that does have a firewall, but that's moot just now.)

Based on what you're saying, I'd concur with you.

NAT will inherently block all externally originated inbound traffic with the exception of those ports that you have selected for port forwarding. On that understanding it makes for an adequate external facing firewall. It is not a good substitute for a proper thought-out policy and implementation, though.

Again, based on my experience with the GV chipset and firmware I'd agree with you there, too.

Or through some other port-forwarded service. (Instant messenger flaw, SOCKS, internal web proxy,...)

Your virus/spyware scans obviously didn't pick up that you were running the flawed VNC service (I wouldn't expect them to do so), so they won't pick up any other software you run that has similar security flaws. I'd check them all out if I were you.

I'd also be inclined to boot cold (if you can) and run a virus checker from outside your installed OS. If you're up to it, then either pop your disk drive into a different Windows box and scan from that known safe system, or else get a Linux-based "live CD" distribution and run something like clam AV (with all its updates, please!) against your installed OS. Otherwise there's no guarantee that your AV software hasn't been modified by some virus/trojan you've accidentally installed.

That's correct. Further, the GV chipset that I have - which /may/ or may not be the same as yours - does NAT such that a rule only allows traffic on the 5-tuple (proto, sport, saddr, dport, daddr) to pass. (Some NAT devices are more liberal than that. I say they're broken. STUN users say they're great.)

I thought that Bit Torrent was essentially built around a UDP based protocol. VNC on the other hand is TCP. So, no, I don't see how one could influence the other. Trojans and flawed software notwithstanding.

That's typical behaviour, yes.

This should not be possible.

It is possible for a service to bind to a port using INADDR_ANY ("listen for connections to this port on all local interfaces"), and for another process to bind more tightly to that port ("listen for connections to this port from this specific local interface"), but then that second process would receive the connection request rather than the original.

However, also bear in mind that VNC can be used to initiate a server session (i.e. it pushes your screen out to a remote viewing client). Perhaps you - or some trojan - accidentally triggered this?

Chris

Reply to
Chris Davies

hmm, subtle dig? :)

right, but would it show up logged with the public IP address in my event log? That's what I'm surprised by - the VNC client / attacker did not look like it was coming from some local address that was being tunneled by some local proxy or malware - it was logged as a public internet address - does that not mean that it had to go through my regular NIC? Or are you saying that the malware would have set up its own routing rules in windows to forward traffic for that specific IP to itself instead of my regular NIC - to do that, would it not need to show up in some device list in windows? Sorry, my lack of knowledge about OS-level networking in windows is clear here.

Yep, still doing. Next check is Apache, it's been a little while since I upgraded.

In another thread that I inelegantly cross-posted, Leythos (other post above) provided lots of helpful advice on better scanning for malware, I'll have a go at that too:


Yep, will do, thanks!

Woah, now there's an interesting bit of news! Based on the diagram at this wikipedia article, it looks like the only types of NAT that would fit my assumptions, and consequently be "as safe as I expected", would be a "Symmetric" NAT and a "Restricted Port" NAT?

I'll have to get my hands on a STUN client (and access to a server) to see if I can test this out - if I understand correctly anything other than Symmetric and Restricted Port is "Bad", in that it could allow open windows for remote hosts to contact me on ports that I do not want, or for hosts that I have not reached out to to reach out to me - both of these were things I did not think were allowed by a normal NAT, outside of special "Per-Protocol" exceptions like Active FTP.

OK, thanks for confirming. I guess I'll wait to see if Sebastian G gets back to me with any refutations of this "NAT-shielding-against-public-access-of-services" theory.

Right, exactly what IIS does. I did not know that this was inherent to the O/S, thanks for confirming.

Hmm, thanks for that, but no - my VNC server event log entries clearly show the connection coming in from outside, without any authentication step between the connection being accepted and my killing the server after they had successfully reached my desktop session (which is the signature of the VNC vulnerability, I checked it and tried it myself before upgrading to the patched/newer VNC version):

Connections: accepted: 85.239.126.86::4623
Connections: closed: 85.239.126.86::4623 (Server shutdown)

Thanks very much for the help! Tao

Reply to
Maniaque
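To make the NAT-type distinction concrete (Chris's point that his GV firmware only passes traffic matching the full 5-tuple, and the full-cone / restricted / symmetric classification Tao found), here is an added example that is not code from the thread or from any of the routers mentioned: a toy NAT that applies one of those inbound filtering policies, replayed against Tao's scenario. The LAN host 192.168.1.20, the peer 198.51.100.5, the WAN address 203.0.113.10 and the port numbers are constructed; 85.239.126.86 is the address from Tao's VNC log.

```python
# Added example (not from the thread): a toy NAT that applies one of the
# inbound filtering policies discussed in the thread, so you can see what
# "unsolicited" means under each.  All addresses are constructed;
# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.
from dataclasses import dataclass, field

FULL_CONE = "full cone"                  # any remote host may use an open mapping
ADDRESS_RESTRICTED = "restricted cone"   # remote IP must have been contacted first
PORT_RESTRICTED = "port restricted"      # remote IP:port must have been contacted first
SYMMETRIC = "symmetric"                  # one mapping per remote IP:port, port-restricted


@dataclass
class ToyNat:
    policy: str
    wan_ip: str = "203.0.113.10"
    next_port: int = 40000
    # mapping key -> (wan_port, set of (remote_ip, remote_port) the LAN host sent to)
    table: dict = field(default_factory=dict)

    def _key(self, lan_ip, lan_port, remote_ip, remote_port):
        # A symmetric NAT keys its mapping on the destination too; the cone
        # variants reuse one mapping for every destination.
        if self.policy == SYMMETRIC:
            return (lan_ip, lan_port, remote_ip, remote_port)
        return (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet: create or reuse a mapping, return the WAN port."""
        key = self._key(lan_ip, lan_port, remote_ip, remote_port)
        if key not in self.table:
            self.table[key] = (self.next_port, set())
            self.next_port += 1
        wan_port, peers = self.table[key]
        peers.add((remote_ip, remote_port))
        return wan_port

    def inbound(self, src_ip, src_port, wan_port):
        """A packet arrives at wan_ip:wan_port. Return (lan_ip, lan_port), or None if dropped."""
        for key, (mapped, peers) in self.table.items():
            if mapped != wan_port:
                continue
            lan_ip, lan_port = key[0], key[1]
            if self.policy == FULL_CONE:
                return (lan_ip, lan_port)
            if self.policy == ADDRESS_RESTRICTED and any(ip == src_ip for ip, _ in peers):
                return (lan_ip, lan_port)
            if self.policy in (PORT_RESTRICTED, SYMMETRIC) and (src_ip, src_port) in peers:
                return (lan_ip, lan_port)
        return None  # no mapping at all, or a mapping this peer is not allowed to use


def probe(policy):
    """Tao's scenario: uTorrent on 192.168.1.20:6881 talks to one peer, then the
    host from the VNC log tries the same WAN port, and tries port 5900 directly."""
    nat = ToyNat(policy)
    wan_port = nat.outbound("192.168.1.20", 6881, "198.51.100.5", 51413)
    return {
        "peer_reply": nat.inbound("198.51.100.5", 51413, wan_port),
        "stranger_same_port": nat.inbound("85.239.126.86", 4623, wan_port),
        "stranger_to_5900": nat.inbound("85.239.126.86", 4623, 5900),
    }


if __name__ == "__main__":
    for policy in (FULL_CONE, ADDRESS_RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{policy:18} {probe(policy)}")
```

Two things fall out of running it. Only the full-cone policy lets the stranger in at all, which is the "STUN users say they're great" case; the three stricter policies drop it. And even the full-cone NAT delivers the stranger's packet to the LAN port that created the mapping (6881, the torrent client), never to 5900: with no mapping or forwarding rule for 5900, the direct probe is dropped under every policy. Something on the NAT has to create a state entry or rule for 5900 before a remote host can reach it, which is exactly the gap the protocol-helper discussion in the thread is about.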

That I understand, but I'm always a little confused about what the difference exactly is... a firewall is a device that only allows connections that you want to allow - a NAT is a device that allows outgoing connections arbitrarily, but normally (or only sometimes? see the STUN information Chris mentioned) prevents arbitrary incoming connections. Most home routers additionally claim to have a "firewall" function that you can turn on / off (including the WRT54G) - when do you decide what is and what is not a firewall? I really would like to know, it's something that's puzzled me for years. Some things are clearly not a firewall at all, like a "Full-cone" NAT router. Some things are clearly a firewall first, and anything else after, like one of those Cisco devices. But aren't most home routers somewhere in-between?

not true. the WRT54G can block outgoing connections based on any number of specified parameters, and then it has all those extra fancy features that I don't understand ;)

Firewall Protection: Enable / Disable
Additional Filters:
- Filter Proxy
- Filter Cookies
- Filter Java Applets
- Filter ActiveX
- Block Portscans
- Filter P2P Applications
Block WAN Requests:
- Block Anonymous Internet Requests
- Filter Multicast
- Filter Internet NAT Redirection
- Filter IDENT (Port 113)

Only if they get past the intended security of the service in question, right?

Yep, thanks.

Tao

Reply to
Maniaque

it's a NAT device that can block outbound ports - it has no clue what those ports are and doesn't know the difference between HTTP and SMTP except that they use different ports.

Reply to
Leythos

Really quick update - Michael Ziegler helped me find the issue on a thread I badly cross-posted on alt.comp.networking.connectivity:

My router (Xavi 7768r with GlobespanVirata chipset, I think I had it wrong above) has an Active FTP "NAT Helper" which allows any program with TCP-connection-creation privileges on any of my computers to open an incoming port to this machine from a target site on the internet. Java Applets, by default, have this functionality enabled. You can test for this "feature" or "flaw" at the following site:
On the day this happened, I was browsing on at least a couple of sites that could well have had "harmful content", probably including a java applet that opened up my port to the attacking site by using the FTP NAT helper trick. My VNC server was a flawed version which (I tested that) allowed certain well-crafted incoming connections to bypass authentication.

Now - at this point I have no proof that that was the course of events, but "Occam's razor" and all that, it is definitely the simplest explanation that fits all the facts. I will definitely do a more thorough malware check on my machine and I will implement a solution that allows me to forward the ports I want without the NAT Helper flaw, but in the meantime I will sleep much better knowing that chances are 95% that I at least know exactly what the problem was.

Thanks for all your help! Tao

Reply to
Maniaque

Another reason to never trust the ISP/Vendor supplied hardware.

Always get your own NAT/Firewall appliance and then you control everything and manage it.

Reply to
Leythos

Huh? What do you mean, keep sending SYN packets to a certain port and wait until the connection is established?

Are you talking about UPnP?

Reply to
goarilla

Exactly. Of course, the cause of such a forwarding rule appearing in the NAT state table might be highly unrelated.

No, this would be rather straight-forward. I'm talking about application layer protocol engines that inspect the traffic and setup proper rules. For example, if the implementation sees traffic like "PORT 192,168,0,1,47,11", it might believe that it's part of an Active FTP session setup and might add an appropriate rule for the reply. Or if it sees a TCP connection to some server on port 4661 (eDonkey P2P protocol), it might decide to permanently forward 4662/TCP and 4665/UDP to that client, without even checking for the actual protocol. Even worse, what about connections to 1119/TCP? Very likely that it's a computer game using Battle.net Online service, so better forward 5000-10000/TCP to that client... oh, and there the VNC server goes.

Reply to
Sebastian G.
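The Active-FTP helper Sebastian describes, and the abuse of it Tao reports (an applet behind the NAT opening an inbound path to port 5900), can be shown end to end in a few lines. The following is an added example, not code from the thread, from the Xavi/GlobespanVirata firmware, or from any real ALG: it decodes and builds FTP PORT commands, models a helper that trusts the PORT payload blindly, and beside it a helper with the sanity checks a practitioner would expect. The victim address 192.168.1.20 and the checks in the strict helper are my assumptions; 85.239.126.86 is the address from Tao's VNC log.

```python
# Added example (not from the thread): a toy Active-FTP "NAT helper" (ALG) and
# how a process behind the NAT abuses it.  Addresses are constructed except
# 85.239.126.86, the address in Tao's VNC log.  The StrictFtpHelper checks are
# my assumptions, not a description of any vendor's implementation.
import re

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line):
    """Decode an FTP PORT command into (ip, port); None if it is not a valid PORT."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(ip, port):
    """What an attacker-controlled client (or applet) sends to get `ip:port` opened."""
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


class NaiveFtpHelper:
    """Behaviour Tao's router appears to have: any PORT seen on a connection to a
    remote port 21 installs an inbound rule for whatever address and port it names."""

    def __init__(self):
        self.rules = []  # (remote_ip allowed in, lan_ip, lan_port)

    def inspect(self, lan_ip, remote_ip, remote_port, payload):
        if remote_port != 21:
            return None
        parsed = parse_port_command(payload)
        if parsed is None:
            return None
        rule = (remote_ip, parsed[0], parsed[1])
        self.rules.append(rule)
        return rule


class StrictFtpHelper(NaiveFtpHelper):
    """Assumed sanity checks: the PORT address must be the LAN host that sent it
    (no redirecting the rule at another machine), the port must be unprivileged,
    and it must not be a port the administrator marked as a local service.
    The helper cannot know on its own that 5900 is VNC; that knowledge has to
    come from the administrator's list, which is the point of the last assert."""

    def __init__(self, protected_ports=()):
        super().__init__()
        self.protected_ports = set(protected_ports)

    def inspect(self, lan_ip, remote_ip, remote_port, payload):
        if remote_port != 21:
            return None
        parsed = parse_port_command(payload)
        if parsed is None:
            return None
        ip, port = parsed
        if ip != lan_ip or port < 1024 or port in self.protected_ports:
            return None  # refused
        rule = (remote_ip, ip, port)
        self.rules.append(rule)
        return rule


def simulate(helper):
    """An applet on the victim connects to the attacker's port 21 and names the
    victim's own VNC port in a PORT command; return the rule the helper installs."""
    attacker, victim = "85.239.126.86", "192.168.1.20"
    return helper.inspect(victim, attacker, 21, build_port_command(victim, 5900))


if __name__ == "__main__":
    print("PORT for 5900:", build_port_command("192.168.1.20", 5900))
    print("naive helper installs:", simulate(NaiveFtpHelper()))
    print("strict helper (5800/5900 protected):", simulate(StrictFtpHelper({5800, 5900})))
    print("strict helper, no protected list:", simulate(StrictFtpHelper()))
```

The last line of the demo is the caveat: a helper that validates the address and the port range still opens 5900 on request, because nothing in the FTP exchange tells it that port belongs to a listening service. The dependable fixes are the ones the thread converges on: do not run the helper for traffic you did not ask it to handle, and keep a host firewall on the machine so an opened port meets a closed door. Linux's nf_conntrack_ftp is the same mechanism; since kernel 4.7 conntrack helpers are no longer attached to flows automatically and have to be assigned explicitly with a CT rule, for precisely this reason.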

NAT/NAPT is a mechanism to provide connectivity. Preventing incoming connections might be a particularly useless side effect, depending on the implementation. It has nothing to do with security.

Yes, but this is not related to NAT.

Reply to
Sebastian G.

Just some questions, with the goal of learning more.

So you call a firewall something with complex heuristics? Really, does iptables provide more than filtering on protocol, port and state information, and do people actually use it? Because in essence, iirc, a NAT router does the same: it opens up a connection if somebody on the inside requests it, and after that allows the connection until it's torn down (FIN or RST). Do I have a point here or not?

Reply to
goarilla

I wholeheartedly agree with you on this one.

The problem is... some ISPs filter on a specific device (MAC), some ISPs lend you the router for personal usage, and some ISPs disallow other so-called 'not supported' routers and put a clause in small letters in your contract.

Here in Belgium it's actually pretty bad in this field. Even worse, the biggest ISP here, Belgacom, disallows secured POP (SSL/TLS) or IMAP to non-business users, which still costs +40 EURO/month.

Reply to
goarilla

There is your problem: you haven't upgraded in a while and you let people into your website? (Port 80 is forwarded at your NAT to your WAMP box.)

Do you mean I haven't upgraded Windows in a while, or Apache, or both?


Reply to
goarilla

Does the device, in the standard/default mode, block traffic in both directions?

Does the device know the difference between HTTP and SMTP or only TCP 80 and TCP 25?

Does the device understand being attacked and auto-block sources of attacks or unauthorized traffic?

Does the device use NAT or can it be setup with rules without using NAT? If it forces NAT then I don't consider it a firewall unless it can do all the others - since MOST of the devices that force NAT are residential device (yea, not all inclusive, but you should get the idea without us going off the deep end).

Reply to
Leythos

No, OK, you got me here, it only does this for INBOUND traffic, but I myself don't block outbound traffic on my box (Slackware) either, because I consider myself knowledgeable enough to be trusted :D

Do you consider netfilter to be a firewall (well, in essence it's a stateful packet filter)? Because iirc there is no SMTP or HTTP netfilter module, and it does its filtering mostly on the data link and transport protocol headers, like most firewalls do. It would be very costly performance-wise to implement application protocol filters in firewalls, and I've yet to see one that does, also implementing complex heuristics, because let's face it, the higher you go up in the TCP/IP stack the more complex the headers and payload become, the more bugs you'll get in the code that does the heuristics --> the more flaws there are to be exploited!

Reply to
goarilla

that would be a shitty NAT router/gateway !

Reply to
goarilla

On Oct 11, 5:02 pm, "Sebastian G." wrote:

OK, so I guess my source of confusion is with regards to "Intended Purpose" vs "Effect". A completely basic Symmetrical NAT effectively does the same basic thing a basic firewall will often be used to do - prevent unintended inbound traffic, allow outbound traffic, optionally allow inbound traffic on specified ports to a specified server. However, the "Intended Purpose" of a NAT is actually to allow multiple machines behind a network to coexist using one public IP address; besides the most basic symmetric NAT features, any additional features (heuristic detection of traffic intention, protocol helpers, "full-cone" or "restricted cone" functionality, etc) will take you further and further from the "safety" I assumed. By contrast, while the most basic firewall in the most common configuration may basically be doing the same thing as the most basic NAT I described, the more sophisticated the firewall gets, the better it gets at enhancing said "safety", eg allowing the Active FTP Data connection only on the condition that the traffic from the remote server is made up of valid FTP data... does this sound like a reasonable summary of the distinction? This basically means that ANY home router that implements anything other than the most basic symmetric NAT with no extra features should also contain a firewall, turned on by default, to limit the exposure to the internet, because every additional "helper" feature in the NAT makes the network behind it a little more public / exposed.

Thanks for the clarification - I'm still ridiculously happy to have found the actual (or significantly most likely) cause of the other day's debacle and be able to address it easily :)

Thanks, Tao

Reply to
Maniaque
