Port scans through NAT router?

Hi,

I have Sygate Personal Firewall running on my PC, which is connected to the Internet via a Netgear NAT router (RT314).

I am occasionally getting popups saying that Sygate detected a port scan, and when I do a backtrace, I can see that they're coming from various places "outside" my network.

The main reason for this post is that I'm curious, and I don't understand how that can be happening, because in the Netgear router, I don't have any ports mapped to my machine's internal IP address at all, and I definitely don't have the ports that are being reported by Sygate mapped in the router.

So, my question is "How can these port scans, on those ports, which are not mapped in the Netgear router, be getting through to my PC?". I thought that if I didn't map a given port in the Netgear, that the router would have nowhere to route any traffic on any unmapped ports?

Thanks, Jim

Reply to
ohaya

Well, does the RT314 (I went to the Netgear site, and the RT314 is not listed as a product, so I can't even see the specs for it) have SPI (Stateful Packet Inspection)?

formatting link

SPI is also being talked about in the link below too.

formatting link

If the NAT router doesn't have SPI as part of its firmware, then unsolicited packets/probes can come through the NAT router like a hot knife through butter, just like they did when I was using a Linksys NAT router that didn't have SPI; BlackIce, which I was using behind the NAT router at the time, detected the probes coming through the router and reaching the machines, and stopped them.

I dumped the NAT router and got a low-end FW appliance for my needs. You may just need to get a NAT router that has SPI, if the RT314 doesn't have SPI, or continue to supplement the NAT router with Sygate.

Duane :)

Reply to
Duane Arnold

True. What is the nature of the traffic? Source/destination addresses and ports.

Reply to
Dom

Bullshit. For lack of a NAT mapping, the router would have no idea where to forward the traffic. Many-to-one NATs are stateful by nature. If you persist in claiming such, I suggest you present a layer 2/3 packet capture to that effect.

I'm guessing that this mysterious traffic is Windows multicast UPnP or NetBIOS name requests from the Netgear.

Reply to
Dom

So you know this for a fact do you? Then what is SPI all about if the NAT router doesn't have it.

Your guess doesn't mean shit as far as I am concerned. I know what the port probes that came through the NAT router at the SQL Server that was running on the machines on my network were about.

You know where you can stick it.

Duane :)

Reply to
Duane Arnold

If that OP comes back and indicates that the IP(s) are WAN IP(s), then what the Hell are you going to say then?

Duane :)

Reply to
Duane Arnold

SPI itself does not provide the router enough information to do port forwarding. How does it know which internal host to forward these packets to anyhow. I would be looking at the port forwarding rules that are in place.

BernieM

Reply to
BernieM

Hi,

Thanks for the responses. Please, I hope that this thread can be kept civil.

I'm going to respond to all of the posts (which I'm grateful for) in one post. I hope that this is ok.

The RT314 is an older Netgear product. It does not have SPI.

In the configuration, there's a port mapping function/menu, where I can specify when a port or range of ports (e.g., 2000-3000) should be mapped to one of my "inside" IP addresses, which are on the 192.168.0 subnet.

From the Sygate security log, it looks like the scans are coming from outside, and when I do a backtrace in Sygate, the source of the scan varies.

"Somebody is scanning your computer. Your computer's TCP ports: 1166, 1177, 1183, and 1234 have been scanned from 195.37.77.141."

I've put 2 BMPs showing the Sygate security log and backtrace at:

formatting link
formatting link

I think that the Sygate log indicates that this is TCP traffic, and not UDP.

BTW, as I think that I mentioned, I was also under the (possibly wrong) impression that the router would not route packets to any inside IP address unless a mapping was setup. That was the main reason for my post.

I think, but am not 100% sure that the times that I got this port scan warning, that I was in the process of visiting a website that seemed to have been associated with (at least) the same DNS domain name as the source of the port scan (e.g., see the BMP for the backtrace).

If I am visiting a website, say

formatting link

is there some way for port scans to ride back into my NAT'ed network "on top of" the outgoing HTTP connection?

I hope that I've responded with enough additional info.

Thanks again!

Jim

Reply to
ohaya

SPI firewalls are capable of stateful operation using dynamic rules, not unlike the stateful operation of a NAT.

Likely spoofed traffic from your own infected SQL server.

Reply to
Dom

I am going to tell you the conditions where probes came through that NAT router at the SQL Server running on my machines. And I am also going to say that it happened a few times: the Linksys BEFW11S4 v1 NAT router, which had no SPI, let the probes through, and BlackIce, which I was using on the machine behind it at the time, sounded off.

This started happening a couple of years ago when I would leave a machine connected to the Internet to the AT&T NG servers with a post open, which left the NNTP port 119 open on the machine for long periods of time. The machine was left in that state for hours, and I had fallen asleep or I got up and left the machine in that state. The machines were using the NT based O/S with SQL Server running, and the machines didn't go into a lockout mode as I didn't have that set on the machines at that time.

In that condition, with port 119 sitting open like that, I could see in the Wallwatcher logs IP(s) that were hammering at the router, with a couple of those IP(s) making it past the NAT router, where BlackIce sounded off about those IP(s) coming at port 1434, the SQL Server port that was being probed.

I produced BI logs showing this happening to the machines, explaining there was no port forwarding going on, period, and yet BI was sounding off about this, as I explained this to a couple of Top Guns in this NG at the time. They too asked about this, and I showed them what I had at the time, and they said nothing else about it to me.

I also did the same thing with the Watchguard that I went to because of what was happening with the Linksys, left BI on the machines and left them in the state above for hours at a time with the WG. Nothing came through that WG -- nothing and BI never sounded off.

No one in this NG can tell me that it didn't happen on my network - no one.

You can come up with all the excuses you want as to what you think may or may not have happened. But you were not there and you were not the one who was having it happening on your network as the probes came through that NAT router that didn't have SPI.

I don't know what the conditions are for the OP where he indicates that probes are coming through the NAT router. It did happen to my network where it forced me to find a better solution where I didn't need something like BlackIce to supplement it or back it up.

Duane :)

Reply to
Duane Arnold

You don't know what the Hell you're talking about - so stop posting to me.

Duane

Reply to
Duane Arnold

I can only tell you in the post that I made as to what was happening in my situation where that Linksys NAT router didn't have SPI and probes came through it with BlackIce sounding off about the probes coming through it.

I'll try to be civil about it. But I don't need some *clown* telling me about what was happening on my network just because the *clown* has not experienced it.

Duane :)

Reply to
Duane Arnold

I believe that it's possible for the site to sneak UDP back in, since the NAT router will be allowing all traffic in from whatever site you're visiting; however, you mentioned it was TCP. I suppose theoretically the NAT router would allow ALL traffic inbound from whatever site you're visiting. So it seems possible. That is my understanding; however, I may be wrong and I'm not that well versed in routers yet, still fairly new to them myself. I used software firewalls for years until just about 6 months ago. At any rate, Sygate (or any software fw) will block the inbound traffic/scans so you're safe enough. I would not worry much about anything getting through unless it's from some random IP address. Then it might be time for a new router.

Reply to
Kerodo

Duane,

Thanks for taking the time to explain your experience so well. I don't doubt it happened, I just doubt the 'reason'.

So your Linksys router was performing NAT on incoming traffic and forwarding it to one of your internal hosts and you've associated that behaviour with the fact that it didn't have SPI.

Regardless of the detail, i.e., TCP/UDP/port, was there at least one 'forwarding rule' configured on the router for that internal host?

I'd say there was, and the router's behaviour was due to a bug associated with its NAT/PAT/port forwarding, not simply because it didn't support SPI. If the latter was the case then I would not go near that brand of router again.

How did you fix the problem? Only real choices would have been to either software upgrade the existing router or replace it. In either case, apart from getting SPI in the 'new' router, what would have also changed would have been code associated with port forwarding. So how can you tell what change fixed the problem? You can't.

#1 rule for troubleshooting ... make one change at a time and then test. Perhaps that's the #2 rule, with #1 being ... have some way of regressing your change ;-)

BernieM

Reply to
BernieM

Is the host in question configured as a DMZ host?

That is correct. Port Address Translation utilizes socket-based mappings. Traffic destined for other ports is dropped, even if it is from a currently mapped IP.

Only if the source and destination sockets match an active NAT mapping.

Reply to
Dom
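To make Dom's point concrete (socket-based PAT mappings, so nothing reaches an inside host unless it matches an active mapping, a configured port forward, or the DMZ host), here is an added Python model of a many-to-one NAT router; it is not code from the thread or from Netgear. The WAN address 203.0.113.7, the inside PC 192.168.0.2 and the remote source port are constructed; 195.37.77.141 and port 1166 are the values quoted from the Sygate log.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Constructed model of a many-to-one NAT (PAT) router such as the RT314.
    Dynamic entries are keyed by the full socket pair (assumption: symmetric,
    socket-based PAT as Dom describes); a static port-forward table and a
    single DMZ host are the only other ways an inbound packet gets delivered."""

    def __init__(self, wan_ip, forwards=None, dmz_host=None):
        self.wan_ip = wan_ip
        self.forwards = forwards or {}   # wan_port -> (lan_ip, lan_port)
        self.dmz_host = dmz_host         # LAN host that receives unmatched traffic
        self.table = {}                  # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.reverse = {}                # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.next_port = 1024            # first translated source port handed out

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: create (or reuse) a dynamic mapping and rewrite the source."""
        rkey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.reverse.get(rkey)
        if wan_port is None:
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.reverse[rkey] = wan_port
            self.table[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only for an active mapping, a port forward, or the DMZ host."""
        hit = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if hit is None:
            hit = self.forwards.get(pkt.dst_port)
        if hit is None and self.dmz_host:
            hit = (self.dmz_host, pkt.dst_port)
        if hit is None:
            return None                  # dropped: the router has nowhere to send it
        return Packet(pkt.src_ip, pkt.src_port, hit[0], hit[1])


def scan_results(dmz_host=None):
    """Replay the thread's scenario: the PC browses 195.37.77.141, then that host probes port 1166."""
    r = PatRouter("203.0.113.7", dmz_host=dmz_host)
    r.outbound(Packet("192.168.0.2", 3001, "195.37.77.141", 80))              # HTTP request out
    reply = r.inbound(Packet("195.37.77.141", 80, "203.0.113.7", 1024))        # matches the mapping
    probe = r.inbound(Packet("195.37.77.141", 40000, "203.0.113.7", 1166))     # same site, other socket
    return reply, probe
```

With no DMZ host the probe returns None (dropped), while the HTTP reply is translated back to 192.168.0.2:3001; setting the PC as DMZ host is what makes the probe reach it.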

Dom,

No, the machine is not set as a DMZ host. In the RT314, you set the IP of the machine (it only allows 1) that you want to be in the DMZ in the same menu where you set any other port mappings, and I don't have anything set there for the DMZ.

Jim

Reply to
ohaya

Enough of your paranoid rambling; present your evidence.

Reply to
Dom

I recommend performing a frame capture to determine the ethernet source of the traffic in question.

Reply to
Dom

BernieM wrote:

No, no rules were being forwarded in the Linksys BEFW11S4 V1 router. The BEFW11S4 V1 router did have SPI in the firmware when I first purchased the router back in 2001. And I was doing the same thing with the machines on my network when connecting to a NG server, leaving a post open, therefore leaving port 119 open in the process. For lack of better words, SPI is to ensure that inbound packets are due to outbound packets leaving a machine behind the router, otherwise they are dropped, along with some other things the program does to inspect packets. BlackIce was on the machines at the time, and not one time did BI sound off about probes/traffic reaching its FW that was unsolicited. Then Linksys removed the SPI from the 11s4 v1 router's firmware because Linksys was having a lot of trouble getting the firmware and SPI to work. From what I know to date, Linksys has not incorporated SPI in any of the BEFW11S4 Vx router firmware from that point forward. Once that SPI came out of the firmware, that's when I started having problems with unsolicited packets reaching the machine due to port 119 being left open for long periods of time. In addition to this, I got on the phone with Linksys back at that time and asked about the removal of the SPI from the firmware, and was told about the troubles Linksys was having, and was told to supplement the router with a PFW solution, which I was already doing.

No, and it happened on the two machines that I had SQL Server running on too. And it was on different occasions, when I had left either the laptop or the desktop connected to the NNTP server with a post open, that it ever happened that unsolicited traffic or probes came past that router and BlackIce sounded off about it.

Well, after getting the Watchguard that I now own and getting some reports on how a NAT router can be attacked, I don't trust a NAT router that much and for sure one that doesn't have SPI in the firmware. BTW, one person at the time swore it was a SOHO marketing gimmick about how the NAT router can be attacked that I posted to this NG way back when. :)

Yeah, I went and got a low-end Watchguard and the problem was solved for me. I also stopped using BlackIce on the machines when connected to the WG and also don't use the FW on the Linux machine too while I am at home.

I got enough of that just trying to get the programs I have written, which I am now regression testing, into production status at a client's site. I don't want to hear about a Unit Test Plan or Detail Design artifacts. :)

Duane :)

Reply to
Duane Arnold

Can you stop posting to me you *clown*. You hold no standing in the NG and you mean absolutely *nothing* to me you POS.

Reply to
Duane Arnold
