How did they get past my NAT? - Firewalls



Thread: How did they get past my NAT?

  1. How did they get past my NAT?

    [this is a repost, I also sent to alt.computer.security]

    Sorry I'm new here, not sure this is the right newsgroup to post to -
    I have a question that is about routers, security, and connectivity
    all rolled into one.

    Yesterday while I was working on my desktop all of a sudden a session
    kicked in on my VNC server - my desktop background image disappeared
    and the RealVNC system tray icon turned black to indicate a session in
    progress. Within a couple of seconds, something hit my start menu, run
    dialog, "cmd", and typed "TFT" in the new command prompt window. At
    this point I panicked and shutdown the VNC service ASAP.

    This post is not actually about the VNC problem, I found out today
    that the version I used had a known security flaw that allowed
    bypassing the password prompt. That is clearly what happened there,
    and could be easily fixed with upgrading to the newest version.

    My question is how the attacker got to my VNC port!

    Here's all the background I can muster:

    - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
    seems to run a "GlobespanVirata" chipset. This was provided to me by
    my previous ADSL provider, Telefonica Spain.
    - I have a standard NAT lan, with a variety of devices connecting to
    the internet through the router.
    - I have certain very specific ports forwarded to my desktop for
    remote access, peer-to-peer connectivity, etc.
    - I am NOT forwarding either of the VNC ports (standard ports 5900
    and 5800), so to my limited knowledge the VNC service should not be
    accessible from the internet. I have of course tested this, and found
    that to be correct. The VNC service is not publicly accessible.
    - I do not have the firewall enabled on the router, because I assumed
    the NAT basically made it safe. I tried enabling the router firewall
    today but it also seems to block the services that I need to be able
    to access from the internet (eg HTTP, I run a small webserver), so
    that does not work for me.
    - I WAS running uTorrent at the time of the attack (and had been for
    a few hours)
    - I did get the IP address of the attacker from my VNC log, it was
    "85.239.126.86", an address in Germany. I have not looked for or found
    any further information. I guess I could try a port scan but I assume
    it's a zombie computer so what's the point.

    Now my understanding is that "85.239.126.86" being an internet
    address, for the VNC session to work that address would need to be
    routable - the only way that that address could be routed on my
    network is through the ADSL router / gateway (I think). In theory I
    guess there could have been some sort of local tunnel set up, but I
    assume that would have required a virtual network adapter to have been
    set up on my computer? (I saw nothing like that, and virus and spyware
    scans have come up clean).

    If it was routed through my router, how could the attacker have
    convinced the router to initiate the communication to my internal port
    5900 on that particular machine??? The safety of a NAT, as I
    understand it, is that remote hosts cannot access an internal address
    unless there is explicit port forwarding enabled, or the session is
    initiated by a host behind the NAT, is that not correct?

    I guess I'm only coming to the real point of my post now - assuming
    that I'm on the right track, and that this communication on port 5900
    was happily handled by my router, could it have been initiated by
    another program on my desktop, specifically the uTorrent client? I've
    been logging sessions on my router since this morning, and I see that
    client connections are opened by the uTorrent client (very frequently,
    thousands per hour) with random local port numbers, that slowly seem
    to increase / cycle. It is possible that the uTorrent client made a
    client connection using local port number 5900 (which was also being
    used by the VNC server), and the computer/remote host that the
    uTorrent client was connecting to took advantage of this situation to
    test / probe / attack the VNC server on that port?

    I guess the questions are:
    - is it possible for a client TCP connection to be initiated by a
    local "client" program from a port that is already being used by a
    "server" program, like VNC server?
    - what are the chances, statistically speaking, that this would
    happen? Would it be worth a hacker's time to set up servers as
    bittorrent participants / seeds in the hopes that some client computer
    makes a connection using a special port (eg VNC), which could then
    allow the computer's VNC server to be probed / tested for the known
    VNC vulnerability? It's the only explanation that I can think of, but
    I just can't see how it would be worth a hacker's time!

    Final blurb: I set up a syslog server on my desktop and have been
    logging all incoming and outgoing sessions from my router (generating
    a nasty amount of log data, but I'll put up with it). This way I'll be
    able to see how the session gets set up, if I ever become aware of
    another similar situation. I will upgrade my VNC server of course, so
    the attack would need to use another vector. My concern of course is
    that I may NOT be aware of it next time. My desktop is not hardened as
    a public server with all ports exposed - I'm very much counting on the
    fact that only specific selected ports should be accessible from
    outside. In theory, if any port on the desktop can be exposed, then my
    windows filesharing setup is just one of the things that would be
    vulnerable to brute-force attack. Is there anything else I can do to
    investigate this or help prevent future issues? Does anyone have any
    experience with the Xavi router or GlobespanVirata chipset that could
    help me get it set up to prevent this from happening again? For now I
    will probably install a local firewall on the desktop allowing only
    the servers I need to work, but that of course makes all sorts of
    things more complicated - file and printer sharing, VPN client
    software setup, HTTP proxy setup, etc etc. I just wish I could feel
    safe in my own network again!

    Sorry about the monster first post, I would appreciate any and all
    feedback.

    Thanks,
    Tao


  2. Re: How did they get past my NAT?

    Maniaque wrote:


    > - I do not have the firewall enabled on the router, because I assumed
    > the NAT basically made it safe.



    NAT doesn't make it safe.

    > If it was routed through my router, how could the attacker have
    > convinced the router to initiate the communication to my internal port
    > 5900 on that particular machine???



    Simply ask for it? Wait until it comes up?

    > The safety of a NAT, as I
    > understand it, is that remote hosts cannot access an internal address
    > unless there is explicit port forwarding enabled, or the session is
    > initiated by a host behind the NAT, is that not correct?



    What about implicit forwarding, for example by protocol helper implementations?

    > It is possible that the uTorrent client made a
    > client connection using local port number 5900 (which was also being
    > used by the VNC server), and the computer/remote host that the
    > uTorrent client was connecting to took advantage of this situation to
    > test / probe / attack the VNC server on that port?



    No.

    > I guess the questions are:
    > - is it possible for a client TCP connection to be initiated by a
    > local "client" program from a port that is already being used by a
    > "server" program, like VNC server?



    No, but using a protocol helper you can do this for a different port.

    > - what are the chances, statistically speaking, that this would
    > happen? Would it be worth a hacker's time to set up servers as
    > bittorrent participants / seeds in the hopes that some client computer
    > makes a connection using a special port (eg VNC), which could then
    > allow the computer's VNC server to be probed / tested for the known
    > VNC vulnerability? It's the only explanation that I can think of, but
    > I just can't see how it would be worth a hacker's time!



    Assuming that the timeout for the NAT table entries is five minutes, it
    could be a completely different source.

    > I'm very much counting on the
    > fact that only specific selected ports should be accessible from
    > outside.



    Then implement this concept.

    > In theory, if any port on the desktop can be exposed, then my
    > windows filesharing setup is just one of the things that would be
    > vulnerable to brute-force attack.



    Or DoS attacks.

    > Is there anything else I can do to
    > investigate this or help prevent future issues? Does anyone have any
    > experience with the Xavi router or GlobespanVirata chipset that could
    > help me get it set up to prevent this from happening again?



    Maybe, but unless you know the implementation....

  3. Re: How did they get past my NAT?

    OK, thanks very much for the reply, although now I feel like I've been
    made to wear the donkey hat and stand in the corner of the
    classroom...




    On Oct 10, 12:35 pm, "Sebastian G." wrote:


    > Simply ask for it?


    What do you mean by "Ask for it"? If I do that (from outside the
    network), I get no response, because there is no "Default host" set up
    behind my NAT, and no port forwarding for that port - if an explicit
    port forwarding has not been set up, how can a remote host "Ask for"
    that server? Is this something that is allowed by the average NAT but
    requires extra network programming skills?


    > Wait until it comes up?


    But why would it ever come up? Why would that port ever be opened to
    the outside from that machine? The port is bound to the VNC server (so
    no other program on the desktop should be able to do anything with it,
    as I understand?), and not forwarded on the router, so there should be
    no reason for a NAT session entry pointing that port to the outside
    ever to be opened, right? (I certainly don't open VNC connections to
    the internet, despite my limited knowledge I am very aware that basic
    VNC communication is totally unprotected, both authentication and
    data)

    >
    > > The safety of a NAT, as I
    > > understand it, is that remote hosts cannot access an internal address
    > > unless there is explicit port forwarding enabled, or the session is
    > > initiated by a host behind the NAT, is that not correct?

    >
    > What about implicit forwarding, for example by protocol helper implementations?
    >


    Sounds interesting, what is this? Is this the sort of thing that can
    sometimes make regular "Active" FTP work from behind a NAT, where the
    firewall automatically sees the FTP control port communication and
    opens up/forwards the data port as required? If so, how could the
    router be convinced to do this for an arbitrary port? Is there some
    sort of standard for triggering this behaviour?

    I have just tested Active FTP from behind my NAT and it did not work
    (to an FTP server where passive FTP is working without issues) - does
    that say anything about this possibility?

    >
    > > I guess the questions are:
    > > - is it possible for a client TCP connection to be initiated by a
    > > local "client" program from a port that is already being used by a
    > > "server" program, like VNC server?

    >
    > No, but using a protocol helper you can do this for a different port.


    I've searched online for any information about "protocol helper", it
    seems to be synonymous with "IP helper" - I see a windows API, but
    that looks like it would require the attacker to be running arbitrary C/
    C++ code on the desktop (or other device on the network?). Do you know
    where I could find any information about what this is, how it works
    etc?

    >
    > Assuming that the timeout for the NAT table entries is five minutes, it
    > could be a completely different source.
    >


    OK, I'm going to show my complete lack of understanding about how NAT
    works here (if I haven't already), but it's the NAT device keeping
    track of the ip addresses (and some additional "magic" session
    information?) at both ends of the communication? What happens if two
    client machines try to open a connection from the same client-side
    port at the same time, does the NAT simply refuse one of them? I was
    under the impression that there could be multiple machines
    communicating to/from the same port from behind a NAT without
    problems. For that to be true, the NAT device would need to be looking
    at each incoming packet and sending it to the correct internal host
    based on some filtering logic, right (rather than a simple temporary
    port-to-host mapping table)? Are you saying that some arbitrary
    third-party IP address can send in a packet and have it be routed to a
    specific host behind the NAT, as long as the attacker has seen one of
    the packets of the communication between the legitimate remote host
    and the local host behind the NAT?

    If I understand what you are saying correctly, and a remote attacker
    can actually direct arbitrary packets into any Existing NAT session by
    spying on a legitimate packet destined to/from the NAT-ed host, that
    still doesn't explain how the port session could be opened on the NAT
    device in the first place - is this where you are saying that the
    "Protocol Helper" comes in?


    > > I'm very much counting on the
    > > fact that only specific selected ports should be accessible from
    > > outside.

    >
    > Then implement this concept.
    >


    So... given that my ADSL connection uses PPPoA (which is
    non-bridgeable I believe, as opposed to PPPoE), I would need to set up a
    second router/firewall/NAT device like a linksys wrt54G to sit behind
    the telecoms-operator-provided Xavi router, forward the appropriate
    ports through both devices, and make sure that the firewall is turned
    on on the wrt54g? I can only assume that what was "missing" in my
    original setup was a firewall (which my adsl router claims to have,
    but when I turn it on all the port forwarding stops working, which
    sort of defeats the purpose). Or do you have any other suggestions on
    how this can be done using home equipment?


    > > In theory, if any port on the desktop can be exposed, then my
    > > windows filesharing setup is just one of the things that would be
    > > vulnerable to brute-force attack.

    >
    > Or DoS attacks.


    Meh, I'm not so concerned. Why would anyone bother? I'm a home user,
    I'm running a silly little website with 10 pageviews/month, my only
    concern is that someone gets into my machine / network and installs
    malicious code, spies on me, enlists my computer into a botnet of some
    sort, turns me into an infection vector for some or other virus /
    worm / trojan, etc. That would suck. It is incredibly unpleasant to
    have your desktop suddenly taken over via VNC, too, although I don't
    think that can happen again in quite the same way, I did upgrade away
    from the defective RealVNC version.

    >
    > > Is there anything else I can do to
    > > investigate this or help prevent future issues? Does anyone have any
    > > experience with the Xavi router or GlobespanVirata chipset that could
    > > help me get it set up to prevent this from happening again?

    >
    > Maybe, but unless you know the implementation....


    Not sure what you meant here - I know exactly how I have everything
    set up, but I don't know much about the workings / functionality of
    the router itself. There are no configuration manuals online or
    anything. In fact, I was able to get it to forward logging info to a
    syslog server on my desktop by browsing through and editing the
    "configuration backup" file, but afterwards remembered what I'd read a
    few months ago on some forum - you have to turn logging off on this
    router, because otherwise it hangs when it runs out of log space. No
    cycling, no "forward to syslog server but do not store locally", it
    simply hangs.

    So it looks like at an absolute minimum I'm going to need to set up
    the second-level linksys wrt54g firewall/router, but I guess I'd like
    your criticism if you have any thoughts on the sensibleness of this
    idea, and whether it helps to "implement this concept" as you
    suggested above

    Thanks so much for the feedback!
    Tao



  4. Re: How did they get past my NAT?

    In article <1192088852.392958.21220@r29g2000hsg.googlegroups.com>,
    maniaque27@gmail.com says...
    > I would need to set up a
    > second router/firewall/NAT device like a linksys wrt54G to sit behind
    > the telecoms-operator-provided Xavi router, forward the appropriate
    > ports through both devices, and make sure that the firewall is turned
    > on on the wrt54g? I can only assume that what was "missing" in my
    > original setup was a firewall (which my adsl router claims to have,
    > but when I turn it on all the port forwarding stops working, which
    > sort of defeats the purpose). Or do you have any other suggestions on
    > how this can be done using home equipment?


    A NAT is not a firewall at all, it's basic routing - most non-technical
    types call NAT routers firewalls; they are not.

    A WRT54G is not a firewall, it's a NAT router. NAT blocks "unsolicited"
    inbound traffic, that's all.

    No, port forwarding is what your problem is - if you forward ports then
    you expose your computer/network and that's how people reach your
    computer to do things you don't want.

    You should learn to post in one group or to cross post so that your
    thread is easy to work with for multiple groups that you've done this
    in.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  5. Re: How did they get past my NAT?

    Maniaque wrote:
    > - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
    > seems to run a "GlobespanVirata" chipset. This was provided to me by
    > my previous ADSL provider, Telefonica Spain.


    I have also used a badged GlobespanVirata running in NAT with no firewall
    but with selected port forwarding. (Behind that runs a linux box that
    does have a firewall, but that's moot just now.)


    > - I have certain very specific ports forwarded to my desktop for
    > remote access, peer-to-peer connectivity, etc.
    > - I am NOT forwarding either of the VNC ports (standard ports 5900
    > and 5800), so to my limited knowledge the VNC service should not be
    > accessible from the internet.


    Based on what you're saying, I'd concur with you.


    > - I do not have the firewall enabled on the router, because I assumed
    > the NAT basically made it safe.


    NAT will inherently block all externally originated inbound traffic with
    the exception of those ports that you have selected for port forwarding.
    On that understanding it makes for an adequate external facing firewall.
    It is not a good substitute for a proper thought-out policy and
    implementation, though.


    > I tried enabling the router firewall
    > today but it also seems to block the services that I need to be able
    > to access from the internet (eg HTTP, I run a small webserver), so
    > that does not work for me.


    Again, based on my experience with the GV chipset and firmware I'd agree
    with you there, too.


    > - I WAS running uTorrent at the time of the attack (and had been for
    > a few hours)


    > Now my understanding is that "85.239.126.86" being an internet
    > address, for the VNC session to work that address would need to be
    > routable - the only way that that address could be routed on my
    > network is through the ADSL router / gateway (I think).


    Or through some other port-forwarded service. (Instant messenger flaw,
    SOCKS, internal web proxy,...)


    > In theory I
    > guess there could have been some sort of local tunnel set up, but I
    > assume that would have required a virtual network adapter to have been
    > set up on my computer? (I saw nothing like that, and virus and spyware
    > scans have come up clean).


    Your virus/spyware scans obviously didn't pick up that you were running
    the flawed VNC service (I wouldn't expect them to do so), so they won't
    pick up any other software you run that has similar security flaws. I'd
    check them all out if I were you.

    I'd also be inclined to boot cold (if you can) and run a virus checker
    from outside your installed OS. If you're up to it, then either pop
    your disk drive into a different Windows box and scan from that known
    safe system, or else get a Linux-based "live CD" distribution and run
    something like ClamAV (with all its updates, please!) against your
    installed OS. Otherwise there's no guarantee that your AV software hasn't
    been modified by some virus/trojan you've accidentally installed.


    > If it was routed through my router, how could the attacker have
    > convinced the router to initiate the communication to my internal port
    > 5900 on that particular machine??? The safety of a NAT, as I
    > understand it, is that remote hosts cannot access an internal address
    > unless there is explicit port forwarding enabled, or the session is
    > initiated by a host behind the NAT, is that not correct?


    That's correct. Further, the GV chipset that I have - which /may/ or may
    not be the same as yours - does NAT such that a rule only allows traffic
    on the 5-tuple (proto, sport, saddr, dport, daddr) to pass. (Some NAT
    devices are more liberal than that. I say they're broken. STUN users
    say they're great.)

    > I guess I'm only coming to the real point of my post now - assuming
    > that I'm on the right track, and that this communication on port 5900
    > was happily handled by my router, could it have been initiated by
    > another program on my desktop, specifically the uTorrent client?


    I thought that Bit Torrent was essentially built around a UDP based
    protocol. VNC on the other hand is TCP. So, no, I don't see how one
    could influence the other. Trojans and flawed software notwithstanding.

    > I've
    > been logging sessions on my router since this morning, and I see that
    > client connections are opened by the uTorrent client (very frequently,
    > thousands per hour) with random local port numbers, that slowly seem
    > to increase / cycle.


    That's typical behaviour, yes.


    > It is possible that the uTorrent client made a
    > client connection using local port number 5900 (which was also being
    > used by the VNC server), and the computer/remote host that the
    > uTorrent client was connecting to took advantage of this situation to
    > test / probe / attack the VNC server on that port?


    This should not be possible.


    > - is it possible for a client TCP connection to be initiated by a
    > local "client" program from a port that is already being used by a
    > "server" program, like VNC server?


    It is possible for a service to bind to a port using INADDR_ANY ("listen
    for connections to this port on all local interfaces"), and for another
    process to bind more tightly to that port ("listen for connections to
    this port from this specific local interface"), but then that second
    process would receive the connection request rather than the original.

    However, also bear in mind that VNC can be used to initiate a
    server session (i.e. it pushes your screen out to a remote viewing
    client). Perhaps you - or some trojan - accidentally triggered this?

    Chris

  6. Re: How did they get past my NAT?

    On Oct 11, 8:48 am, Chris Davies wrote:


    >
    > > - I do not have the firewall enabled on the router, because I assumed
    > > the NAT basically made it safe.

    >
    > NAT will inherently block all externally originated inbound traffic with
    > the exception of those ports that you have selected for port forwarding.
    > On that understanding it makes for an adequate external facing firewall.
    > It is not a good substitute for a proper thought-out policy and
    > implementation, though.
    >


    hmm, subtle dig?



    > > - I WAS running uTorrent at the time of the attack (and had been for
    > > a few hours)
    > > Now my understanding is that "85.239.126.86" being an internet
    > > address, for the VNC session to work that address would need to be
    > > routable - the only way that that address could be routed on my
    > > network is through the ADSL router / gateway (I think).

    >
    > Or through some other port-forwarded service. (Instant messenger flaw,
    > SOCKS, internal web proxy,...)
    >


    right, but would it show up logged with the public IP address in my
    event log? That's what I'm surprised by - the VNC client / attacker
    did not look like it was coming from some local address that was being
    tunneled by some local proxy or malware - it was logged as a public
    internet address - does that not mean that it had to go through my
    regular NIC? Or are you saying that the malware would have set up its
    own routing rules in windows to forward traffic for that specific IP
    to itself instead of my regular NIC - to do that, would it not need to
    show up in some device list in windows? Sorry, my lack of knowledge
    about OS-level networking in windows is clear here.

    > > In theory I
    > > guess there could have been some sort of local tunnel set up, but I
    > > assume that would have required a virtual network adapter to have been
    > > set up on my computer? (I saw nothing like that, and virus and spyware
    > > scans have come up clean).

    >
    > Your virus/spyware scans obviously didn't pick up that you were running
    > the flawed VNC service (I wouldn't expect them to do so), so they won't
    > pick up any other software you run that has similar security flaws. I'd
    > check them all out if I were you.


    Yep, still doing. Next check is Apache, it's been a little while since
    I upgraded.

    In another thread that I inelegantly cross-posted, Leythos (other post
    above) provided lots of helpful advice on better scanning for malware,
    I'll have a go at that too:

    http://groups.google.com/group/alt.c...01dbc319cc28/#

    >
    > I'd also be inclined to boot cold (if you can) and run a virus checker
    > from outside your installed OS. If you're up to it, then either pop
    > your disk drive into a different Windows box and scan from that known
    > safe system, or else get a Linux-based "live CD" distribution and run
    > something like ClamAV (with all its updates, please!) against your
    > installed OS. Otherwise there's no guarantee that your AV software hasn't
    > been modified by some virus/trojan you've accidentally installed.
    >


    Yep, will do, thanks!

    > > If it was routed through my router, how could the attacker have
    > > convinced the router to initiate the communication to my internal port
    > > 5900 on that particular machine??? The safety of a NAT, as I
    > > understand it, is that remote hosts cannot access an internal address
    > > unless there is explicit port forwarding enabled, or the session is
    > > initiated by a host behind the NAT, is that not correct?

    >
    > That's correct. Further, the GV chipset that I have - which /may/ or may
    > not be the same as yours - does NAT such that a rule only allows traffic
    > on the 5-tuple (proto, sport, saddr, dport, daddr) to pass. (Some NAT
    > devices are more liberal than that. I say they're broken. STUN users
    > say they're great.)


    Woah, now there's an interesting bit of news! Based on the diagram at
    this wikipedia article, it looks like the only types of NAT that would
    fit my assumptions, and consequently be "as safe as I expected", would
    be a "Symmetric" NAT and a "Restricted Port" NAT?

    http://en.wikipedia.org/wiki/STUN

    I'll have to get my hands on a STUN client (and access to a server) to
    see if I can test this out - if I understand correctly anything other
    than Symmetric and Restricted Port is "Bad", in that it could allow
    open windows for remote hosts to contact me on ports that I do not
    want, or for hosts that I have not reached out to to reach out to me -
    both of these were things I did not think were allowed by a normal
    NAT, outside of special "Per-Protocol" exceptions like Active FTP.

    >
    > > I guess I'm only coming to the real point of my post now - assuming
    > > that I'm on the right track, and that this communication on port 5900
    > > was happily handled by my router, could it have been initiated by
    > > another program on my desktop, specifically the uTorrent client?

    >
    > I thought that Bit Torrent was essentially built around a UDP based
    > protocol. VNC on the other hand is TCP. So, no, I don't see how one
    > could influence the other. Trojans and flawed software not withstanding.


    OK, thanks for confirming. I guess I'll wait to see if Sebastian G gets
    back to me with any refutations of this
    "NAT-shielding-against-public-access-of-services" theory.

    >
    > > - is it possible for a client TCP connection to be initiated by a
    > > local "client" program from a port that is already being used by a
    > > "server" program, like VNC server?

    >
    > It is possible for a service to bind to a port using INADDR_ANY ("listen
    > for connections to this port on all local interfaces"), and for another
    > process to bind more tightly to that port ("listen for connections to
    > this port from this specific local interface"), but then that second
    > process would receive the connection request rather than the original.
    >


    Right, exactly what IIS does. I did not know that this was inherent to
    the O/S, thanks for confirming.

    > However, also bear in mind that VNC can be used to initiate a
    > server session (i.e. it pushes your screen out to a remote viewing
    > client). Perhaps you - or some trojan - accidentally triggered this?
    >


    Hmm, thanks for that, but no - my VNC server event log entries clearly
    show the connection coming in from outside, without any authentication
    step between the connection being accepted and my killing the server
    after they had successfully reached my desktop session (which is the
    signature of the VNC vulnerability, I checked it and tried it myself
    before upgrading to the patched/newer VNC version):

    Connections: accepted: 85.239.126.86::4623
    Connections: closed: 85.239.126.86::4623 (Server shutdown)

    Thanks very much for the help!
    Tao
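Added example (my code, not anything posted in the thread): a small Python model of the NAT behaviours discussed above, Chris's point that his GlobespanVirata box only passes traffic matching the outbound 5-tuple, the STUN NAT types (full cone, address restricted, port restricted, symmetric) Tao is reading about, and the five-minute NAT table timeout Sebastian mentioned. The inside host, peer and external port numbers are constructed sample values; only 85.239.126.86 is taken from the VNC log quoted in the thread.

```python
"""NAT filtering simulator (added example, not code from the thread).

Models how each NAT type decides whether an inbound packet may pass: a
full-cone NAT forwards anything aimed at an existing external mapping, an
address-restricted NAT only forwards from an IP the inside host already
sent to, and port-restricted / symmetric NATs require the full 5-tuple
(proto, sport, saddr, dport, daddr) to match. Entries expire after the
NAT table timeout. Addresses other than 85.239.126.86 are constructed.
"""
from dataclasses import dataclass, field

FULL_CONE = "full_cone"
ADDRESS_RESTRICTED = "address_restricted"
PORT_RESTRICTED = "port_restricted"
SYMMETRIC = "symmetric"


@dataclass
class Mapping:
    ext_port: int
    int_addr: str
    int_port: int
    peers: set = field(default_factory=set)  # (addr, port) the inside host talked to
    last_used: float = 0.0


@dataclass
class Nat:
    mode: str
    timeout: float = 300.0  # five-minute NAT table timeout, as in the thread
    table: dict = field(default_factory=dict)  # mapping key -> Mapping
    next_port: int = 40000  # constructed external port pool

    def _key(self, int_addr, int_port, peer):
        # A symmetric NAT allocates a distinct external port per destination;
        # the cone variants reuse one mapping per inside (addr, port).
        if self.mode == SYMMETRIC:
            return (int_addr, int_port, peer)
        return (int_addr, int_port)

    def outbound(self, int_addr, int_port, peer_addr, peer_port, now):
        """Inside host sends a packet: create or refresh its mapping.
        Returns the external port the NAT used."""
        self.expire(now)
        key = self._key(int_addr, int_port, (peer_addr, peer_port))
        m = self.table.get(key)
        if m is None:
            m = Mapping(self.next_port, int_addr, int_port)
            self.next_port += 1
            self.table[key] = m
        m.peers.add((peer_addr, peer_port))
        m.last_used = now
        return m.ext_port

    def inbound(self, src_addr, src_port, ext_port, now):
        """Outside host sends to ext_port. Returns (int_addr, int_port) if the
        packet is forwarded, or None if the NAT drops it."""
        self.expire(now)
        for m in self.table.values():
            if m.ext_port != ext_port:
                continue
            if self.mode == FULL_CONE:
                allowed = True
            elif self.mode == ADDRESS_RESTRICTED:
                allowed = any(addr == src_addr for addr, _ in m.peers)
            else:  # port-restricted and symmetric: whole 5-tuple must match
                allowed = (src_addr, src_port) in m.peers
            if allowed:
                m.last_used = now
                return (m.int_addr, m.int_port)
            return None
        # No mapping for that external port at all: this is why an unforwarded
        # port such as VNC's 5900 is unreachable under every NAT type.
        return None

    def expire(self, now):
        stale = [k for k, m in self.table.items() if now - m.last_used > self.timeout]
        for k in stale:
            del self.table[k]


def scenario(mode):
    """Desktop 192.168.1.10 (constructed) opens one outbound session from
    local port 50000 to peer 203.0.113.5:6881 (constructed), then several
    inbound packets arrive at the NAT. Returns who got through."""
    nat = Nat(mode)
    ext = nat.outbound("192.168.1.10", 50000, "203.0.113.5", 6881, now=0)
    return {
        "peer": nat.inbound("203.0.113.5", 6881, ext, now=1),
        "peer_other_port": nat.inbound("203.0.113.5", 7000, ext, now=2),
        "stranger": nat.inbound("85.239.126.86", 4623, ext, now=3),
        "unmapped_5900": nat.inbound("85.239.126.86", 4623, 5900, now=4),
        "after_timeout": nat.inbound("203.0.113.5", 6881, ext, now=400),
    }


if __name__ == "__main__":
    for mode in (FULL_CONE, ADDRESS_RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(mode, scenario(mode))
```

Only the full-cone NAT lets a third party such as 85.239.126.86 reuse a mapping that uTorrent opened towards someone else, and no NAT type forwards to a port that was never mapped or forwarded, which is the behaviour Tao expected.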


  7. Re: How did they get past my NAT?

    On Oct 11, 6:31 am, Leythos wrote:
    > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
    > maniaqu...@gmail.com says...
    >
    >
    > A NAT is not a firewall at all, it's basic routing - Most non-technical
    > types call NAT Routers firewalls, they are not.


    That I understand, but I'm always a little confused about what the
    difference exactly is... a firewall is a device that only allows
    connections that you want to allow - a NAT is a device that allows
    outgoing connections arbitrarily, but normally (or only sometimes? see
    the STUN information Chris mentioned) prevents arbitrary incoming
    connections. Most home routers additionally claim to have a "firewall"
    function that you can turn on / off (including the WRT54G) - when do
    you decide what is and what is not a firewall? I really would like to
    know, it's something that's puzzled me for years. Some things are
    clearly not a firewall at all, like a "Full-cone" NAT router. Some
    things are clearly a firewall first, and anything else after, like one
    of those Cisco devices. But aren't most home routers somewhere
    in-between?

    >
    > a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
    > inbound traffic, that's all.


    Not true. The WRT54G can block outgoing connections based on any
    number of specified parameters, and then it has all those extra fancy
    features that I don't understand:

    Firewall Protection: Enable / Disable
    Additional Filters:
    - Filter Proxy
    - Filter Cookies
    - Filter Java Applets
    - Filter ActiveX
    - Block Portscans
    - Filter P2P Applications
    Block WAN Requests:
    - Block Anonymous Internet Requests
    - Filter Multicast
    - Filter Internet NAT Redirection
    - Filter IDENT (Port 113)

    >
    > No, port forwarding is what your problem is - if you forward ports then
    > you expose your computer/network and that's how people reach your
    > computer to do things you don't want.
    >


    Only if they get past the intended security of the service in
    question, right?

    > You should learn to post in one group or to cross post so that your
    > thread is easy to work with for multiple groups that you've done this
    > in.
    >


    Yep, thanks.

    Tao



  8. Re: How did they get past my NAT?

    Really quick update - Michael Ziegler helped me find the issue on a
    thread I badly cross-posted on alt.comp.networking.connectivity:
    http://groups.google.com/group/alt.c...972156a51e0d/#

    My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
    wrong above) has an Active FTP "NAT Helper" which allows any program
    with TCP-connection-creation privileges on any of my computers to
    open an incoming port to this machine from a target site on the
    internet. Java Applets, by default, have this functionality enabled.
    You can test for this "feature" or "flaw" at the following site:
    http://bedatec.dyndns.org/ftpnat/dotest_en.html

    On the day this happened, I was browsing on at least a couple of sites
    that could well have had "harmful content", probably including a java
    applet that opened up my port to the attacking site by using the FTP
    NAT helper trick. My VNC server was a flawed version which (I tested
    that) allowed certain well-crafted incoming connections to bypass
    authentication.

    Now - at this point I have no proof that that was the course of
    events, but "Occam's razor" and all that, it is definitely the
    simplest explanation that fits all the facts. I will definitely do a
    more thorough malware check on my machine and I will implement a
    solution that allows me to forward the ports I want without the NAT
    Helper flaw, but in the meantime I will sleep much better knowing that
    chances are 95% that I at least know exactly what the problem was.

    Thanks for all your help!
    Tao




  9. Re: How did they get past my NAT?

    Sebastian G. wrote:
    > Maniaque wrote:
    >
    >
    >> - I do not have the firewall enabled on the router, because I assumed
    >> the NAT basically made it safe.

    >
    >
    > NAT doesn't make it safe.
    >
    >> If it was routed through my router, how could the attacker have
    >> convinced the router to initiate the communication to my internal port
    >> 5900 on that particular machine???

    >
    >
    > Simply ask for it? Wait until it comes up?


    Huh? What do you mean, keep sending SYN packets to a certain port and
    wait until the connection is established?
    >
    >> The safety of a NAT, as I
    >> understand it, is that remote hosts cannot access an internal address
    >> unless there is explicit port forwarding enabled, or the session is
    >> initiated by a host behind the NAT, is that not correct?

    >
    >
    > What about implicit forwarding, for example by protocol helper
    > implementations?



    Are you talking about UPnP?

    > > It is possible that the uTorrent client made a

    >
    >> client connection using local port number 5900 (which was also being
    >> used by the VNC server), and the computer/remote host that the
    >> uTorrent client was connecting to took advantage of this situation to
    >> test / probe / attack the VNC server on that port?

    >
    >
    > No.
    >
    >> I guess the questions are:
    >> - is it possible for a client TCP connection to be initiated by a
    >> local "client" program from a port that is already being used by a
    >> "server" program, like VNC server?

    >
    >
    > No, but using a protocol helper you can do this for a different port.
    >
    >> - what are the chances, statistically speaking, that this would
    >> happen? Would it be worth a hacker's time to set up servers as
    >> bittorrent participants / seeds in the hopes that some client computer
    >> makes a connection using a special port (eg VNC), which could then
    >> allow the computer's VNC server to be probed / tested for the known
    >> VNC vulnerability? It's the only explanation that I can think of, but
    >> I just can't see how it would be worth a hacker's time!

    >
    >
    > Assuming that the timeout for the NAT table entries is five minutes, it
    > could be a completely different source.
    >
    >> I'm very much counting on the
    >> fact that only specific selected ports should be accessible from
    >> outside.

    >
    >
    > Then implement this concept.
    >
    >> In theory, if any port on the desktop can be exposed, then my
    >> windows filesharing setup is just one of the things that would be
    >> vulnerable to brute-force attack.

    >
    >
    > Or DoS attacks.
    >
    >> Is there anything else I can do to
    >> investigate this or help prevent future issues? Does anyone have any
    >> experience with the Xavi router or GlobespanVirata chipset that could
    >> help me get it set up to prevent this from happening again?

    >
    >
    > Maybe, but unless you know the implementation....


  10. Re: How did they get past my NAT?

    goarilla wrote:


    >> Simply ask for it? Wait until it comes up?

    >
    > huh ? what do you mean keep sending SYN packets to a certain port and
    > wait until the connection is established ?



    Exactly. Of course, the cause of such a forwarding rule appearing in the NAT
    state table might be highly unrelated.

    >> What about implicit forwarding, for example by protocol helper
    >> implementations?

    >
    > are you talking about UPnP ?



    No, this would be rather straightforward. I'm talking about application
    layer protocol engines that inspect the traffic and set up proper rules. For
    example, if the implementation sees traffic like "PORT 192,168,0,1,47,11",
    it might believe that it's part of an Active FTP session setup and might add
    an appropriate rule for the reply.
    Or if it sees a TCP connection to some server on port 4661 (eDonkey P2P
    protocol), it might decide to permanently forward 4662/TCP and 4665/UDP to
    that client, without even checking for the actual protocol.
    Even worse, what about connections to 1119/TCP? Very likely that it's a
    computer game using Battle.net Online service, so better forward
    5000-10000/TCP to that client... oh, and there the VNC server goes.

  11. Re: How did they get past my NAT?

    Maniaque wrote:


    >> A NAT is not a firewall at all, it's basic routing - Most non-technical
    >> types call NAT Routers firewalls, they are not.

    >
    > That I understand, but I'm always a little confused about what the
    > difference Exactly is... a firewall is a device that only allows
    > connections that you want to allow - a NAT is a device that allows
    > outgoing connections arbitrarily, but normally (or only sometimes? see
    > the STUN information Chris mentioned) prevents arbitrary incoming
    > connections.



    NAT/NAPT is a mechanism to provide connectivity. Preventing incoming
    connections might be a particularly useless side effect, depending on the
    implementation. It has nothing to do with security.

    > Most home routers additionally claim to have a "firewall"
    > function that you can turn on / off (including the WRT54G)



    Yes, but this is not related to NAT.

  12. Re: How did they get past my NAT?

    Leythos wrote:
    > In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
    > maniaque27@gmail.com says...
    >> not true. the WRT54G can block outgoing connections based on any
    >> number of specified parameters, and then it has all those extra fancy
    >> features that I don't understand

    >
    > it's a NAT device that can block outbound ports - it has no clue what
    > those ports are and doesn't know the difference between HTTP and SMTP
    > except that they use different ports.
    >


    Just some questions, with the goal of learning more:

    So you call a firewall something with complex heuristics? Does iptables
    really provide more than filtering on protocol, port and state
    information, and do people actually use it? Because in essence, IIRC,
    a NAT router does the same: it opens up a connection if somebody on the
    inside requests it, and after that allows the connection until it's
    broken down (FIN or RST). Do I have a point here or not?

  13. Re: How did they get past my NAT?

    Leythos wrote:
    > In article <1192128212.845454.45420@22g2000hsm.googlegroups.com>,
    > maniaque27@gmail.com says...
    >> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
    >> wrong above) has an Active FTP "NAT Helper" which allows any program
    >> with TCP-connection-creation privileges on any of my computers to
    >> open an incoming port to this machine from a target site on the
    >> internet.

    >
    > Another reason to never trust the ISP/Vendor supplied hardware.
    >
    > Always get your own NAT/Firewall appliance and then you control
    > everything and manage it.
    >

    I wholeheartedly agree with you on this one.

    The problem is... some ISPs filter on a specific device (MAC), some
    ISPs lend you the router for personal usage, and some ISPs disallow
    other, so-called 'not supported' routers and put a clause in small
    print in your contract.

    Here in Belgium it's actually pretty bad in this field. Even worse, the
    biggest ISP here, Belgacom, disallows secured POP (SSL/TLS) or IMAP for
    non-business users, which still costs 40+ EUR/month.

  14. Re: How did they get past my NAT?

    Maniaque wrote:
    > On Oct 11, 8:48 am, Chris Davies wrote:
    >
    >
    >>> - I do not have the firewall enabled on the router, because I assumed
    >>> the NAT basically made it safe.

    >> NAT will inherently block all externally originated inbound traffic with
    >> the exception of those ports that you have selected for port forwarding.
    >> On that understanding it makes for an adequate external facing firewall.
    >> It is not a good substitute for a proper thought-out policy and
    >> implementation, though.
    >>

    >
    > hmm, subtle dig?
    >
    >
    >
    >>> - I WAS running uTorrent at the time of the attack (and had been for
    >>> a few hours)
    >>> Now my understanding is that "85.239.126.86" being an internet
    >>> address, for the VNC session to work that address would need to be
    >>> routable - the only way that that address could be routed on my
    >>> network is through the ADLS router / gateway (I think).

    >> Or through some other port-forwarded service. (Instant messenger flaw,
    >> SOCKS, internal web proxy,...)
    >>

    >
    > right, but would it show up logged with the public IP address in my
    > event log? That's what I'm surprised by - the VNC client / attacker
    > did not look like it was coming from some local address that was being
    > tunneled by some local proxy or malware - it was logged as a public
    > internet address - does that not mean that it had to go through my
    > regular NIC? Or are you saying that the malware would have set up its
    > own routing rules in windows to forward traffic for that specific IP
    > to itself instead of my regular NIC - to do that, would it not need to
    > show up in some device list in windows? Sorry, my lack of knowledge
    > about OS-level networking in windows is clear here.
    >
    >>> In theory I
    >>> guess there could have been some sort of local tunnel set up, but I
    >>> assume that would have required a virtual network adapter to have been
    >>> set up on my computer? (I saw nothing like that, and virus and spyware
    >>> scans have come up clean).

    >> Your virus/spyware scans obviously didn't pick up that you were running
    >> the flawed VNC service (I wouldn't expect them to do so), so they won't
    >> pick up any other software you run that has similar security flaws. I'd
    >> check them all out if I were you.

    >
    > Yep, still doing. Next check is Apache, it's been a little while since
    > I upgraded.


    There is your problem: you haven't upgraded in a while and you let people
    into your website? (Port 80 is forwarded at your NAT to your WAMP box.)

    Do you mean you haven't upgraded Windows in a while, or Apache,
    or both?

    > In another thread that I inelegantly cross-posted, Leythos (other post
    > above) provided lots of helpful advice on better scanning for malware,
    > I'll have a go at that too:
    >
    > http://groups.google.com/group/alt.c...01dbc319cc28/#
    >
    >> I'd also be inclined to boot cold (if you can) and run a virus checker
    >> from outside your installed OS. If you're up to it, then either pop
    >> your disk drive into a different Windows box and scan from that known
    >> safe system, or else get a Linux-based "live CD" distribution and run
    >> something like clam AV (with all its updates, please!) against your
    >> installed OS. Otherwise there's no guarantee that your AV software hasn't
    >> been modified by some virus/trojan you've accidentally installed.
    >>

    >
    > Yep, will do, thanks!
    >
    >>> If it was routed through my router, how could the attacker have
    >>> convinced the router to initiate the communication to my internal port
    >>> 5900 on that particular machine??? The safety of a NAT, as I
    >>> understand it, is that remote hosts cannot access an internal address
    >>> unless there is explicit port forwarding enabled, or the session is
    >>> initiated by a host behind the NAT, is that not correct?

    >> That's correct. Further, the GV chipset that I have - which /may/ or may
    >> not be the same as yours - does NAT such that a rule only allows traffic
    >> on the 5-tuple (proto, sport, saddr, dport, daddr) to pass. (Some NAT
    >> devices are more liberal than that. I say they're broken. STUN users
    >> say they're great.)

    >
    > Woah, now there's an interesting bit of news! Based on the diagram at
    > this wikipedia article, it looks like the only types of NAT that would
    > fit my assumptions, and consequently be "as safe as I expected", would
    > be a "Symmetric" NAT and a "Restricted Port" NAT?
    >
    > http://en.wikipedia.org/wiki/STUN
    >
    > I'll have to get my hands on a STUN client (and access to a server) to
    > see if I can test this out - if I understand correctly anything other
    > than Symmetric and Restricted Port is "Bad", in that it could allow
    > open windows for remote hosts to contact me on ports that I do not
    > want, or for hosts that I have not reached out to to reach out to me -
    > both of these were things I did not think were allowed by a normal
    > NAT, outside of special "Per-Protocol" exceptions like Active FTP.
    >
    >>> I guess I'm only coming to the real point of my post now - assuming
    >>> that I'm on the right track, and that this communication on port 5900
    >>> was happily handled by my router, could it have been initiated my
    >>> another program on my desktop, specifically the uTorrent client?

    >> I thought that Bit Torrent was essentially built around a UDP based
    >> protocol. VNC on the other hand is TCP. So, no, I don't see how one
    >> could influence the other. Trojans and flawed software notwithstanding.

    >
    > ok, thank for confirming. I guess I'll wait to see if Sebastian G gets
    > back to me with any refutations of this "NAT-shielding-against-public-
    > access-of-services" theory.
    >
    >>> - is it possible for a client TCP connection to be initiated by a
    >>> local "client" program from a port that is already being used by a
    >>> "server" program, like VNC server?

    >> It is possible for a service to bind to a port using INADDR_ANY ("listen
    >> for connections to this port on all local interfaces"), and for another
    >> process to bind more tightly to that port ("listen for connections to
    >> this port from this specific local interface"), but then that second
    >> process would receive the connection request rather than the original.
    >>

    >
    > Right, exactly what IIS does. I did not know that this was inherent to
    > the O/S, thanks for confirming.
    >
    >> However, also bear in mind that VNC can be used to initiate a
    >> server session (i.e. it pushes your screen out to a remote viewing
    >> client). Perhaps you - or some trojan - accidentally triggered this?
    >>

    >
    > Hmm, thanks for that, but no - my VNC server event log entries clearly
    > show the connection coming in from outside, without any authentication
    > step between the connection being accepted and my killing the server
    > after they had successfully reached my desktop session (which is the
    > signature of the VNC vulnerability, I checked it and tried it myself
    > before upgrading to the patched/newer VNC version):
    >
    > Connections: accepted: 85.239.126.86::4623
    > Connections: closed: 85.239.126.86::4623 (Server shutdown)
    >
    > Thanks very much for the help!
    > Tao
    >
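    The two mechanisms discussed in this thread, Chris Davies's strict 5-tuple state table (proto, sport, saddr, dport, daddr) and Sebastian G.'s Active FTP protocol helper that turns a "PORT 192,168,0,1,47,11" line into a forwarding rule, can be walked through in a small model. This is an added example written for this page, not code from the thread or from any router firmware; the addresses, ports and FTP control lines are constructed, and the helper's checks (the announced address must be the speaker's own, the port must be unprivileged, the data connection is expected from server port 20) are assumptions about what a careful implementation would do, not a description of the Xavi box.

```python
"""Toy NAT state table with an Active FTP "NAT helper" (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 PORT command: four address octets and two port bytes, comma separated.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Decode "PORT h1,h2,h3,h4,p1,p2" into (ip, p1*256 + p2); None if malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


@dataclass(frozen=True)
class Rule:
    """Inbound packet must match all fields; None in saddr/sport is a 'full-cone' wildcard."""
    proto: str
    saddr: Optional[str]  # remote address
    sport: Optional[int]  # remote port
    daddr: str            # internal host
    dport: int            # internal port

    def admits(self, proto: str, saddr: str, sport: int, daddr: str, dport: int) -> bool:
        return (self.proto == proto and self.daddr == daddr and self.dport == dport
                and self.saddr in (None, saddr) and self.sport in (None, sport))


class Nat:
    """strict=True keeps the full 5-tuple; strict=False keeps only the internal endpoint."""

    def __init__(self, strict: bool = True, ftp_helper: bool = False) -> None:
        self.strict = strict
        self.ftp_helper = ftp_helper
        self.rules: List[Rule] = []

    def outbound(self, proto: str, client: str, cport: int, server: str, sport: int) -> Rule:
        """An internal host opens a connection; record the rule that admits the replies."""
        rule = (Rule(proto, server, sport, client, cport) if self.strict
                else Rule(proto, None, None, client, cport))
        self.rules.append(rule)
        return rule

    def inspect_control_channel(self, client: str, server: str, sport: int,
                                line: str) -> Optional[Rule]:
        """Protocol helper: watch FTP control traffic (server port 21 only) and open the data
        port announced by PORT. The checks are assumed good practice, not vendor behaviour."""
        if not self.ftp_helper or sport != 21:
            return None
        parsed = parse_port_command(line)
        if parsed is None:
            return None
        ip, port = parsed
        if ip != client or port < 1024:  # must name the speaker itself and an unprivileged port
            return None
        # Active FTP: the server's data connection is expected from its port 20 only.
        rule = Rule("tcp", server, 20, client, port)
        self.rules.append(rule)
        return rule

    def inbound_allowed(self, proto: str, saddr: str, sport: int, daddr: str, dport: int) -> bool:
        """Would the NAT pass this inbound packet to an internal host?"""
        return any(r.admits(proto, saddr, sport, daddr, dport) for r in self.rules)


# Constructed values: the desktop, one remote host (RFC 5737 test range) and the VNC port.
DESKTOP, REMOTE, VNC = "192.168.0.1", "203.0.113.10", 5900


def torrent_peer_cannot_reach_vnc() -> bool:
    """Strict NAT, no helper: a peer the desktop talked to on another port gets no path to 5900."""
    nat = Nat(strict=True)
    nat.outbound("tcp", DESKTOP, 40123, REMOTE, 6881)
    return not nat.inbound_allowed("tcp", REMOTE, 4623, DESKTOP, VNC)


def full_cone_lets_strangers_in() -> bool:
    """Liberal NAT: once 40123 is mapped for one peer, an unrelated host can send to it."""
    nat = Nat(strict=False)
    nat.outbound("udp", DESKTOP, 40123, REMOTE, 6881)
    return nat.inbound_allowed("udp", "198.51.100.7", 9999, DESKTOP, 40123)


def helper_rejects_foreign_address() -> bool:
    """A PORT line naming a different internal host fails the address check."""
    nat = Nat(strict=True, ftp_helper=True)
    nat.outbound("tcp", DESKTOP, 40124, REMOTE, 21)
    return nat.inspect_control_channel(DESKTOP, REMOTE, 21, "PORT 192,168,0,2,23,12") is None


def helper_opens_vnc_port() -> bool:
    """A PORT line naming the desktop itself and 5900 (23*256 + 12) passes every check,
    so the remote side may now connect to the VNC listener through the NAT."""
    nat = Nat(strict=True, ftp_helper=True)
    nat.outbound("tcp", DESKTOP, 40124, REMOTE, 21)
    rule = nat.inspect_control_channel(DESKTOP, REMOTE, 21, "PORT 192,168,0,1,23,12\r\n")
    return rule is not None and nat.inbound_allowed("tcp", REMOTE, 20, DESKTOP, VNC)
```

    The last scenario is why the thread's conclusion holds: even a helper that validates everything it parses still lets a program on the inside expose a listening port of its own choosing, so the practical fix is to disable the helper or put a real filter in front of it.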


  15. Re: How did they get past my NAT?

    Leythos wrote:
    > In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
    > DOT paulus AT skynet DOT be"> says...
    >> Leythos wrote:
    >>> In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
    >>> maniaque27@gmail.com says...
    >>>> not true. the WRT54G can block outgoing connections based on any
    >>>> number of specified parameters, and then it has all those extra fancy
    >>>> features that I don't understand
    >>> it's a NAT device that can block outbound ports - it has no clue what
    >>> those ports are and doesn't know the difference between HTTP and SMTP
    >>> except that they use different ports.
    >>>

    >> just some questions with as goal to learn more
    >>
    >> so you call a firewall something with complex heuristics ?
    >> really does iptables provide more than filtering between protocol, port
    >> and state information, and do people actually use it. Because in essence
    >> iirc
    >> a nat router does the same it opens up a connection if somebody on the
    >> inside requests it
    >> and after that allows the connection until it's broken down (FIN or RST)
    >> do i have a point here or not ?

    >
    > Does the device, in the standard/default mode, block traffic in both
    > directions?


    No, OK, you got me here, it only does this for INBOUND traffic, but I myself
    don't block outbound traffic on my box (Slackware) either,
    because I consider myself knowledgeable enough to be trusted.

    > Does the device know the difference between HTTP and SMTP or only TCP 80
    > and TCP 25?
    >
    > Does the device understand being attacked and auto-block sources of
    > attacks or unauthorized traffic?
    >
    > Does the device use NAT or can it be setup with rules without using NAT?
    > If it forces NAT then I don't consider it a firewall unless it can do
    > all the others - since MOST of the devices that force NAT are
    > residential device (yea, not all inclusive, but you should get the idea
    > without us going off the deep end).
    >
    >
    >

    Do you consider netfilter to be a firewall (well, in essence it's a
    stateful packet filter)? Because IIRC there is no SMTP or HTTP netfilter
    module, and it does its filtering mostly on the data link and transport
    protocols' headers, like most firewalls do. It would be very costly,
    performance-wise, to implement application protocol filters into
    firewalls, and I've yet to see one that does, also implementing complex
    heuristics, because let's face it: the higher you go up in the TCP/IP
    stack, the more complex the headers and payload become, the more bugs
    you'll get in the code that does the heuristics --> the more flaws there
    are to be exploited!

  16. Re: How did they get past my NAT?

    Sebastian G. wrote:
    > goarilla wrote:
    >
    >
    >>> Simply ask for it? Wait until it comes up?

    >>
    >> huh ? what do you mean keep sending SYN packets to a certain port and
    >> wait until the connection is established ?

    >
    >
    > Exactly. Of course, the cause of such a forwarding rule appearing in the
    > NAT state table might be highly unrelated.
    >
    >>> What about implicit forwarding, for example by protocol helper
    >>> implementations?

    >>
    >> are you talking about UPnP ?

    >
    >
    > No, this would be rather straightforward. I'm talking about application
    > layer protocol engines that inspect the traffic and setup proper rules.
    > For example, if the implementation sees traffic like "PORT
    > 192,168,0,1,47,11", it might believe that it's part of an Active FTP
    > session setup and might add an appropriate rule for the reply.
    > Or if it sees a TCP connection to some server on port 4661 (eDonkey P2P
    > protocol), it might decide to permanently forward 4662/TCP and 4665/UDP
    > to that client, without even checking for the actual protocol.
    > Even worse, what about connections to 1119/TCP? Very likely that it's a
    > computer game using Battle.net Online service, so better forward
    > 5000-10000/TCP to that client... oh, and there the VNC server goes.

    that would be a ****ty NAT router/gateway !

  17. Re: How did they get past my NAT?

    On Oct 11, 5:02 pm, "Sebastian G." wrote:
    >
    > No, this would be rather straightforward. I'm talking about application
    > layer protocol engines that inspect the traffic and setup proper rules. For
    > example, if the implementation sees traffic like "PORT 192,168,0,1,47,11",
    > it might believe that it's part of an Active FTP session setup and might add
    > an appropriate rule for the reply.
    > Or if it sees a TCP connection to some server on port 4661 (eDonkey P2P
    > protocol), it might decide to permanently forward 4662/TCP and 4665/UDP to
    > that client, without even checking for the actual protocol.
    > Even worse, what about connections to 1119/TCP? Very likely that it's a
    > computer game using Battle.net Online service, so better forward
    > 5000-10000/TCP to that client... oh, and there the VNC server goes.



    > NAT/NAPT is a mechanism to provide connectivity. Preventing incoming
    > connections might be a particularly useless side effect, depending on the
    > implementation. It has nothing to do with security.



    OK, so I guess my source of confusion is with regards to "Intended
    Purpose" vs "Effect". A completely basic Symmetrical NAT effectively
    does the same basic thing a basic firewall will often be used to do -
    prevent unintended inbound traffic, allow outbound traffic, optionally
    allow inbound traffic on specified ports to a specified server.
    However, the "Intended Purpose" of a NAT is actually to allow multiple
    machines behind a network to coexist using one public IP address;
    beyond the most basic symmetric NAT features, any additional features
    (heuristic detection of traffic intention, protocol helpers,
    "full-cone" or "restricted cone" functionality, etc) will take you
    further and further from the "safety" I assumed. By contrast, while the
    most basic firewall in the most common configuration may basically be
    doing the same thing as the most basic NAT I described, the more
    sophisticated the firewall gets, the better it gets at enhancing said
    "safety", e.g. allowing the Active FTP Data connection only on the
    condition that the traffic from the remote server is made up of valid
    FTP data... does this sound like a reasonable summary of the
    distinction? This basically means that ANY home router that implements
    anything other than the most basic symmetric NAT with no extra
    features should also contain a firewall, turned on by default, to
    limit the exposure to the internet, because every additional "helper"
    feature in the NAT makes the network behind it a little more public /
    exposed.

    Thanks for the clarification - I'm still ridiculously happy to have
    found the actual (or significantly most likely) cause of the other
    day's debacle and to be able to address it easily.

    Thanks,
    Tao



  18. Re: How did they get past my NAT?

    Leythos writes:

    > In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
    > DOT paulus AT skynet DOT be"> says...
    > > Leythos wrote:
    > > > In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
    > > > maniaque27@gmail.com says...
    > > >> not true. the WRT54G can block outgoing connections based on any
    > > >> number of specified parameters, and then it has all those extra fancy
    > > >> features that I don't understand
    > > >
    > > > it's a NAT device that can block outbound ports - it has no clue what
    > > > those ports are and doesn't know the difference between HTTP and SMTP
    > > > except that they use different ports.
    > > >

    > >
    > > just some questions with as goal to learn more
    > >
    > > so you call a firewall something with complex heuristics ?
    > > really does iptables provide more than filtering between protocol, port
    > > and state information, and do people actually use it. Because in essence
    > > iirc
    > > a nat router does the same it opens up a connection if somebody on the
    > > inside requests it
    > > and after that allows the connection until it's broken down (FIN or RST)
    > > do i have a point here or not ?

    >
    > Does the device, in the standard/default mode, block traffic in both
    > directions?


    A cat5 cable cut in half does. Is it a firewall?

    > Does the device know the difference between HTTP and SMTP or only
    > TCP 80 and TCP 25?


    Firewalls in the traditional definition never did, were they not
    firewalls? Application-level protocol recognition is only recently on
    the scene, yet we've had things people called "firewalls" existing for
    quite a while before that. I'd hate to think I didn't get the memo
    about someone changing the definition of "firewall" with the
    International Standards Organization.

    > Does the device understand being attacked and auto-block sources of
    > attacks or unauthorized traffic?


    So when did the definition of "firewall" start requiring it to also
    fit the definition of "network intrusion prevention device" or
    "network intrusion detection device?"

    Just curious.

    > Does the device use NAT or can it be setup with rules without using NAT?
    > If it forces NAT then I don't consider it a firewall unless it can do
    > all the others - since MOST of the devices that force NAT are
    > residential device (yea, not all inclusive, but you should get the idea
    > without us going off the deep end).


    Ah, okay here's where we come down to brass tacks--with the use of the
    word "I."

    Some folks seem to have their own definition of a firewall that
    doesn't match the one accepted over the course of a lot of networking
    history, including the present. This view categorically rejects those
    devices which don't fit a personally crafted unique definition of
    "firewalls."

    Unfortunately, it's pedantic and pointless. But then again, so is
    much of the banter by the more abusive posters here. To protect their
    identity, we won't mention Leythos and Sebastian by name.

    Now, that's not to say there isn't something to learn about the range
    of functionality one might want to consider in their border protection
    in the narrow definition such folks try to paint, but being so prickly
    about what to call a "firewall" and what to call a "NAT router" is
    just a freakin waste of time. Better to say "corporate grade border
    security appliance", which has built into it the obvious fact that the
    functionality and features of corporate grade hardware exceed that of
    $70 Linksys gear popular among home and small office users.

    And let's not forget that there was a time not very long ago when the
    functionality packed into your garden variety wrt54g (particularly one
    packing the functionality of third party firmware) took a HELL of a lot
    of much more expensive hardware and was certainly considered a
    "firewall." And still is, for that matter.

    Those with what I'll call this "modern purist" view may be shocked to
    see the breadth of definitions for our friend the firewall that are in
    existence that cast a much bigger net than his own:
    http://www.google.com/search?q=define%3Afirewall

    We now return you to your regularly scheduled semantic argument.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  19. Re: How did they get past my NAT?

    Maniaque wrote:
    >> > - I do not have the firewall enabled on the router, because I assumed
    >> > the NAT basically made it safe.


    > On Oct 11, 8:48 am, Chris Davies wrote:
    >> NAT will inherently block all externally originated inbound traffic with
    >> the exception of those ports that you have selected for port forwarding.
    >> On that understanding it makes for an adequate external facing firewall.
    >> It is not a good substitute for a proper thought-out policy and
    >> implementation, though.
    >>


    > hmm, subtle dig?


    Not at you.


    > right, but would it show up logged with the public IP address in my
    > event log? That's what I'm surprised by - the VNC client / attacker
    > did not look like it was coming from some local address that was being
    > tunneled by some local proxy or malware - it was logged as a public
    > internet address - does that not mean that it had to go through my
    > regular NIC? Or are you saying that the malware would have set up its
    > own routing rules in windows to forward traffic for that specific IP
    > to itself instead of my regular NIC - to do that, would it not need to
    > show up in some device list in windows? Sorry, my lack of knowledge
    > about OS-level networking in windows is clear here.


    Don't know.


    > Woah, now there's an interesting bit of news! Based on the diagram at
    > this wikipedia article, it looks like the only types of NAT that would
    > fit my assumptions, and consequently be "as safe as I expected", would
    > be a "Symmetric" NAT and a "Restricted Port" NAT?


    > http://en.wikipedia.org/wiki/STUN


    My GV-based box does Symmetric NAT, with port preservation whenever
    possible.

    Chris

  20. Re: How did they get past my NAT?

    On Wed, 10 Oct 2007 10:41:21 +0000, Maniaque wrote:

    > [this is a repost, I also sent to alt.computer.security]
    > ------>SNIP<----------------------
    >
    > My question is how the attacker got to my VNC port!
    >
    > Here's all the background I can muster:
    > ------------>SNIP<-------------
    > - I have certain very specific ports forwarded to my desktop for
    > remote access, peer-to-peer connectivity, etc. \
    >
    >------------->SNIP<-----------------
    > Thanks,
    > Tao


    My personal guess:
    The "visitor" came over one of the open ports.
    Especially "remote access" sounds "inviting"!
    Peer-to-peer is another possibility.

    I would open those ports only when needed.
    (And only for that time)
    (And only for one IP-Address)

    Just my 2 cents

    Rudy

