
Thread: computers behind routers/modems

  1. #21
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    arthurking ,

    I don't blame you for getting confused with all the feedback you got.
    It seems like everyone including myself went off tangent a bit.

    Let me try and keep it simple..
    A few things you need to understand:

    1) If your router is blocking all ports (all ports closed on your router)
    it does not mean your router is blocking connections to your PC..
    It only means your router is blocking connections to itself..

    2) Look at following diagram:
    And see the difference between PAT and NAT
    (I didn't include the default gateway of the PC, because it's irrelevant to the discussion)

    [inside]-----------------------------------[outside]

    ||pc||------------------------||Router||--------------------------|||Internet|||

    a.b.c.d -------------------------------------e.f.g.h
    (private address)------------------------(public address)

    This is what happens with NAT:
    When your PC goes out w/src a.b.c.d the src is changed by the router to e.f.g.h
    and when requests come in from the Internet to dst e.f.g.h,
    the router forwards to a.b.c.d.. (a static translation always exists on the router,
    whether you initiate connections from inside or not)

    This is what happens with PAT:
    When your PC goes out w/src a.b.c.d the src is also changed by the router to e.f.g.h,
    however it does so dynamically on an as-needed basis.. meaning the router does a translation
    only and only when the PC initiates a connection.. when the PC terminates the connection
    the router terminates the translation.

    This is very important to understand because now if someone tries to initiate a connection from the Internet to e.f.g.h, requests go directly to your router and only your router... because you did not initiate a connection from the inside for a translation table to exist..

    In summary:
    If your router is doing a PAT, no one can scan your PC directly because
    a) your router does not have a translation table to forward requests to your PC and
    b) you are most likely using a private address that is non-routable on the Internet

    If your router is doing a NAT:
    a) all requests destined to the public address( scans/hacks/trusted..etc) always
    get forwarded to your PC.

    Also remember, closing ports on your router has nothing whatsoever to do
    with closing ports on or protecting your PC; it does not mean you are performing
    any filtering on your router, it only means your router is blocking connections to
    itself....


    Hope this helps, and I promised myself this will be my last response on this subject,,lol

    good luck
    cheers

  2. #22
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    http://www.cisco.com/en/US/tech/tk64...800e523b.shtml

    That's a pretty good comparison between NAT and PAT.

    and btw...
    If your router is doing a NAT:
    a) all requests destined to the public address( scans/hacks/trusted..etc) always
    get forwarded to your PC.
    that depends on the setup of your NAT. A NAT can have 10,000 machines behind 1 NAT router and that router is not going to forward the packets to every machine behind the router. As a matter of fact, unless you specifically tell the router to send the packets on, the router will drop connections that are initiated from outside the network.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  3. #23
    Junior Member
    Join Date
    May 2003
    Posts
    10
    gunit, that's starting to make sense the way you've described it, and that's why I got a software firewall running on my PCs too.

    souleman, that's what the router is saying it's doing, when I view the logs.

    I've read that if I have ports open on a PC, I can set the router to forward connections to that port number to a virtual machine that doesn't really exist. So if I have 2 PCs at addresses a.b.c.d and a.b.c.e, I can set the router to forward port 113 to a non-existent PC @ a.b.d.z, and this will drop the connection because no PC at that address exists on my network. This had something to do with ident running on Linux which I sorted using a firewall anyhow.

    OK thanks for all the info.

  4. #24
    Junior Member
    Join Date
    Jan 2002
    Posts
    18
    wow, the responses you guys gave are great! I have not posted here in a while and it's nice to see some intelligent conversation. I am still a little confused as to how intruders break through firewalls or routers to attack internal machines but now I have some info to check up on to help me learn. I just want to say thanks.

    MidNyte

  5. #25
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    This is such a large topic I will only say a few things, first off some protocols are portless and therefore cannot be blocked by ports, also your IP can be found out even if you are using NAT/PAT it's just tricky, sometimes the original packet is just "wrapped" (often times the source app will leave no-no's in here) in a new packet and payload inspection can reveal internal architecture. Because NAT/PAT uses original source IP and Port to create routing tables this can make identifying how many hosts are behind the NAT/PATer if traffic can be sniffed at the router (once again this only applies to protocols with ports, for portless protocols PAT/NAT can be messy). There is also DNS information to be considered as well as router quality and vulnerabilities. Also routers not configured to drop incoming packets from reserved address space are vulnerable to spoofing which can sometimes yield results although it is fairly difficult. Also the MAC address is mapped to an IP using ARP and other tables which can be poisoned or manipulated to "steal" or obtain an IP on the internal network (man in the middle attacks use this frequently) and many devices also allow MAC address cloning (aka they will set themselves to any MAC you like, so you CANNOT guarantee uniqueness). So, just because you are filtering TCP/UDP does not mean other methods or protocols cannot be used for information gathering and although it is a good start it is far from foolproof or un-hackable.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  6. #26
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    I know I promised not to say too much more on the subject, however, since I don't have a life I wanted to comment a bit on Maestr0's response... Here goes... Sorry for the long response, I wanted to break it up a bit and be specific..


    YOUR COMMENT:
    “This is such a large topic I will only say a few things, first off some protocols are portless and therefore cannot be blocked by ports”

    MY RESPONSE:
    You are right, not all applications use TCP or UDP (protocols 6 and 17) and are associated with a port number. Some applications use other protocol numbers and work on layer 3 of the OSI model.
    (an example is Cisco’s proprietary IGRP (interior gateway routing protocol/protocol 9), but there are others that are part of the TCP/IP suite..)

    Let us examine the IP header
    Courtesy of RFC 790: (www.ietf.org) This RFC "might have been updated" but the point is same..

    ASSIGNED INTERNET PROTOCOL NUMBERS

    In IP there is a field called the Protocol field, which is an 8 bit field that corresponds to a particular application. The 8 bits give us 256 different possible protocol numbers that may correspond to an application.

    Assigned Internet Protocol Numbers

    0 and 255 are reserved,
    2,8,21-62,66-68,70,72-75 and 80-254 are unassigned..
    1 is ICMP
    3 is Gateway-to-Gateway
    4 is CMCC Gateway Monitoring Message
    5 is ST
    6 is TCP
    7 is UCL
    9 is Secure
    10 is BBN RCC Monitoring
    11 is NVP
    12 is PUP
    13 is Pluribus
    14 is Telenet
    15 is XNET
    16 is Chaos
    17 is UDP
    18 is Multiplexing
    19 is DCN
    20 is TAC Monitoring
    63 is any local network
    64 is SATNET and Backroom EXPAK
    65 is MIT Subnet Support
    69 is SATNET Monitoring
    71 is Internet Packet Core Utility
    76 is Backroom SATNET Monitoring
    78 is WIDEBAND Monitoring
    79 is WIDEBAND EXPAK

    If any of those protocols/applications other than ICMP, TCP and UDP are turned on in the TCP/IP stack of the Linksys router, then yes, there lies a vulnerability….


    YOUR COMMENT:
    “also your IP can be found out even if you are using NAT/PAT its just tricky, sometimes the oringinal packet is just "wrapped" in a new packet and payload inspection can reveal internal architecture”

    MY RESPONSE:
    If you are referring to the internal private IP that is natted or patted being somehow encapsulated in the data field, then your statement is incorrect. There is no such thing. The translation table remains in the router.. You might be referring to VPN here, where the original IP header is encapsulated and tunneled through, not NAT or PAT,,,


    YOUR COMMENT:
    “Because NAT/PAT uses original source IP and Port to create routing tables this can make identifing how many hosts are behind the NAT/PATer if traffic can be sniffed at the router (once again this only applies to protocols with ports, for portless prototcols PAT/NAT can be messy)”

    MY RESPONSE:
    Routing tables have nothing to do with NAT or PAT and have nothing to do with Port numbers.. Routing tables are created by the router through the process of acknowledging its interfaces are in an up state and through running some type of routing protocol (either static or dynamic).


    YOUR COMMENT:
    “There is also DNS information to be considered as well as router quality and vulnerabilities.”

    MY RESPONSE:
    You lost me on this one ??????????


    YOUR COMMENT:
    “Also routers not configured to drop incoming packets from reserved address space are vulnerable to spoofing which can sometimes yield results although it is fairly difficult”

    MY RESPONSE:
    Yes you are right, this can happen. Vendors of “real” routers can stop this by turning off what they refer to as “IP source route”

    YOUR COMMENT:
    “Also the MAC address is mapped to an IP using ARP and other tables which can be posioned or manipulated to "steal" or obtain an IP on the internal network(man in tha middle attacks use this frequently)”

    MY RESPONSE:
    I don’t follow you here either... Data link connections are established locally... Any MAC on the internal LAN stays within the internal LAN. The MAC of an internal user will never be seen behind a router.

    YOUR COMMENT:
    “and many devices also allow MAC address cloning (aka they will set themeselves to any MAC you like, so you CANNOT gaurantee uniqueness)”

    MY RESPONSE:
    I don’t see how cloning a MAC is relevant to the discussion of identifying an internal PC’s IP address.. especially since the internal PC's MAC stays internal and is not revealed to the external/outside LAN…


    Cheers..

  7. #27
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    gunit007,

    I had not intended originally to go into detail but rather mention a few possibilities in response to the original question, however since you have brought up some good points I will respond:

    YOUR COMMENT:
    “also your IP can be found out even if you are using NAT/PAT its just tricky, sometimes the oringinal packet is just "wrapped" in a new packet and payload inspection can reveal internal architecture”

    MY RESPONSE:
    If you are referring to the internal private IP that is natted or patted being somehow encapsulated in the data field, then your statement is incorrect. There is no such thing. The translation table remains in the router.. You might be referring to VPN here, where the original IP header is encapsulated and tunneled through, not NAT or PAT,,,

    - On the contrary the statement is entirely correct. Sometimes a particular protocol is encapsulated in order to function properly with NAT. One example of this is UDP encapsulation for IKE/IPsec, granted this traffic is encrypted but that is not my point, other software has used similar approaches to cope with problems with NAT.
    see http://www.ietf.org/internet-drafts/...-encaps-06.txt
    You will also note in my statement this information leak can also be in the form of data about the originating host leaked by the source application and will be in the payload, also the number of hosts is possible to guess by analyzing the traffic.
    see http://www.sflow.org/detectNAT/
    http://www.research.att.com/~smb/papers/fnat.pdf

    YOUR COMMENT
    “Because NAT/PAT uses original source IP and Port to create routing tables this can make identifing how many hosts are behind the NAT/PATer if traffic can be sniffed at the router (once again this only applies to protocols with ports, for portless prototcols PAT/NAT can be messy)”

    MY RESPONSE:
    Routing tables have nothing to do with NAT or PAT and have nothing to do with Port numbers.. Routing tables are created by the router through the process of acknowledging its interfaces are in an up state and through running some type of routing protocol (either static or dynamic).

    - Once again the statement is correct although I can possibly see that I misused routing table instead of port mapping table (I will point out you refer to it as a translation table so... I believe we're even on that one. ) but as I said it wasn't meant to be a technical essay but I concede that point. As far as the notion that it does not have to do with port numbers, well I'm not sure how you think NAT works without tables or ports because that's exactly how it works.
    see http://www.internet-sharing.com/nat_...perations.html

    YOUR COMMENT:
    “There is also DNS information to be considered as well as router quality and vulnerabilities.”

    - The point is your hosts are not particularly hidden if your DNS server (often located outside a router or firewall) allows me to do a zone transfer or have free rein on the entries, a compromised DNS server will lead to a compromised network. As to the second half, improper handling of crafted packets by routers or routers which fail open etc, etc, etc. Owned routers also lead to owned networks.

    YOUR COMMENT:
    “Also the MAC address is mapped to an IP using ARP and other tables which can be posioned or manipulated to "steal" or obtain an IP on the internal network(man in tha middle attacks use this frequently)”

    MY RESPONSE:
    I don’t follow you here either... Data link connections are established locally... Any MAC on the internal LAN stays within the internal LAN. The MAC of an internal user will never be seen behind a router.

    -Although it requires a machine with an interface on the LAN, the amount of trouble which can be caused here is immense. Since most 802.11 devices act as MAC bridges I think this is a very real threat, also a compromised DNS machine or anything in a DMZ would do nicely to abuse ARP.
    see http://www.watchguard.com/infocenter...ial/135324.asp
    see http://www.securityfocus.com/bid/3460/discussion/


    and lastly, no I admit MAC cloning is not particularly related only that I saw someone comment on them being unique, I merely stated you cannot rely on that.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  8. #28
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    Maestr0,

    THE PAPERS
    http://www.sflow.org/detectNAT/ and http://www.research.att.com/~smb/papers/fnat.pdf
    say nothing about determining the IP of the natted or patted address. They merely talk about determining whether a router is performing NAT or PAT and determining the number of hosts that may be natted or patted.
    (unless I’ve missed something, if I did I apologize)

    However, with all due respect, what is your point here? We do not need a white paper to tell us that the average Internet user is natting or patting his/her IP. That’s a given…. I didn’t think this was relevant to the topic of discussion. (maybe I was wrong?)
    --------------------------------------------------------------------------------------------------------------------------------------
    THE PAPER:
    http://www.ietf.org/internet-drafts/...-encaps-06.txt talks about UDP Encapsulation of IPsec Packets.

    I'm not going to touch that… I’ve stated before if you are doing VPN/some type of encryption then of course this is the case..

    We were talking about strictly using NAT or PAT. Give me an example of an application that someone can be using over the Internet and that encapsulates his RFC1918/internal private address in data field through PAT or NAT.
    ---------------------------------------------------------------------------------------------------------------------------------------
    WITH REGARDS TO YOUR COMMENT:
    ” Once again the statement is correct although I can possibly see that I misused routing table instead of port mapping table (I will point out you refer to it as a translation table so... I believe we're even on that one. ) but as I said it wasn't meant to be a technical essay but I concede that point. As far as the notion that it does not have to do with port numbers, well I'm not sure how you think NAT works without tables or ports because that's exactly how it works.
    see http://www.internet-sharing.com/nat....ations.html”

    MY RESPONSE TO YOU IS THIS:
    Let us for a moment forget about using the Terms PAT and NAT and review together what the router can do for concealing addresses.

    1. A router can statically perform a one to one translation where a certain number of public addresses are statically assigned to a same number of private addresses (predefined).
    2. A router can dynamically perform a one to one translation (1st come 1st serve) where the total number of available public addresses equals the total number of private addresses.
    3. A router can perform many to one translation and this is done dynamically of course using 1 public address along with random port numbers.
    4. A router can do the same as stated in 2) however should the total number of private addresses exceed the total number of available public addresses, then the router will perform the translation using random port numbers along with the last available public address.

    Although what we call the different methods doesn’t matter as everyone seems to have their own definition, I will however share mine.
    1) I refer to as static NAT
    2) I refer to as dynamic NAT
    3) I refer to as PAT (aka NAT over-loading)
    4) I refer to as static NAT with over-loading feature

    Now with all that said, the only thing that can be exposed to outside/external LAN after translation occurs are the random port numbers when performing PAT or NAT overloading. This again just provides what your first paper outlined. (Internal address is still concealed)
    ---------------------------------------------------------------------------------------------------------------------------------------

    WITH REGARDS TO YOUR COMMENT:
    “The point is your hosts are not particularly hidden if your DNS server (often located outside a router or firewall) allows me to do a zone transfer or have free reign on the entries, a compromised DNS server will lead to a compromised network. As to the second half improper handling of crafted packets by routers or routers which fail open etc,etc,etc. Owned routers also lead to owned networks”

    MY RESPONSE TO YOU IS THIS:
    You are right, if you compromise the ISP's DNS server, then of course there exist vulnerabilities, just as if you compromise an ISP's router you can have similar vulnerabilities..

    ---------------------------------------------------------------------------------------------------------------------------------------
    WITH REGARDS TO YOUR COMMENT:

    “Although it requires a machine with an interface on the LAN, the amount of trouble which can be caused here is immense. Since most 802.11 devices act as MAC bridges I think this is a very real threat, also a compromised DNS machine or anything in a DMZ would do nicely to abuse ARP.
    see http://www.watchguard.com/infocente...rial/135324.asp
    see http://www.securityfocus.com/bid/3460/discussion/”


    MY RESPONSE TO YOU IS THIS:
    As you stated, it requires a machine with an interface on the LAN.


    Cheers.

    P.S
    I hope no one, including yourself, Maestr0, takes any of this feedback in a negative way.. I do appreciate all the feedback I get myself (positive or negative). My only objective is really to just gain knowledge. Greenies/positive pts/negative pts/newbie status/senior status/etc… It's all great, but it's just the knowledge I’m interested in. I appreciate constructive criticisms as well as being able to dish it out. I think it only betters us all as long as it's done in good taste.
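    The translation-table behaviour argued over in posts #21 and #28 (a static one-to-one binding forwards whatever arrives for the public address; a PAT binding exists only while the inside PC has a flow open and is torn down when the PC closes it) and the "portless protocol" case raised in posts #25 and #26 can be watched in a small model. What follows is an added example written for this page, not code from the thread or from any router vendor: the Translator class, its mode numbering (taken from gunit007's list 1 to 4 in post #28), the sequential stand-in for "random" ports, and the 10.0.0.x private, 203.0.113.5 public and 198.51.100.9 remote addresses are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional

TCP, UDP = 6, 17  # IP protocol numbers, as in the RFC 790 list quoted in post #26


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for a portless protocol (e.g. protocol 9)
    dport: Optional[int] = None


class Translator:
    """Toy translation table for one router (constructed model, not vendor code).
    Modes follow post #28: 1 = static one-to-one, 2 = dynamic one-to-one (first
    come, first served), 3 = PAT / NAT overloading on one public address,
    4 = dynamic one-to-one that overloads the last public address once the pool is empty."""

    def __init__(self, mode: int, public_pool: list, static_map: Optional[dict] = None):
        self.mode = mode
        self.pool = list(public_pool)        # public addresses not yet handed out
        self.overload_ip = public_pool[-1]   # address used for port-based bindings
        # private -> public one-to-one bindings; mode 1 is pre-populated and permanent
        self.addr_map = dict(static_map or {}) if mode == 1 else {}
        self.port_out, self.port_in = {}, {}  # (ip, port) <-> (ip, port) bindings
        self.next_port = count(1024)         # sequential stands in for "random" ports

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the inside: as seen on the Internet, or None if dropped."""
        if self.mode == 1:
            pub = self.addr_map.get(pkt.src)
            return replace(pkt, src=pub) if pub else None
        if self.mode in (2, 4):
            pub = self.addr_map.get(pkt.src)
            if pub is None and self.pool:
                pub = self.pool.pop(0)
                self.addr_map[pkt.src] = pub
            if pub is not None:
                return replace(pkt, src=pub)
            if self.mode == 2:
                return None                  # pool exhausted: dynamic NAT drops the flow
        return self._overload(pkt)           # mode 3, or mode 4 once the pool is gone

    def _overload(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in (TCP, UDP) or pkt.sport is None:
            return None                      # nothing to bind on: the "portless" case
        key = (pkt.src, pkt.sport)
        if key not in self.port_out:         # a binding is created only by inside initiation
            binding = (self.overload_ip, next(self.next_port))
            self.port_out[key] = binding
            self.port_in[binding] = key
        pub_ip, pub_port = self.port_out[key]
        return replace(pkt, src=pub_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the Internet: as delivered inside, or None if it ends at the router."""
        hit = self.port_in.get((pkt.dst, pkt.dport))
        if hit:                              # reply to a flow the inside host opened
            return replace(pkt, dst=hit[0], dport=hit[1])
        for priv, pub in self.addr_map.items():
            if pub == pkt.dst:               # one-to-one binding forwards, solicited or not
                return replace(pkt, dst=priv)
        return None

    def close(self, pkt: Packet) -> None:
        """Inside host ended its flow: PAT tears the binding down (post #21)."""
        binding = self.port_out.pop((pkt.src, pkt.sport), None)
        if binding:
            self.port_in.pop(binding, None)


def demo() -> dict:
    """Send the same unsolicited probe (dst port 113, as in post #23) to each mode."""
    pc, other = "10.0.0.2", "10.0.0.3"      # constructed private addresses (a.b.c.d)
    pub = ["203.0.113.5"]                    # constructed public address (e.f.g.h)
    remote = "198.51.100.9"                  # constructed Internet host
    probe = Packet(remote, pub[0], TCP, 40000, 113)
    r = {}
    static = Translator(1, pub, {pc: pub[0]})
    r["static_unsolicited"] = static.inbound(probe)          # forwarded to the PC
    pat = Translator(3, pub)
    r["pat_unsolicited"] = pat.inbound(probe)                # None: stops at the router
    flow = Packet(pc, remote, TCP, 5555, 80)
    out = pat.outbound(flow)
    r["pat_reply"] = pat.inbound(Packet(remote, out.src, TCP, 80, out.sport))
    pat.close(flow)
    r["pat_after_close"] = pat.inbound(Packet(remote, out.src, TCP, 80, out.sport))
    r["pat_portless"] = pat.outbound(Packet(pc, remote, 9))  # protocol 9: no port to map
    dyn = Translator(2, pub)
    dyn.outbound(flow)
    r["dynamic_exhausted"] = dyn.outbound(Packet(other, remote, TCP, 5556, 80))
    over = Translator(4, pub)
    over.outbound(flow)
    r["overload_fallback"] = over.outbound(Packet(other, remote, TCP, 5556, 80))
    return r
```

    Calling demo() shows which probes reach an inside host: only the static one-to-one mode forwards the unsolicited packet to the PC; PAT delivers only the reply to the flow the PC opened and drops the same reply once close() has removed the binding; the second host behind an exhausted dynamic pool is dropped in mode 2 but gets a port binding on the last public address in mode 4. The portless case (protocol 9) is simply dropped here, which is a simplification: real devices special-case ICMP on its identifier field and handle other portless protocols, if at all, through protocol-specific helpers.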

  9. #29
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    "hope no one, including yourself, Maestr0, takes any of this feedback in a negative way.. I do appreciate all the feedback I get myself (positive or negative). My only objective is really to just gain knowledge. Greenies/positive pts/negative pts/newbie status/senior status/etc… It's all great, but it's just the knowledge I’m interested in. I appreciate constructive criticisms as well as being able to dish it out. I think it only betters us all as long as it's done in good taste."

    I agree 100%, I would not have responded if I had not thought your post to be fairly written and contain a number of good points.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
