Port-based protection gets pwned

A neat and clever hack has undermined long held assumptions about the network security protections offered by properly configured routers and firewalls.

The technique, dubbed ‘NAT Slipstreaming’, allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing a victim’s network address translation (NAT) or firewall security controls in the process – providing a victim is first tricked into visiting a site under the would-be hacker’s control.

Network address translation remaps an IP address space for traffic passing through a networking device. The technique proved very useful in conserving address space and thereby forestalling IPv4 address exhaustion, but it also has some security benefits that NAT Slipstreaming runs all over.

This JavaScript-based attack, developed by security researcher Samy Kamkar, only works if the targeted NAT/firewall support Application Level Gateways (ALG), a technology needed to support protocols that require multiple ports (control channel and data channel) to work such as VoIP protocols such as SIP and H323, file transfer protocol (FTP), and more.

Caught in the Slipstream

The NAT Slipstream attack – a new packet injection technique that works across all major modern browsers – takes advantage of arbitrary control of the data portion of some TCP and UDP packets without reference to HTTP or other headers, Kamkar explains in detailed technical blog post:

NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse.

As it’s the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions.

Put more simply, NAT Slipstreaming exploits a a flaw in how some routers implement ALG that allows NAT to be bypassed.

Kamkar told The Daily Swig that fixing the security shortcomings laid bare by his research may be a challenge.

“Routers can disable ALG but this makes them less convenient (VoIP phones stop working). The SIP ALG can be improved, but SIP was just one example, [and] other ALGs expose this,” Kamkar said during an exchange on Twitter.

“Browsers can block port 5060, but I don't think that's the end of it. This area is a bit of whack-a-mole,” he added.

Even the “vulnerabilities” at play are tricky to define and perhaps better described as “security shortcomings”.

Kamkar explained: “Everything is working to spec; it's simply the combination of various protocols and features that can have complex interactions when chained together.”


RELATED HTTP/3: Everything you always wanted to know about the next-generation web protocol