I always thought NAT was some kind of a security feature and I still think it is, because if it didn't existed the internet, respectively the clients behind NATs, would be even more insecure, since for example port 445 would be directly open to everyone scanning clients etc.
But there seem to be some attacks, in which all the attacker needs to know is the WAN IP address.
Which?
There are some good lists of security issues here already. However I have not seen anyone mention NAT Pinning yet.
Quoted from Samy Kamkar's site on how NAT pinning work:
- Attacker lures victim to a URL by convincing them that there are pictures of cute kittens on the page.
- Victim clicks on URL and opens the page.
- The page has a hidden form connecting to http://attacker.com:6667 (IRC port).
- The client (victim) submits the form without knowing. An HTTP connection is created to the (fake) IRC server.
- The fake IRC server, run by the attacker, simply listens, unlike me according to former girlfriends.
- The form also has a hidden value that sends: "PRIVMSG samy :\1DCC CHAT samy [ip in decimal] [port]\1\n"
- Your router, doing you a favor, sees an "IRC connection" (even though your client is speaking in HTTP) and an attempt at a "DCC chat". DCC chats require opening a local port on the client for the remote chatter to connect back to you.
- Since the router is blocking all inbound connections, it decides to forward any traffic to the port in the "DCC chat" back to you to allow NAT traversal for the friendly attacker to connect back and "chat" with you. However, the attacker specified the port to be, for example, port 21 (FTP). The router port forwards 21 back to the victim's internal system. The attacker now has a clear route to connect to the victim on port 21 and launch an attack, downloading the victim's highly classified cute kitten pictures.
Assuming your home router is configured to deny all inbound connections, the easiest attacks to gain remote access to the LAN leverage the LAN itself.
Open WiFi: If the LAN is accessible via unsecured WiFi, and the router has a default password, it's trivial to log into the router and enable some inbound ports. Obviously requires physical proximity.
"Drive by pharming" -- trick a user on the LAN into running code (java applet) that logs into the router (again assuming default or easily crackable password) and enables some inbound ports.
If the attacker can MITM your web connection, he could modify pages while you surf to inject the pharming attack listed in #2 to open ports on your router.
For certain vulnerable routers: with access to your LAN -- even if you have a secure admin password configured -- an attacker can use creative hostnames when registering DHCP to poison your DNS cache or possibly inject XSS into the router's admin interface.
Again, for certain vulnerable routers: with access to your LAN an attacker may be able to sniff your authentication session to get the router password.
CSRF attacks: you visit a malicious web page that attempts CSRF to your router's admin area. (For certain vulnerable routers with the default password set, or if you are already authenticated to the router in that browser session.)
CSRF combined with authentication bypass vulnerability. Some routers have bugs in the web admin interface that process unauthenticated requests.
See this paper (web archive) for details on some of the attacks in the list above.
There may be attacks against the router's NAT that cause DoS but not remote access to the LAN. I haven't listed any of these.
NAT on home routers typically allow all outbound connections initiated by the user from the LAN. NAT is typically paired with UPnP to allow users/hosts/services to open required ports outbound as required.
Typically, there is no restriction on initiating outbound connections to make the connection as user-friendly as possible.
If you consider the following factors common to home router deployments:
An attack which exploits the way NAT works on home routers, rather than a direct attack on NAT itself, is simply a (spear)phishing attack against a user on the LAN.
Example: A packed PDF which the user is likely to click on, and subsequently executes code to call home, will be able to initiate a connection outbound allowing the attacker to utilise the reverse channel to further exploit the LAN host, as required.
Note: This comes from my experience with home routers (Billion, Linksys) running default firmware. If a home user deploys a Cisco 877 or Linksys running custom firmware, additional security controls could be applied.
If NAT is all you are using, it doesn't provide much security at all.
For example, if you have a server running on port 445 and it is NAT'ed to the Internet, an attacker doesn't really even need to know it is NAT'ed - the NAT'ing will allow them to connect to it on whatever IP and port are displayed to the Internet.
This doesn't even count as an attack on NAT - NAT is irrelevant here.
The piece that will give you security is the access control/firewalling functionality of a router. That is what will stop attackers on the Internet scanning your clients.
EDIT - it has been pointed out that home router NAT'ing does provide one-direction NAT by default, which effectively does give you a deny-all access control rule like a firewall.
Advice:
If you don't use default passwords, (have passwords with 2-upper case, 2-lower case, 4-numbers, and 4-symbols, that password will never be hacked). Then if you set the router to deny all incoming transmissions, be responsible in your internet use, and don't open suspicious e-mails you're pretty safe.
