
Because of NAT, almost all users now are accessing internet via private IPs, and that's happening whether the users are behind a simple home router, or a complex proxy server.

So, and as I understand it, we have the following:

  • In case of Bind_TCP connections, backdoors are useless to plant on victims, because we can't access directly.
  • In case of Reverse_TCP, it stays the same, we can't inject our private IP in the payload and wait for a connection on a private IP.

And even if the attacker used port forwarding on his router and injected his public IP with the payload, that will make him traceable.

So in both ways, NATing is protecting us with private IPs, is that true or am I missing something?

Edit:

My network admin is convinced that NATing via proxy is enough for protection. I know that he's wrong, but I don't know how to convince him, and the NATing is used basically to protect from outside attackers, malware from the internet, DNS spoofs, and any network-based attacks.

Eibo
  • uPNP can allow bind_tcp. reverse_tcp works fine if the attacker is not behind NAT (or uses port forwarding). Many ways to avoid being traced, e.g. prepaid SIMs, public WiFi. And there are more advanced connection methods like https and dns tunneling. – paj28 Sep 07 '16 at 07:18
  • The question talks about protection but does not specify protection against what. Current attacks are delivered by mail or web and there is no need to have direct access to the system from outside because the user "invites" the attacker from inside. And once installed the malware phones home from the inside and retrieves instructions etc. – Steffen Ullrich Sep 07 '16 at 07:41
  • My network admin is convinced that NATing via proxy is enough for protection. I know that he's wrong, but I don't know how to convince him. – Eibo Sep 07 '16 at 07:44
  • @Emadeddin: again: protection **against what**? I hope that your network admin will not assume that NAT helps against malware attached to mails or against malware delivered by USB sticks. – Steffen Ullrich Sep 07 '16 at 08:57
  • Outside attackers, malware from the internet, DNS spoofs, basically any network-based attacks. – Eibo Sep 07 '16 at 09:11
  • @Emadeddin: these details should be in the question, not in a comment. – Steffen Ullrich Sep 07 '16 at 09:18

4 Answers


My network admin is convinced that NATing via proxy is enough for protection... used basically to protect from outside attackers, malwares from internet, dns spoofs, and any network based attacks.

NAT helps to restrict access to systems inside an internal network from outside the network in that it only allows data from outside if a matching connection was initiated from inside.

But that's not what today's attacks usually are. Today the typical attacks against users inside a network use malware attached to mails or delivered when visiting web sites (i.e. malvertising, hacked web sites, fake antivirus or plugins...). In all these cases the internal user requests the data, which means that no NAT will stop it.

And once the malware gets executed, the malware connects to its outside masters to receive its commands and malicious payloads. Since these connections are initiated from the inside, NAT will not block anything either.

Steffen Ullrich

In case of Bind_TCP connections, backdoors are useless to plant on victims, because we can't access directly.

True, but they are never accessed directly. Often trojans just keep alive a TCP connection to the control server. This connection can be used to receive commands, retrieve files, etc.

In case of Reverse_TCP, it stays the same, we can't inject our private IP in the payload and wait a connection on a private IP.

We could; this then essentially becomes a tunnel.

But NAT is NOT a firewall. Many ISPs make the same mistake with their CPEs. There are numerous ways to bypass NAT, for example hole punching, UPnP or reverse connection initialization.

Don't forget this only works with IPv4. The large address space of IPv6 obsoletes the need for NAT, and thus allows direct access to the device from the internet. This may look like a problem (and to some extent it is), but IPv6 has its own benefits, like switching addresses every so many connections.

Yorick de Wid
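The two answers above make the same point: NAT only drops inbound packets that match no entry in its translation table, and a connection opened from inside creates exactly such an entry. The following is an added, constructed model of a port-address-translation table (not code from the thread); the addresses, the public IP 203.0.113.1 and the starting external port 40000 are assumptions.

```python
"""Constructed NAT/PAT model: unsolicited inbound packets are dropped, but any
reply to a connection opened from inside is forwarded. This is the entire
"protection" NAT provides, and why an inside-initiated channel passes it."""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.1"  # assumed public address of the NAT device


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    """State table keyed on (external port, remote ip, remote port)."""
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # key -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: reuse or allocate a mapping, rewrite the source."""
        for (ext_port, rip, rport), inside in self.table.items():
            if inside == (pkt.src_ip, pkt.src_port) and (rip, rport) == (pkt.dst_ip, pkt.dst_port):
                return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only if a matching mapping exists."""
        inside = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited packet: dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    nat = Nat()
    # 1. Unsolicited inbound to a listener on 192.168.1.10:4444 (bind-style): dropped.
    blocked = nat.inbound(Packet("198.51.100.7", 50000, PUBLIC_IP, 4444))
    # 2. The inside host itself opens a connection outward (the "phone home" case).
    out = nat.outbound(Packet("192.168.1.10", 51234, "198.51.100.7", 443))
    # 3. The outside host's reply matches the mapping and is delivered inside.
    reply = nat.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.src_port))
    return blocked, out, reply
```

Egress filtering and monitoring of outbound connections, not the NAT table, is what decides whether step 2 succeeds.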

There is a little flaw in your logic. You assume that in the second case we are protected by the attacker's fear of being traced. There are at least:

  • Attackers who don't care about being discovered
  • Attackers who are not worried, because they reside in a different country
  • Malware infected devices, which act as proxies for real attackers
  • Shared hosting providers, which may not be willing to cooperate with anyone

Besides that attackers can use other techniques to establish connections with a victim behind a NAT. For example, there is an excellent writeup on how to use TOR for almost untraceable command and control connection.

  1. An attacker can always use a backdoor which makes an outbound connection to a public host controlled by the attacker; this establishes the channel to reach into the victim's desktop. So a direct connection to the desktop is not necessary.

  2. If the attacker is using a host with a public IP address then IP spoofing is possible.

Additionally, if the attacker is using a compromised router at an ISP, he can always wipe his tracks clean after performing the attack. Most attacks are bounced off a series of already compromised hosts so that the attacker remains untraceable.

In both scenarios, using a NATed connection to the public internet does not protect the victim.