I am confused about this concept: if a public IP is assigned to my router and my system has a private IP address, how can an attacker access my system or use my system as a BOT? It's a common scenario that when we click or download some malicious file, an attacker gets control. Is there any other way to open the door (router) with something like a duplicate key?

  • There are many ways to get access to a computer, letting the user click a bad link, a payload on a USB drive etc. – BadSkillz Feb 11 '15 at 13:28
  • If I understand you correctly, this might be a duplicate of [Scanning A Subnet Externaly](https://security.stackexchange.com/questions/16850/scanning-a-subnet-externaly) and [How can someone hack my PC if I am connecting to the internet through NAT](https://security.stackexchange.com/questions/11840/how-can-someone-hack-my-pc-if-i-am-connecting-to-the-internet-through-nat) – tim Feb 11 '15 at 13:35
  • Sorry @tim but I am not talking from that perspective. – Root Feb 11 '15 at 13:47
  • This question is not a security question. It demonstrates a misunderstanding of basic networking. I have asked before: please read and understand our site scope - [about] – Rory Alsop Feb 11 '15 at 16:21

2 Answers


The router is like an automated door that would:

  • Let anyone open it from the inside
  • Require a passcode to open from the outside

There are multiple ways to bypass the normal behaviour: some exploit flaws in the implementation of the router, others flaws in the protocols, and some flaws in the design.

Let's say you invited a friend to stay at your home, then you go to work. If he is a bad friend, calls thieves and opens the door from the inside for them, the thieves can come in and rob you.

Well, now you decided not to trust anyone. A thief can come to your door and confuse the automaton into thinking he is inside, so that the door opens (e.g. TCP flag manipulation).

The thief can also go to a bar you're usually in, buy you a couple of beers and get the passcode to enter from you yourself.

The thief can also go to the door with a list of passcodes and try them one by one until the door opens.

If you open a port for a service, let's say you are a medical doctor with a secretary. People may come in and go to the secretary, but not come in and go to your house. A thief can come in, disrupt/dupe the secretary and go into your house while she's not looking.

Back to a more computer-related theme. Once inside, an attacker can exploit a vulnerability of your computer to install a bot on your machine. Then your machine will try to access the internet, which it is allowed to do anyway.

Per se, NAT masquerading is not a security measure, because it was initially designed to allow multiple computers to access the internet using a single public IP address. The more we progress, the better routers are able to block malicious requests coming from the outside. But there are always cases where it's not easy to distinguish legal traffic from forged traffic.

  • According to your answer, an attacker has to become a part of my network? Like multiple users connected to a router, an attacker has to become a part of my network to use me as a BOT? – Root Feb 11 '15 at 14:20
  • They can't use **YOU** as a bot. Only your computer. Being part of your network is a way to attack a local computer more easily, since local networks are usually less strict in terms of security. From inside the LAN, they would have to use an exploit to get access to your machine and perform operations on it. They can target your machine directly from the outside by exploiting already existing communication between the internet and your machine. – M'vy Feb 11 '15 at 14:25
  • Lolz, by *ME* I mean my *Computer*. As far as I think, someone can only connect to my network when we are living in the same area geographically, i.e. my wifi signals. But how can someone join my network or connect to my network when we are living at different places geographically? – Root Feb 11 '15 at 15:11

So, if we put this question in a real world situation, it would be: "How can attackers get in my house if the door is kept locked?" Answer: It's harder for them to get in, but the extra challenge is just getting in.

Your router will happily pass traffic to and from your computer, because that's all it does. That's its purpose. This means that if you download a virus (cutepuppies.jpg.exe) or if you click on a page with malicious JavaScript, like the BeEF project, you've invited them in. And then they can use your computer for whatever they want!

Putting your computer behind a router and locking your doors at night reduce the chances of a drive-by attack, but if you invite someone in either on purpose or accidentally, those protections are useless.

(Note, the above link is not malicious. It just shows a tool that can be used for penetration through the browser.)

  • Okay, that's a common scenario, by clicking or downloading some malicious file. Is there any other way to open the door, something like a duplicate key? Like in most organizations the IT team restricts their employees from accessing such sites or files by proxy server and some other techniques, but still their systems get compromised. Why? – Root Feb 11 '15 at 13:41
  • They still get compromised because their employees are easily fooled by scam emails, or they have insiders helping them. It comes down to the human element -- what are the people in your organization like? – Ohnana Mar 02 '15 at 13:19
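
Both answers above rest on the same mechanism: the router keeps a table of connections opened from the inside and only lets matching traffic back in. The following is an added example, not code from either answer, modelling that table in simplified form; the class, the addresses (documentation ranges) and the address-and-port-dependent filtering are assumptions, since real routers differ in how strictly they match.

```python
# Simplified model of a home NAT router's connection table.
# Added example with constructed addresses; not taken from the original answers.
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)     # (pub_port, remote_ip, remote_port) -> LAN host
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection ("door opened from the inside").
        The router creates state without knowing whether a browser or
        malware on the PC asked for it."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return pub_port

    def inbound(self, remote_ip, remote_port, pub_port):
        """Packet from the internet: delivered only if it matches existing
        state or an explicitly opened port."""
        key = (pub_port, remote_ip, remote_port)
        if key in self.table:
            return ("reply", self.table[key])
        if pub_port in self.forwards:
            return ("forwarded", self.forwards[pub_port])
        return ("dropped", None)

def demo():
    r = NatRouter()
    results = {}
    # 1. Unsolicited packet from outside: no state, no forward, so it is dropped.
    results["unsolicited"] = r.inbound("198.51.100.7", 5555, 40000)[0]
    # 2. The PC connects out; the remote side's reply is delivered to the PC.
    port = r.outbound("192.168.1.20", 51000, "198.51.100.7", 443)
    results["reply"] = r.inbound("198.51.100.7", 443, port)
    # 3. A different remote host aiming at the same public port is dropped.
    results["other_host"] = r.inbound("192.0.2.99", 443, port)[0]
    # 4. An opened port ("the secretary"): anyone outside reaches that LAN service.
    r.forwards[8080] = ("192.168.1.30", 80)
    results["forward"] = r.inbound("192.0.2.99", 6000, 8080)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Case 2 is why outbound traffic is worth monitoring: from the router's point of view, any connection a program on the PC opens looks the same as ordinary browsing.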