
NAT_presentation_Snoopers by wuzhengqin


Network Address Translation

Presented by Snoopers
  Eduardo Segura
  Shenal Shroff
  Shinichi Nishiyama
  Suyou He
  Thu Nguyen

Why NAT?
How does it work?
Possible attacks
NAT Pros and Cons
Why NAT?

Early ’90s: Signs of IPv4 addresses

      “The two most compelling problems facing the IP
      Internet are IP address depletion and scaling in routing.
      The address reuse solution is to place Network Address
      Translators (NAT) at the borders of stub domains.”
                                                   K. Egevang, P. Francis
                              RFC 1631: The IP Network Address Translator
                                                               May, 1994

A mapping: many-to-one
Many internal addresses -> one external
How does NAT work?
 NAT is used to map IP addresses between
 non-routable private and public addresses.
It allows registered public IP addresses to
 be shared by several hosts on private
How does NAT work? - Outgoing

Internal host sends packet
NAT box stores:
  Source IP
  Source port
  Destination IP
  Destination port
Then modifies addresses in packet
And sends it
How does NAT work? – Incoming

External host sends packet
NAT box searches stored info
The search uses source IP : source port
Modifies destination addresses in packet
Sends it to internal host
 NAT types: Mapping configuration -1

 Static NAT: One-to-one mapping between internal and external addresses

 Dynamic NAT: Mapping
  internal to external from
  group of external
NAT types: Mapping configuration –2
 Overloading NAT: Mapping
  multiple internal addresses
  to single external address
  with different port #s (known
  also as PAT).

 Overlapping NAT: Same
  range of addresses are
  used in two different
NAT Types - 2
 Behaviors with respect to UDP-based bindings
 The difference lies in how they process
  responses from external hosts
 Today, NAT boxes use a mix, dynamically
  switching between types
“Security” features
NAT hides internal addresses from
But it was NOT designed for security
Any security is just a side-effect:
  If packet’s source address not in table {
          drop it; }
And this depends on the type of NAT!
  Ex: “Full cone NAT” allows external packets to
   go right through, if configured.
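
Added example, not part of the original slides: a minimal Python model of the table lookup described on the Outgoing and Incoming slides, showing that the "drop if not in table" side-effect depends on the NAT type. The class and function names and all addresses are constructed for illustration; "port_restricted" is the RFC 3489 term for a NAT that only accepts packets from a peer the internal host has already contacted.

```python
PUBLIC_IP = "203.0.113.1"   # constructed address (documentation range)

class NatBox:
    """Overloading NAT (PAT) with a selectable inbound filtering rule."""

    def __init__(self, mode):
        self.mode = mode          # "port_restricted" or "full_cone"
        self.next_port = 40000    # next free external port (arbitrary start)
        self.table = {}           # ext_port -> (int_ip, int_port, set of peers)

    def outgoing(self, src_ip, src_port, dst_ip, dst_port):
        """Store the flow, then return the packet with its source rewritten."""
        for ext_port, (ip, port, peers) in self.table.items():
            if (ip, port) == (src_ip, src_port):
                peers.add((dst_ip, dst_port))   # known host:port, new peer
                break
        else:
            ext_port = self.next_port
            self.next_port += 1
            self.table[ext_port] = (src_ip, src_port, {(dst_ip, dst_port)})
        return (PUBLIC_IP, ext_port, dst_ip, dst_port)

    def incoming(self, src_ip, src_port, dst_port):
        """Return the internal (ip, port) to forward to, or None to drop."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None                          # no mapping: drop
        int_ip, int_port, peers = entry
        if self.mode == "port_restricted" and (src_ip, src_port) not in peers:
            return None                          # sender never contacted: drop
        # The decision uses header fields only; the NAT cannot verify who
        # actually sent a packet whose source matches a stored peer.
        return (int_ip, int_port)

def compare_modes():
    """Run the same three inbound packets through both filtering rules."""
    results = {}
    for mode in ("port_restricted", "full_cone"):
        nat = NatBox(mode)
        _, ext_port, _, _ = nat.outgoing("192.168.0.10", 5000, "198.51.100.7", 53)
        results[mode] = {
            "reply_from_peer": nat.incoming("198.51.100.7", 53, ext_port),
            "unrelated_sender": nat.incoming("192.0.2.99", 4444, ext_port),
            "unmapped_port": nat.incoming("198.51.100.7", 53, ext_port + 1),
        }
    return results

if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(mode, outcome)
```

In full cone mode the unrelated sender is forwarded to the internal host, which is why a stateful firewall rule is still needed behind or on the NAT box.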
Possible attacks on NAT

Assume no unrelated attacks:
  No user-initiated malware
  No buffer overflows or other hacks
Then it is possible to use:
  Source spoofing
  Host counting
  Passive fingerprinting
  Internal network mapping
Attack on NAT: Source Spoofing

An attacker can “inject” packets into the
To do this, he uses a fake source IP
Sometimes, all you need is one packet!
    SQL Slammer fits in one UDP packet
As long as the source address is in the
 NAT’s table, it’ll get through
Attack on NAT: Host Counting

Uses IP header “id” field
Most implementations just put a counter
NAT boxes don’t change it
Study gaps in these numbers to determine
 # of hosts
Attack on NAT: Fingerprinting

Every TCP/IP implementation is different
Many issues are left open in RFCs
Hence, every TCP/IP stack is unique
Different values for: TTL, SEQ, flags, etc.
By carefully studying these differences, it
 is possible to identify the OS!
Attack on NAT: Network Mapping

Technique uses “ICMP TTL Exceeded”
Attacker injects packets with low TTL
Internal routers generate TTL exceeded
Attacker uses these messages to carefully
 map the internal network!
NAT pros and cons
NAT provides a short-term solution to the
 shortage of IPv4 addresses
But it is NOT a firewall.
     Clever attackers can obtain information anyway
In addition, it breaks other protocols
     - IP addr. info in payload
     - Incompatibility between IPsec AH and NAT
Can become a management nightmare
Hides source of attack, if internal
 Dynamic NAT is a natural firewall between the private network and public networks/Internet. NAT is not a firewall.
 NAT is for reusing IP addresses. Hosts in a private network can share limited public IP addresses.
 NAT breaks the end-to-end connectivity model. Solution: ALG
 NAT is not secure. NAT will leak information
 Jeff Tyson, How Network Address Translation Works
 RFC 1631 - The IP Network Address Translator (NAT)
 RFC 1918 - Address Allocation for Private Internets
 Lisa Phifer, The Trouble with NAT
 Geoff Huston, Anatomy: A Look Inside Network Address Translators
 RFC 3022 - Traditional IP Network Address Translator
 RFC 3489 - STUN - Simple Traversal of UDP Through NATs
And that’s it!
