How do we protect against this pinholing attack?

ADFHogan

Regular Contributor

"Called NAT Slipstreaming, the method involves sending the target a link to a malicious site (or a legitimate site loaded with malicious ads) that, when visited, ultimately triggers the gateway to open any TCP/UDP port on the victim, thereby circumventing browser-based port restrictions."

Sounds like the ability to disable all unneeded ALGs might help mitigate, and ultimately a kernel update will be required?
 
Interesting!

I sure don't understand the ramifications or degree of seriousness of this.

- Perhaps use one of the IDS/IPS apps to flag (initially block) any atypical communications?

- Snort/Suricata will likely develop specific signatures for common exploits using this (e.g. remote attempts at breaking into 192.168.x.1).

- Another argument for isolating IoT devices? I'd guess some of those cameras depend upon ALGs to function and couldn't easily be blocked from spying on you, but perhaps through isolation you could keep one from becoming an attack platform against other LAN clients?

- Maybe a tweak or new extension in Firefox?

Geeze!!!
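To make the "specific signatures" idea above concrete, here is an added example (not code from the thread, and not the netfilter project's own code): a small shell model of what the kernel SIP helper (nf_conntrack_sip) does with one outbound TCP segment to port 5060, followed by the check an IDS/IPS rule would key on. The sample segments are constructed for illustration; the victim address 192.168.1.23, the phone at 192.168.1.50, the hostnames and the target port 8443 are all assumptions.

```shell
#!/bin/sh
# Added example: model of the SIP conntrack helper's view of an outbound
# segment, plus a detection check. Sample segments below are constructed.

CR=$(printf '\r')

# helper_view SRC_IP PAYLOAD
# Prints "ignore" when the helper would leave the segment alone, or
# "expect ADDR PORT" when a REGISTER would make it expect inbound traffic for
# ADDR:PORT, which nf_nat_sip then maps through to the LAN host.
helper_view() {
  src=$1; payload=$2
  # The helper matches a SIP method name at the very start of the payload.
  # SIP text that begins further in (inside an HTTP POST body) is never seen
  # unless TCP segmentation puts it at offset 0, which is exactly what the
  # NAT Slipstreaming JavaScript arranges by padding the request body.
  case "$payload" in
    "REGISTER sip:"*) ;;
    *) echo ignore; return 0 ;;
  esac
  # Contact: <sip:user@ADDR:PORT;...>  ->  "ADDR PORT"
  # (long header form only; the short form "m:" is not modelled)
  target=$(printf '%s\n' "$payload" | tr -d "$CR" |
           sed -n 's/^Contact:.*sip:[^@>]*@\([0-9.]*\):\([0-9]*\).*$/\1 \2/p' |
           head -n 1)
  [ -n "$target" ] || { echo ignore; return 0; }
  # The helper rejects third-party registrations: the Contact address must be
  # the sender's own address. That is why the attack first has to learn the
  # victim's LAN IP (for example via WebRTC) and put it in the Contact header.
  [ "${target% *}" = "$src" ] || { echo ignore; return 0; }
  echo "expect $target"
}

# ids_check SRC_IP PAYLOAD VOIP_HOST
# What a signature would key on: a host other than the known phone sending a
# REGISTER the helper would honour, or a Contact port that is not the SIP
# port itself. Prints "alert ..." or "ok".
ids_check() {
  src=$1; payload=$2; phone=$3
  set -- $(helper_view "$src" "$payload")
  [ "$1" = expect ] || { echo ok; return 0; }
  if [ "$src" != "$phone" ] || [ "$3" != 5060 ]; then
    echo "alert slipstream-candidate src=$src opens=$2:$3"
  else
    echo ok
  fi
}

VICTIM=192.168.1.23   # assumed victim LAN address
PHONE=192.168.1.50    # assumed legitimate VoIP phone

# 1. The HTTP POST as the browser emits it: SIP text sits inside the body.
HTTP_SEG=$(printf 'POST / HTTP/1.1\r\nHost: attacker.example\r\nContent-Length: 200\r\n\r\nREGISTER sip:attacker.example SIP/2.0\r\nContact: <sip:a@%s:8443;transport=TCP>\r\n\r\n' "$VICTIM")
# 2. The same SIP text once the body has been padded so that a fresh TCP
#    segment starts exactly here (the slipstream).
SIP_SEG=$(printf 'REGISTER sip:attacker.example SIP/2.0\r\nVia: SIP/2.0/TCP %s:5060\r\nContact: <sip:a@%s:8443;transport=TCP>\r\nContent-Length: 0\r\n\r\n' "$VICTIM" "$VICTIM")
# 3. A third-party registration: Contact names a different LAN host.
THIRD_SEG=$(printf 'REGISTER sip:attacker.example SIP/2.0\r\nContact: <sip:a@192.168.1.99:8443;transport=TCP>\r\n\r\n')
# 4. A normal registration from the phone.
PHONE_SEG=$(printf 'REGISTER sip:pbx.example SIP/2.0\r\nContact: <sip:phone@%s:5060>\r\n\r\n' "$PHONE")

echo "http body   : $(helper_view "$VICTIM" "$HTTP_SEG")"
echo "slipstream  : $(helper_view "$VICTIM" "$SIP_SEG")"
echo "third party : $(helper_view "$VICTIM" "$THIRD_SEG")"
echo "ids victim  : $(ids_check "$VICTIM" "$SIP_SEG" "$PHONE")"
echo "ids phone   : $(ids_check "$PHONE" "$PHONE_SEG" "$PHONE")"
```

A real IDS reassembles the whole stream, so the simplest signature is "HTTP request line sent to port 5060 whose body contains a SIP method"; the per-segment model above is only there to show why the TCP segment boundary, and the victim's own IP in the Contact header, are what the attack depends on.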
 
Sounds like the ability to disable all unneeded ALGs might help mitigate, and ultimately a kernel update will be required?
Doesn't sound like it's kernel related. ALGs can be disabled for Asus routers at WAN - NAT Passthrough.

Other than that, wait for more than 48 hours after this was published to look for a mitigation ;) and keep your AV up to date so your browser doesn't go to malicious websites.
 
I am unsure of the complete effect. I hope that if you are running Windows 10 2004 you can use the browser apps under Security to stop junk being written to your PC, and that, with only allowing apps to be downloaded from Microsoft plus secure DNS, one of them catches this. It sounds like the port is being opened by the PC. Consumer firewalls don't automatically block outbound traffic. Enterprise firewalls do. You have to open all the ports you want outbound. I assume it is considered too difficult for home users to open outbound ports. Maybe we could add outbound firewall rules for SIP traffic to block this. I block outbound on my router for Cable Haunt.

I guess we will see what happens in the future with this.
 
I originally posted this under the AsusWRT Merlin forum rather than "General Network Security" and someone's moved it.

In the case of an AsusWRT-Merlin powered router, the ALGs are at least in part implemented by Linux netfilter modules, so it is kernel related. Yes, you can disable some of them through the preferences, though not all (unless setting the FTP one to 0 turns it off? Unclear...). I have turned off the ALGs that I'm not using.

In terms of mitigations: "bad websites" are hard to define. The JavaScript doing this, whilst it has malicious intent (to open up ports in a firewall to arbitrary LAN hosts), isn't malicious in itself per se (it's just reading data from a website and posting back to it). I don't think everyone's going to have the ability to run a full IDS on each and every endpoint, and in the case of the specific router family I had originally posted under (AsusWRT-powered devices) I'm not sure whether it could be done without a kernel update, and whether there are further mitigations to apply.

I wholeheartedly agree IoT should be off in its isolated VLAN and wish it was easier to maintain functionality whilst doing this (I'm looking at you - "smart" home speaker!)
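The two router-side mitigations raised in this thread, turning off the SIP ALG (netfilter helper) and blocking outbound SIP from everything except a known phone, fit together in one AsusWRT-Merlin user script. The following is an added example, not Merlin's own code and not from the thread: the path /jffs/scripts/firewall-start and the WAN interface arriving as $1 follow the Merlin user-script convention, while the chain name SIPGUARD, the LAN bridge br0, the phone at 192.168.1.50 and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start -- added example, not Merlin's own code.
# Assumptions: LAN bridge br0; one VoIP phone at VOIP_HOST that must keep
# reaching its provider on 5060. Run with VOIP_HOST= (empty) if nothing on
# the LAN legitimately speaks SIP, which also lets the helper be unloaded.

LAN_IF=${LAN_IF-br0}
VOIP_HOST=${VOIP_HOST-192.168.1.50}
DRY_RUN=${DRY_RUN-0}        # DRY_RUN=1 prints the commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi
}

# Insert a rule only if an identical one is not already present (iptables -C,
# available since 1.4.11), so re-running on every firewall restart is safe.
add_rule() {
  if [ "$DRY_RUN" = 1 ] || ! iptables -C "$@" 2>/dev/null; then
    run iptables -I "$@"
  fi
}

# 1. Take the SIP helper out of the picture. Disabling "SIP Passthrough" in
#    the GUI is the stock path; unloading the modules makes sure no helper
#    is left to parse anything. Skipped when a phone still needs the ALG.
unload_sip_helper() {
  [ -z "$VOIP_HOST" ] || return 0
  for m in nf_nat_sip nf_conntrack_sip; do
    if grep -q "^$m " /proc/modules 2>/dev/null; then run rmmod "$m"; fi
  done
  # On kernels that have it, stop automatic helper assignment altogether;
  # older router kernels lack the knob, hence the "|| true".
  run sysctl -w net.netfilter.nf_conntrack_helper=0 2>/dev/null || true
}

# 2. Stop everything except the phone from talking SIP out to the WAN. A
#    browser has no business sending HTTP to port 5060 on the Internet, so
#    log the attempt (rate-limited) before dropping it.
add_sip_guard() {
  wan=$1
  run iptables -N SIPGUARD 2>/dev/null || true
  run iptables -F SIPGUARD
  [ -z "$VOIP_HOST" ] || run iptables -A SIPGUARD -s "$VOIP_HOST" -j RETURN
  for proto in tcp udp; do
    run iptables -A SIPGUARD -p "$proto" --dport 5060 -m limit --limit 5/min -j LOG --log-prefix "SIPGUARD: "
    run iptables -A SIPGUARD -p "$proto" --dport 5060 -j DROP
  done
  add_rule FORWARD -i "$LAN_IF" -o "$wan" -j SIPGUARD
}

firewall_start() {
  wan=${1:-$(nvram get wan0_ifname 2>/dev/null)}
  [ -n "$wan" ] || { echo "firewall-start: no WAN interface" >&2; return 1; }
  unload_sip_helper
  add_sip_guard "$wan"
}

# Merlin invokes firewall-start with the WAN interface name as $1.
if [ -n "${1:-}" ]; then firewall_start "$1"; fi
```

Try it first with `DRY_RUN=1 sh firewall-start eth0` to see the rule set; the LOG lines land in the router's syslog with the SIPGUARD: prefix, which is the same outbound-SIP anomaly an IDS signature would flag. On newer kernels (3.5 and later) the tidier alternative to unloading the modules is to leave `nf_conntrack_helper=0` and attach the helper explicitly to the phone with a CT --helper rule in the raw table, but the 2.6-era kernels on older Asus models do not offer that.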
 