NAT created a false sense of security, while also breaking a lot of other things. It is quite easy for the defaults to be wrong, and you can end up with all kinds of unexpected scenarios which make internal hosts reachable - e.g. outbound traffic could open up inbound traffic on the same port from any source, not just the one initially communicated with; UPnP can result in ports being opened; NAT slipstream attacks are another possibility; not to mention the fact that "not routable" and "there is no route" are two different things - someone who is on an adjacent network to your WAN interface (i.e. other customers of the same ISP) can easily direct traffic to your internal address space.
What reduced external attacks was not NAT, it was improved defaults - such as Windows including a software firewall which blocks inbound connections by default, and Unix-based systems no longer shipping with a large number of services (telnet, RPC, finger etc.) enabled by default.
Consumer routers with IPv6 support don't allow unsolicited inbound traffic by default. Good luck scanning an IPv6 block in any case.
Slammer and other worms scanned sequential legacy IP addresses, including the well-known and predictable RFC 1918 space. This method simply couldn't work with IPv6 because the address space is too large; you would be flooding out huge amounts of traffic for years on end before you happened to hit upon an active device.
IPv6 is better, not worse.
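An added illustration, not part of the comment above: a small Python model of the three NAT filtering behaviours named in RFC 4787, showing which inbound packets a mapping created by a single outbound flow will accept. The `Nat` class, the port-preserving mapping and the addresses (RFC 1918 and documentation ranges) are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Filtering behaviours as named in RFC 4787.
EIF = "endpoint-independent"
ADF = "address-dependent"
APDF = "address-and-port-dependent"

@dataclass
class Nat:
    filtering: str
    mappings: dict = field(default_factory=dict)  # ext port -> (internal ip, port)
    peers: dict = field(default_factory=dict)     # ext port -> {(remote ip, port)}

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Record the mapping an outbound packet creates; return the external port."""
        ext_port = int_port  # assumption: port-preserving mapping
        self.mappings[ext_port] = (int_ip, int_port)
        self.peers.setdefault(ext_port, set()).add((dst_ip, dst_port))
        return ext_port

    def inbound(self, src_ip, src_port, ext_port):
        """Return the internal (ip, port) the packet reaches, or None if dropped."""
        if ext_port not in self.mappings:
            return None  # no mapping at all: nothing to forward to
        peers = self.peers[ext_port]
        if self.filtering == EIF:
            allowed = True  # any source may use the open mapping
        elif self.filtering == ADF:
            allowed = any(ip == src_ip for ip, _ in peers)
        else:
            allowed = (src_ip, src_port) in peers
        return self.mappings[ext_port] if allowed else None

def demo(filtering):
    """One internal host opens one flow; three different senders then try the port."""
    nat = Nat(filtering)
    ext = nat.outbound("192.168.1.10", 40000, "198.51.100.7", 443)
    return {
        "reply": nat.inbound("198.51.100.7", 443, ext),
        "same_host_other_port": nat.inbound("198.51.100.7", 8080, ext),
        "third_party": nat.inbound("203.0.113.99", 12345, ext),
    }

if __name__ == "__main__":
    for mode in (EIF, ADF, APDF):
        print(mode, demo(mode))
```

Only the address-and-port-dependent mode behaves like a stateful firewall; with endpoint-independent filtering the mapping forwards packets from a sender the internal host never contacted.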