NAT Slipstreaming

Informational
CVE(s)
Updated:
Product(s)
Cyberoam OS Devices
Sophos Firewall
Sophos UTM
Publication ID: sophos-sa-20201207-nat-slipstreaming
Article Version: 1
First Published:
Workaround: No

Overview

NAT Slipstreaming is a recently published attack in which malicious JavaScript running in a victim's browser tricks the SIP Application Level Gateway (ALG) of a NAT firewall or router into opening inbound access to a port on the victim's internal address. The attacker can then connect to ports and services on the victim's system behind the firewall or router that NAT would otherwise keep unreachable from the Internet.

While this attack does not involve a firewall vulnerability and does not require a patch, there are some best-practices we recommend to reduce potential exposure to these types of attack, in particular, patching your browser software.

Details

The attack is triggered by visiting a compromised or malicious website that serves JavaScript crafted for it. The script first learns the victim's internal IP address (for example via WebRTC or a timing side channel), then sends a large HTTP POST from the browser to the attacker's server on the SIP port (TCP 5060). The request body is padded so that, when TCP segments the stream at the path MTU, a crafted SIP REGISTER message lands at the very start of a packet. The firewall's SIP ALG parses that packet as a genuine SIP registration, records the internal IP address and port named in its Contact header in its connection tracking, and forwards inbound traffic for that port to the victim. This lets the attacker bypass NAT and connect to whichever port the crafted message named on the victim's system, such as FTP, RDP, etc.

Recommendations

There are several recommended best-practices to protect against NAT Slipstreaming at various points in the attack chain:

Web protection

Since the attack is initiated from a compromised or malicious website, ensure that your Sophos Firewall or UTM product has web protection enabled to block malicious websites attempting to use this attack or others. Sophos web protection identifies and blocks malicious websites and so stops these attacks at the source.

Browser protection

Major browser vendors have added the ports used in this attack (5060 and 5061) to their lists of ports the browser refuses to connect to, in current or upcoming releases. Apply browser updates promptly as they become available. Details: 

Disabling unnecessary services

If SIP (VoIP) is not being used, the SIP module in the firewall can be disabled. Without the SIP ALG's connection tracking, the crafted packet opens nothing, which removes an essential step of the attack. Instructions: 

If SIP (VoIP) support is required, we suggest denying outbound traffic on TCP/UDP ports 5060 and 5061, which this attack uses. Where outbound SIP must be allowed, permit it only to the SIP servers you actually use, since the attack relies on the browser reaching an attacker-controlled host on those ports.

IPS protection

Sophos has published new IPS signatures for XG Firewall and Cyberoam (SIDs 2304467 and 2304468) to detect and block this attack method. Customers using SIP should apply IPS policies that include these signatures to their WAN traffic.
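To make the mechanism in the Details section concrete, and to show the kind of stream-level check an IPS signature for this attack has to make, the following Python is an added example written for this page; it is not Sophos code and not the logic of SIDs 2304467 and 2304468. It reassembles the client side of one TCP flow to port 5060 and flags the three things the attack must produce at once: an HTTP request as the first bytes on a SIP port, a SIP request line beginning exactly at a later segment boundary, and a Contact header that points a private address at a non-SIP port. The two flows it inspects are constructed samples, not captured traffic.

```python
"""
Flow-level detection of a NAT Slipstreaming-style SIP payload.

Illustrative code added to this advisory page; it is not Sophos IPS
signature logic, and the sample TCP segments are constructed, not captured.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SIP_PORTS = {5060, 5061}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ")
# A SIP request line anywhere in the data; .match() anchors it at a segment start.
SIP_REQUEST = re.compile(rb"(REGISTER|INVITE) sip:[^\r\n]+ SIP/2\.0\r\n")
# Contact header naming the IP and port the SIP ALG would open a pinhole for.
CONTACT = re.compile(
    rb"^Contact:\s*<?sip:[^@>\r\n]*@(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})",
    re.M | re.I,
)


@dataclass
class Flow:
    """Client-to-server half of one TCP connection, as the ALG sees it (pre-NAT)."""
    src: str                  # internal source address
    dst_port: int
    segments: list = field(default_factory=list)  # payload of each TCP segment, in order


def analyze_flow(flow: Flow) -> list:
    """Return a list of finding strings for one flow; empty means nothing suspicious."""
    findings = []
    if flow.dst_port not in SIP_PORTS:
        return findings  # the SIP ALG only parses traffic on SIP ports
    data = b"".join(flow.segments)
    if data.startswith(HTTP_METHODS):
        # An HTTP request on a SIP port whose stream later carries a SIP request line
        # is the core of the attack: the browser speaks HTTP, the padding makes the
        # ALG see SIP.
        if SIP_REQUEST.search(data):
            findings.append("sip-request-inside-http-stream")
        # The padding is tuned so the SIP request starts exactly at a segment boundary.
        for seg in flow.segments[1:]:
            if SIP_REQUEST.match(seg):
                findings.append("sip-request-at-segment-boundary")
                break
    for m in CONTACT.finditer(data):
        try:
            ip = ipaddress.ip_address(m.group(1).decode())
        except ValueError:
            continue  # not a parsable dotted quad; the ALG would not act on it either
        port = int(m.group(2))
        # A phone registers its own SIP port; a Contact pointing a private host at
        # RDP/SSH/FTP etc. is the pinhole the attacker wants.
        if ip.is_private and port not in SIP_PORTS:
            findings.append(f"contact-private-ip-nonsip-port:{ip}:{port}")
    return findings


def build_attack_flow() -> Flow:
    """Constructed sample: HTTP POST to port 5060 padded so a SIP REGISTER opens the
    second segment and asks the ALG to expose 192.168.1.23:3389 (RDP)."""
    register = (b"REGISTER sip:example.invalid SIP/2.0\r\n"
                b"Contact: <sip:victim@192.168.1.23:3389>\r\n"
                b"Content-Length: 0\r\n\r\n")
    seg1 = (b"POST /upload HTTP/1.1\r\nHost: attacker.invalid\r\n"
            b"Content-Length: 1500\r\n\r\n" + b"A" * 1380)
    seg2 = register + b"A" * 40
    return Flow(src="192.168.1.23", dst_port=5060, segments=[seg1, seg2])


def build_benign_flow() -> Flow:
    """Constructed sample: an ordinary softphone REGISTER whose Contact names its own SIP port."""
    register = (b"REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
                b"Contact: <sip:1001@192.168.1.40:5060>\r\n"
                b"Content-Length: 0\r\n\r\n")
    return Flow(src="192.168.1.40", dst_port=5060, segments=[register])


if __name__ == "__main__":
    for name, flow in (("attack", build_attack_flow()), ("benign", build_benign_flow())):
        print(name, analyze_flow(flow))
```

Run stand-alone it prints the findings for both flows. Treat them as heuristics: an ALG that inspects packets one at a time never sees the HTTP prefix, which is exactly why detection has to be stream-aware rather than per packet, and why disabling the SIP module where SIP is unused remains the stronger control.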

Protecting network services on client devices

All network services on client devices, such as RDP, SSH, FTP and others, should be reviewed regularly and removed unless absolutely essential, to reduce the attack surface. Any services that are essential should be protected with IPS and with strong passwords that are changed regularly and managed through a suitable password manager.

Summary

Follow typical security best-practices to protect your network from these types of attacks:

  • Protect your web traffic with web protection technology at the firewall and on the endpoint for mobile users
  • Keep operating systems and browsers up to date with the latest patches
  • Review and eliminate any unnecessary network services running on client machines and your firewall and ensure ports and protocols that are not required are disabled
  • Ensure any network services that are required are protected with strong passwords or MFA where possible
  • Ensure all WAN traffic is suitably protected by IPS to identify and block exploits

Related information

NAT Slipstreaming Attack Research