Thanks for testing this. A number of other readers wrote me
confirming your result with linux ipchains. I'm not sure what
when it encounters a collision, but in general I think this is a
strategy. You'd have to have many thousands of simultaneous UDP
transactions in order for randomly selected source ports to be
frequently enough for it to present a substantial problem.
On the other hand, I've also been contacted by readers who
other devices besides the one imipack mentioned share its
appears to be room for some research here into what collision
strategies are employed by different NAT devices, what happens to
devices under high load, and what the security implications are.
Fortunately, Linux appears to do a good job with this right now,
provides an example approach that NAT vendors can look to.
I'll post more if I have time to dig into this in further
"Riad S. Wahby"
<rsw () jfet org>
07/10/2008 11:06 Thomas
Cross/Atlanta/IBM () IBMUS
disclosure () lists grok org uk
Re: DNS and NAT (was: DNS
Thomas Cross <tcross () us ibm com> wrote:
We've also been wondering whether NAT devices ought to
UDP source ports, although no NAT vendor that we're aware
this to date.
Some quick testing implies that ipchains MASQUERADE-based NAT
suffer this problem because it preserves the source port.
My test setup is as follows: call the computer inside the NAT
the computer outside Bob. Alice contacts Bob via Trent, a linux-
router, in my case a DLink DSL-2540B DSL modem / router combo. On
Alice, I run the following:
( for j in $(seq 1 100); do i=$RANDOM; /bin/echo -n "$i "; echo $i | nc -q 0 -vv -p $i -u <Bob> 5555; sleep 1; done ) &> foo.Alice
On Bob, I run
( while true; do nc -vv -l -u -p 5555 -q 0 </dev/null; done ) &> foo.Bob
At the end, I compare the actual source port in foo.Alice to the
apparent source port in foo.Bob. In my setup, they are always
Obviously it is impossible to guarantee that this will always be
case; in order to identify dangerous corner cases one would have
consult the ipchains code, but given the relative frailty of the
randomized source port / randomized sequence number solution, for
small number of computers behind a NAT (e.g., home users) I claim
a second-order danger at best.
In a large production environment where there is a huge amount of
traffic being generated one would do well to consider a solution
Thomas's suggestion that the servers be moved outside the
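The two behaviours the thread discusses, a NAT preserving the inside source port (Riad's test) and preservation failing once many simultaneous UDP transactions pick random ports (Thomas's reply), as an added Python model that is not part of the thread; the random-free-port fallback, the 10.0.0.0/24 hosts, the 192.0.2.1:53 destination and the 1024-65535 ephemeral range are assumptions.

```python
import math
import random

MIN_PORT, MAX_PORT = 1024, 65535  # ephemeral range used by the simulation (assumption)


class PortPreservingNat:
    """Toy NAT that keeps the inside UDP source port whenever it can.
    A mapping is keyed by (inside_ip, inside_port, destination); the external
    port equals the inside port unless a live mapping already holds it.  The
    fallback (random free port) is an assumption; real devices are undocumented."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.in_use = set()   # external ports held by live mappings
        self.mappings = {}    # (inside_ip, inside_port, dst) -> external port
        self.fallbacks = 0    # mappings that could not keep their source port

    def translate(self, inside_ip, inside_port, dst):
        key = (inside_ip, inside_port, dst)
        if key in self.mappings:
            return self.mappings[key]
        ext = inside_port
        if ext in self.in_use:
            self.fallbacks += 1
            while ext in self.in_use:
                ext = self.rng.randint(MIN_PORT, MAX_PORT)
        self.in_use.add(ext)
        self.mappings[key] = ext
        return ext


def preservation_failures(n_flows, seed=0):
    """Open n_flows simultaneous UDP transactions from constructed inside hosts
    using random ephemeral ports; return how many lost their source port."""
    nat = PortPreservingNat(seed)
    picker = random.Random(seed + 1)
    for i in range(n_flows):
        host = "10.0.0.%d" % (i % 250 + 1)
        nat.translate(host, picker.randint(MIN_PORT, MAX_PORT), ("192.0.2.1", 53))
    return nat.fallbacks


def collision_probability(n_flows, ports=MAX_PORT - MIN_PORT + 1):
    """Birthday-bound probability that at least two of n_flows random source
    ports coincide, i.e. that preservation must fail for at least one flow."""
    return 1.0 - math.exp(-n_flows * (n_flows - 1) / (2.0 * ports))
```

With a hundred flows the port is almost always kept, while thousands of concurrent flows produce hundreds of fallbacks, which is the load regime Thomas's reply singles out.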