Slipstream Nat Attacks Can Be Dangerous for Browsers

Slipstream Nat Attacks

Cybercriminals never rest: they are always looking for new targets to exploit through security flaws. In this case, new attacks that affect web browsers could compromise our security. Samy Kamkar has discovered the Slipstream NAT attacks that affect our browsers, and we already explained how they work in this article. The developers of the most popular browsers are already preparing to block this new attack technique, and in this article we explain how they will do it.

How Slipstream NAT Attacks Work

The attack was discovered by security researcher Samy Kamkar, who named the method NAT Slipstreaming. Slipstream NAT attacks require victims to visit an attacker's malicious website or a site carrying maliciously crafted ads. Samy Kamkar has provided a demonstration diagram of the attack to show how it works.

Slipstream NAT attacks exploit the user's browser together with the Application Level Gateway (ALG) connection-tracking mechanism built into NATs, routers and firewalls, by chaining extraction of the internal IP address (through a timing attack or WebRTC), automated remote MTU detection and IP fragmentation. Also, since it is the NAT or firewall that opens the destination port, the attack bypasses any browser-based port restrictions.

Slipstream NAT attacks take advantage of arbitrary control over the data portion of some TCP and UDP packets, without any HTTP or other headers being included. The attack is based on a new packet-injection technique that affects both modern and older browsers. It is a modernized version of Samy Kamkar's NAT Pinning technique from 2010, presented at DEFCON 18 and Black Hat 2010, with new techniques for local IP address discovery added.

It should be noted that the attack requires the NAT or firewall to support ALGs (Application Level Gateways), which are required for protocols that use multiple ports (a control channel plus a data channel), such as SIP and H.323 (VoIP protocols), FTP, IRC DCC, etc.

Other research and proof of concept

Samy Kamkar made other discoveries that are not used in this attack but could potentially be used to carry out other types of attacks. Specifically, he found that:

  • IP fragmentation allows full control of all data in the IP data section, which results in full control of a UDP header, including the source and destination ports, in the overflowed packet.
  • If a port is already taken, the listening port increments until it overflows to 0.
  • STUN has no authentication implemented in any modern browser.

You can also download the proof of concept for the Slipstream NAT attacks from here.

Browsers prepare to block this attack

To stop Slipstream NAT attacks, the browser developers plan to block TCP ports 5060 and 5061, which this attack uses, by adding them to the restricted-port list.

According to Chromium developer Adam Rice, the intention is to block HTTP and HTTPS connections to SIP ports 5060 and 5061, so connections to servers on those ports will fail. After these changes, connections to servers on those ports, such as http://web.com:5060/ or https://web.com:5061/, will no longer work. This also improves security more broadly, as tests that trigger a server on an arbitrary port are expected to be harder to carry out than they are right now.
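To make the restricted-port mitigation concrete, here is an added example (not code from the article or from any browser) modelling the check a browser applies before opening an HTTP/HTTPS connection: it computes a URL's effective port and refuses the SIP ports named above. The extra ports for the other ALG protocols the article lists (FTP, H.323, IRC) are an assumption added here; real browser lists are longer.

```javascript
// Added example: a simplified model of a browser "restricted port" check.
// Ports the article says Chromium is adding to its restricted list.
const SIP_PORTS = [5060, 5061];

// Assumption: well-known ports of the other ALG-handled protocols the
// article names (FTP control, H.323 call signalling, IRC). Not from the page.
const OTHER_ALG_PORTS = [21, 1720, 6667];

const RESTRICTED_PORTS = new Set([...SIP_PORTS, ...OTHER_ALG_PORTS]);

// Default TCP ports per scheme; URL.port is "" when the default is in use.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Return the effective TCP port of a URL, or null for schemes this model
// does not handle (e.g. mailto:).
function effectivePort(urlString) {
  const url = new URL(urlString);
  if (!(url.protocol in DEFAULT_PORTS)) return null;
  return url.port === '' ? DEFAULT_PORTS[url.protocol] : Number(url.port);
}

// Decide whether a navigation or fetch to this URL should be refused.
function isRestricted(urlString) {
  const port = effectivePort(urlString);
  return port !== null && RESTRICTED_PORTS.has(port);
}

// Classify a batch of URLs into { allowed: [...], blocked: [...] }.
function triage(urls) {
  const result = { allowed: [], blocked: [] };
  for (const u of urls) {
    (isRestricted(u) ? result.blocked : result.allowed).push(u);
  }
  return result;
}

// Constructed sample, including the two URLs quoted in the article.
const SAMPLE = [
  'http://web.com:5060/',
  'https://web.com:5061/',
  'https://web.com/',
  'http://web.com:8080/api',
  'https://web.com:443/',
];

const TRIAGED = triage(SAMPLE);
console.log(TRIAGED);
```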

Finally, Firefox, Safari, Chromium and Chrome are all working to fix the Slipstream NAT attacks as soon as possible, but it is not yet known when they will do so. On November 4 the fix was entered into the Chromium bug tracker, so it will still take a few weeks to reach the final stable version.