Anders Wallenquist wrote:
> Martin Leben wrote:
>
>> To avoid any misunderstanding: it is called UPnP (Universal Plug and Play). Moreover, it is not an external party that requests ports to be opened, but a client on the inside. For example the MSN client on one's
>> own computer. (Which doesn't make it much better. Just a little...)
>
> Thanks Martin for your clarification! Perhaps you also know the difference between a symmetric and an asymmetric firewall?

What is meant is, strictly speaking, not a firewall but NAT (Network Address
Translation). [1] offers some interesting reading if you want to dig deeper. It says:


  5.  NAT Variations

   It is assumed that the reader is familiar with NATs.  It has
   been observed that NAT treatment of UDP varies among
   implementations.  The four treatments observed in
   implementations are:

   Full Cone: A full cone NAT is one where all requests from the
      same internal IP address and port are mapped to the same
      external IP address and port.  Furthermore, any external
      host can send a packet to the internal host, by sending a
      packet to the mapped external address.

   Restricted Cone: A restricted cone NAT is one where all
      requests from the same internal IP address and port are
      mapped to the same external IP address and port.  Unlike
      a full cone NAT, an external host (with IP address X) can
      send a packet to the internal host only if the internal
      host had previously sent a packet to IP address X.

   Port Restricted Cone: A port restricted cone NAT is like a
      restricted cone NAT, but the restriction includes port
      numbers.  Specifically, an external host can send a
      packet, with source IP address X and source port P, to
      the internal host only if the internal host had
      previously sent a packet to IP address X and port P.

   Symmetric: A symmetric NAT is one where all requests from
      the same internal IP address and port, to a specific
      destination IP address and port, are mapped to the same
      external IP address and port.  If the same host sends a
      packet with the same source address and port, but to a
      different destination, a different mapping is used.
      Furthermore, only the external host that receives a
      packet can send a UDP packet back to the internal host.

Which of the three (asymmetric?) cone types Rixtelecom is referring to, I don't know.

The symmetric NAT is probably the most common one. In plain terms it works like this:
Suppose a host on the inside opens a connection from (local-ip, local-port) to (remote-ip, remote-port). That connection will then pass through (nat-ip, nat-port) and be translated. These address and port pairs are entered into a table. Incoming packets are checked against this table, so that only packets from (remote-ip, remote-port) addressed to (nat-ip, nat-port) are let through and translated to (local-ip, local-port).


In short:
- Asymmetric NAT allows incoming UDP traffic.
- Symmetric NAT does not allow incoming UDP traffic. (Though it can be fooled too...)


>> I wonder when the first worm will appear that uses UPnP to make
>> itself reachable from the outside without having to initiate contact
>> itself... Or do such worms already exist?
>
> OK, if it is the MSN client that requests the ports to be opened, what is
> the difference between that and what the SIP client does with its Registrar
> when it is behind NAT and has no STUN server? I thought it was the SIP client that opens and keeps a session open, which sounds like
> your description of UPnP?

Hmmm... Maybe there isn't that much of a difference after all...

> After all, isn't this exactly what every other piece of spyware is doing?
> The difference between the SIP client or the MSN client and the spyware is that we users are unaware of what is going on. Spyware that moreover uses well-known ports is not easily detected by "personal firewalls" either, since the traffic
> can appear legitimate. Once a leash has been established it is perfectly
> possible to reverse the traffic and control/monitor the infected computer
> remotely. They don't even need to use UPnP; an ordinary session is
> enough. Or is it the scenario where the spyware opens the
> firewall with UPnP for a traditional attack on known vulnerabilities
> that you have in mind? If UPnP depends on a program on the inside, then
> the first step has already been taken once the foreign program is
> in place, hasn't it?

Ouch.... It hurts to get rapped on the knuckles! ;-)

/Martin Leben

[1] http://www.faqs.org/rfcs/rfc3489.html
    RFC 3489 - STUN - Simple Traversal of User Datagram Protocol
    (UDP) Through Network Address Translators (NATs)

--
Remove dashes and numbers (if any) to get my real email address.
I subscribe to the mailing lists i write to.
Please don't CC me on replies.
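Added example (not part of the original message or of any product discussed in it): a small Python model of the four NAT behaviours quoted from RFC 3489 above, exercised the way the message describes the mapping table, plus the static port-forwarding entry that an inside client's UPnP request produces, which is the point of the worm question in the thread. The class and function names (Nat, classify_behaviour, upnp_hole, add_upnp_mapping), the addresses and the port numbers are assumptions for illustration; the UPnP part models only the resulting forwarding entry, not the IGD protocol itself.

```python
"""Toy model of the four NAT behaviours RFC 3489 distinguishes (full cone,
restricted cone, port restricted cone, symmetric) and of the static
port-forwarding entry that a UPnP request from an inside client creates.

Constructed illustration: the class/function names, addresses and port
numbers are assumptions, not any real NAT implementation or the UPnP IGD
protocol itself; only the resulting mapping table and filtering are modelled.
"""
import itertools

# Endpoints are (ip, port) tuples: (local-ip, local-port), (nat-ip, nat-port)
# and (remote-ip, remote-port) as in the message above.


class Nat:
    FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC = range(4)

    def __init__(self, kind, nat_ip="203.0.113.1", first_port=40000):
        self.kind = kind
        self.nat_ip = nat_ip                  # assumed public address
        self._ports = itertools.count(first_port)
        # Mapping table. Cone NATs key on the internal endpoint only, so one
        # external port serves every destination; a symmetric NAT keys on
        # (internal endpoint, destination), giving a fresh port per destination.
        self.table = {}
        # Per internal endpoint: destinations it has sent to (cone filtering).
        self.seen = {}
        # UPnP-style static mappings: external port -> internal endpoint.
        self.static = {}

    def outbound(self, src, dst):
        """Inside host sends UDP from src to dst; returns the (nat-ip, nat-port) used."""
        key = (src, dst) if self.kind == self.SYMMETRIC else src
        if key not in self.table:
            self.table[key] = (self.nat_ip, next(self._ports))
        self.seen.setdefault(src, set()).add(dst)
        return self.table[key]

    def inbound(self, src, dst):
        """External packet from src to dst=(nat-ip, nat-port).

        Returns the internal endpoint it is translated to, or None if dropped.
        """
        if dst[1] in self.static:
            # A UPnP port mapping admits any external host, no prior outbound
            # packet needed: this is the hole the worm question is about.
            return self.static[dst[1]]
        for key, ext in self.table.items():
            if ext != dst:
                continue
            if self.kind == self.SYMMETRIC:
                internal, creator = key
                # Only the destination that created this exact mapping may reply.
                return internal if src == creator else None
            internal = key
            if self.kind == self.FULL_CONE:
                return internal
            if self.kind == self.RESTRICTED_CONE:
                # Any port on an IP the inside host has already sent to.
                return internal if any(d[0] == src[0] for d in self.seen[internal]) else None
            # PORT_RESTRICTED_CONE: the exact (ip, port) must have been sent to.
            return internal if src in self.seen[internal] else None
        return None

    def add_upnp_mapping(self, external_port, internal):
        """Model of an inside client asking the router to forward a port."""
        self.static[external_port] = internal


def classify_behaviour():
    """Send from one inside socket to two destinations, then try three inbound
    packets on the first mapping; returns what each NAT type lets through."""
    inside = ("192.168.1.10", 5060)
    stun = ("198.51.100.7", 3478)
    peer = ("198.51.100.9", 7000)
    results = {}
    for kind in (Nat.FULL_CONE, Nat.RESTRICTED_CONE, Nat.PORT_RESTRICTED_CONE, Nat.SYMMETRIC):
        nat = Nat(kind)
        ext1 = nat.outbound(inside, stun)
        ext2 = nat.outbound(inside, peer)   # same source, different destination
        results[kind] = {
            "same_external_port": ext1 == ext2,
            "reply_from_stun": nat.inbound(stun, ext1) is not None,
            "stun_ip_other_port": nat.inbound((stun[0], 3479), ext1) is not None,
            "unknown_host": nat.inbound(("203.0.113.77", 9999), ext1) is not None,
        }
    return results


def upnp_hole():
    """Even behind a symmetric NAT, a UPnP mapping requested from inside makes
    the inside host reachable by an arbitrary external host."""
    nat = Nat(Nat.SYMMETRIC)
    victim = ("192.168.1.20", 4444)
    assert nat.inbound(("203.0.113.77", 31337), (nat.nat_ip, 4444)) is None
    nat.add_upnp_mapping(4444, victim)
    return nat.inbound(("203.0.113.77", 31337), (nat.nat_ip, 4444))


if __name__ == "__main__":
    names = ["full cone", "restricted cone", "port restricted cone", "symmetric"]
    for kind, r in classify_behaviour().items():
        print(f"{names[kind]:22s} {r}")
    print("UPnP mapping reaches:", upnp_hole())
```

Running it shows the two things the thread circles around: only the symmetric NAT hands out a different external port per destination and admits only the exact (remote-ip, remote-port) that created the mapping, while the cone types let in progressively more; and a UPnP mapping bypasses that filtering entirely, so for an inside program the NAT type stops mattering once the mapping exists.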

