0

To extend on How can a webpage scan my local, internal network from the Internet? how safe is my private network against possible threats like DoS attacks, spoofing attacks, revealing info about my private network services etc. Have there have been recent exploits?

I recently read (https://www.sans.org/reading-room/whitepapers/networkdevs/easy-steps-cisco-extended-access-list-231) that without an ACL set incoming ICMP echo request (ICMP type 8), ICMP time-exceeded (ICMP type 11) could reveal your intranet structure. Is that true?

Sir Muffington
  • 1,536
  • 2
  • 11
  • 23

1 Answers1

3

NAT as used in typical SoHo routers implicitly protects you from direct access from outside into your network. And that's about all it does.

Specifically it does not protect you against anything which is initiated from inside, like opening a mail or visiting some external web site. NAT will not protect against scanning the internal network if this scanning was initiated from inside - no matter if the script for scanning the local network was loaded when visiting an external web site. NAT will also not protect against loading some malware from outside which then can attack your network from inside or provide an attacker with a backdoor in your private network.

In other words: NAT does not help a lot in protecting the privacy of your network.

I recently read ... that without an ACL set incoming ICMP echo request (ICMP type 8), ICMP time-exceeded (ICMP type 11) could reveal your intranet structure.

In case of NAT no access initiated from outside to the inside is possible and this includes ICMP. What you've read is not about NAT.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Somewhat dubious about this part: "visiting some external web site". While it is true that your home router will not protect you against javascript running in your browser, your browser certainly will, so I'm not sure if this statement is entirely accurate in practice. – Conor Mancone Sep 16 '19 at 20:44
  • @ConorMancone: your browser will happily execute script from some external web site if you visit the web site. This script has not much restrictions on which internal IP addresses it might probe. While there are some restrictions regarding some specific ports and it is usually impossible to read the response it is often sufficient to determine which internal hosts exist and maybe even figure out some open ports. It is also enough to mount a CSRF attack against an insecure router even if its admin interface is only reachable from inside the local network. – Steffen Ullrich Sep 16 '19 at 20:54
  • I forgot about the whole "CSRF an insecure router" - that's a popular one, and gets an attacker better access. Otherwise though, I think it's hard to do much *practical* recon from a browser. – Conor Mancone Sep 16 '19 at 23:31
  • What did I read on about then? – Sir Muffington Sep 17 '19 at 15:31
  • @SirMuffington: I have no idea what point you are trying to make with your last comment. If you ask about differences between what you've read and understood and the points in my answer then please be more specific so that I can actually help you. – Steffen Ullrich Sep 17 '19 at 16:18
  • @SteffenUllrich sorry for formulating the question in a wrong way. I meant to ask if what I've read is irrelevant to NAT, what is it relevant to then? Please refer to the link and use CTRL+F to find the quoted phrases if you are unsure about the source. – Sir Muffington Sep 18 '19 at 07:49
  • @SirMuffington; *"Please refer to the link and use CTRL+F to find the quoted phrases if you are unsure about the source. "* - there are two links in your question and there is nothing obviously quoted. Which means I have still no idea what you are talking about. – Steffen Ullrich Sep 18 '19 at 08:01
  • the full quotes would be: 1. Block incoming ICMP echo request (ICMP type 8). This will prevent ping attacks which can crash some systems. It will also prevent outsiders from mapping systems inside your network; 2. Block outgoing ICMP time-exceeded (ICMP type 11). Prevent outsiders from mapping your network. – Sir Muffington Sep 19 '19 at 10:35
  • How does blocking those ICMP requests prevent outsiders from mapping your network? – Sir Muffington Sep 19 '19 at 10:37
  • @SirMuffington: as I've already said - your 2nd link is not about NAT at all. Which means any information in this link are irrelevant in the context of your question (which is about NAT). – Steffen Ullrich Sep 19 '19 at 21:39