What’s Coming At You Without NAT?

So far, I've mostly been looking at Network Address Translation (NAT) as a good counter measure on mobile devices to block unsolicited incoming communication so the modem doesn't have to wake up all the time. Another benefit of NAT is of course also to keep the bad guys away from your devices on the network layer. But actually how much unsolicited traffic is there that reduces battery life in mobile devices and puts your device or local network at risk? As I didn't have any specific numbers on that I decided to try it out to see what happens.

I ran my tests with a Linux PC connected to the Internet and running Wireshark in various ways. In one setup, I used my DSL line. On the router I assigned the Linux PC as a DMZ host, i.e. all unknown incoming packets were forwarded to it. Needless to say that the PC had all current security patches applied and only had the services running that were really require. In another setup I used a 3G dongle and an APN without NAT. The rest of the world didn't really care if the link was fixed or wireless the incoming unsolicited traffic was pretty much the same. Therefore, I don't distinguish between the two in the following.

And here is what happened:

Incoming Traffic Frequency: There was incoming traffic not generated by any of my running applications every 5-10 minutes, i.e. around 10 connection requests per hour, or 10 additional and unnecessary modem wakeup calls.

Type of Incoming Traffic:

Some of the incoming traffic could easily be identified as P2P file sharing connection requests, most likely triggered by a P2P client running on a device that had the IP address I was assigned previously. No harm done here.

Most connection requests had a less harmless nature, definitely sent to see if services are running that could potentially be exploited. Here are some interesting highlights detected during my 6 hour experiment:

  • Frequent connection requests to telnet, ssh and http ports. I ran the tests with several different dynamic IP addresses assigned and always got those requests from many different sources. Definitely probes to see if old and outdated services were running that could be exploited.
  • Unsolicited SIP requests: I saw those from a number of different originations, so people are running SIP scanners out there to see if VoIP servers are running on systems out there.
  • Active VNC attack: I had one instance where the VNC port was probed. As I had a VNC server running on that system the other end started the handshake dialoge and logged off once he had my server version string. I checked with a real VNC client and even when I don't type in the password the communication goes much further than what I saw in this even. There are some VNC server flavours out there that are vulnerable so that was most likely an active attack to scan for those out there.
  • Microsofts Remote Desktop Port: I also saw a number of RDP connection requests, so even before the recent criticial security patch for a remote code execution vulnerability, automated scans were running against this port.
  • Microsoft SQL database weakness probe
  • Unsolicited DNS responses: Every now and then I got DNS response packets which were not triggered by internal DNS queries. The responses contained URLs for xxx sites. I haven't quite understood the background behind that
  • Port Scans: General port scans not from P2P services to well known port numbers, e.g. 110 POP3, etc. 

I ran the test with several different IP addresses on different days to ensure I didn't have an IP address that was used by someone else before and thus triggering certain things. The result in each case was the same so all things described above pretty much must be from automated scripts just running up and down the IP address space looking for targets. Also interesting are the countries of origin of those requests. It's pretty much an international phenomenon, requests were coming from everywhere, including the US, European Countries, Russia, China, Australia, etc. etc.

Not a peaceful world out there…