4 reasons you should disable NAT-PMP on your router right now

When designing products or protocols, there’s often a trade-off to be made. Often, it’s in favor of convenience instead of security, like with WPS pairing for Wi-Fi devices or UPnP, which lets devices open their own ports to the internet through a firewall. But did you know there’s another network protocol that’s similar to UPnP in scope that you should probably turn off in your router?

It’s called NAT-PMP, or Network Address Translation Port Mapping Protocol, which lets a device on your home network ask the router to forward NAT traffic from an external source to it. Unlike UPnP, NAT-PMP takes some configuration to get working correctly and securely, but even then it’s still a potential security risk. If none of your devices use NAT-PMP, you should probably turn it off in your router, or you can disable it on a per-device basis if you have a few devices that use it. It’s often Apple devices or apps that use Apple’s Bonjour service that use NAT-PMP, so that’s a good place to start looking.


4. It’s insecure

It might make your router manufacturer’s life easier, but it’s a nightmare for you

Like UPnP, NAT-PMP was designed to be lightweight, simple, and used where the clients on the network are reasonably trusted. If you can see where this is going, you will be dismayed to find that you’re right, because that means it has no meaningful security capabilities built into the protocol. The RFC for the protocol says to use IPsec to encrypt all your network traffic if you care about security, so it’s assumed to be insecure from the get-go. You can implement NAT-PMP in ways that restrict which networks, interfaces, or clients can use the protocol, which doesn’t make the protocol itself any more secure but does narrow down the search if and when something does go wrong.

If the gateway device running NAT-PMP is misconfigured, it could allow several serious security issues, including:

  • Malicious NAT-PMP mapping manipulation: If no access control lists limit what clients can forward, attackers can intercept TCP and UDP traffic that internal clients send to the NAT-PMP device, intercept external TCP and UDP traffic, gain access to services behind the NAT device, or mount DDoS attacks against the router.
  • Interception of internal network traffic: This goes further than simply intercepting internal traffic bound for the NAT-PMP device, because it can also enable DNS-based attacks against internal devices and redirect their HTTP or HTTPS requests to external malicious hosts.
  • Interception of external traffic: In some cases, external attackers can intercept data coming from the internet to the NAT-PMP device.
  • Accessing internal NAT clients
  • DDoS against the NAT-PMP device
  • Disclosure of information about the network architecture: This gives attackers a roadmap to navigate and see other vulnerable devices.

While many of these issues were caused by flaws in miniupnp, which has taken steps to mitigate them, they’re still potential issues for anyone using NAT-PMP. In 2014, there were around 1.2 million affected devices attached to the internet, according to Rapid7, which scanned the public internet to see how many devices had NAT-PMP enabled and were vulnerable to the various flaws we just mentioned.


3. It’s no longer needed

Modern devices have moved to other ways of handling port forwarding

NAT-PMP is more secure by design than UPnP, but it’s still not needed these days. It was replaced by PCP (Port Control Protocol) in 2013, which added IPv6 support, more constraints on how the mappings can be created, and a way to extend PCP with the authentication and access-control methods missing from earlier protocols that serve a similar function. I’m not quite sure what uses PCP other than enterprise network appliances, but in any case, you’d be running it with authentication methods, so the attack surface is greatly reduced.


2. It’s safer to control which devices can open ports

Time to learn a little bit about port forwarding to save your home network from issues

While NAT-PMP can be a useful tool for convenience, many internet users don’t like the thought of anything opening ports into their home network without them knowing about it. I’m also firmly in the same camp and prefer my internet usage to be as zero-trust as possible. I like to know which programs and devices are opening ports to the outside, and to have control over what they’re doing. NAT-PMP sidesteps this, and consumer-level routers aren’t often able to use the strong firewall rules necessary for allowing only certain devices to use the protocol.

That situation changes somewhat if you’re using a prosumer router or one you’ve built running pfSense or OPNsense. These routers can all set a default deny rule plus an explicit whitelist, so that only authorized devices can use the NAT-PMP protocol. That way you can have explicitly defined port forwards for most devices, while the few trusted devices that rely on NAT-PMP can still use it. It’s still better to turn it off completely and see how many of your devices actually run into issues. You might not even notice that it’s not running.
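To make the "default deny plus whitelist" idea concrete, and to show what the protocol described earlier actually puts on the wire, here is an added Python example. It is not code from the article, from pfSense or OPNsense, or from any router vendor. It decodes NAT-PMP request datagrams in the RFC 6886 layout (version, opcode, reserved, internal port, suggested external port, lifetime) and checks each mapping request against an allow-list of client addresses and an allowed external-port range. The addresses, ports and packets are constructed for the demonstration, and the allow-list semantics are an assumption modelled on how a default-deny rule set behaves, not any product’s own configuration format.

```python
"""Audit NAT-PMP (RFC 6886) requests on UDP/5351 against a default-deny client
allow-list, the kind of whitelist pfSense/OPNsense let you set for the protocol.
Added example with constructed packets, not traffic captured from a real network."""
import ipaddress
import struct
from dataclasses import dataclass

NATPMP_PORT = 5351
OP_EXTERNAL_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2


@dataclass
class NatPmpRequest:
    src_ip: str
    opcode: int
    internal_port: int = 0
    external_port: int = 0   # 0 = "gateway, pick one for me"
    lifetime: int = 0        # seconds; 0 = delete the mapping

    @property
    def is_mapping(self) -> bool:
        return self.opcode in (OP_MAP_UDP, OP_MAP_TCP)


def build_mapping_request(opcode: int, internal_port: int,
                          external_port: int, lifetime: int) -> bytes:
    """Encode a client -> gateway mapping request as RFC 6886 lays it out:
    version(1) opcode(1) reserved(2) internal port(2) suggested external port(2)
    lifetime(4). Note there is no field anywhere for a credential or signature."""
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)


def parse_request(src_ip: str, payload: bytes) -> NatPmpRequest:
    """Decode a request datagram; raises ValueError on anything malformed."""
    if len(payload) < 2:
        raise ValueError("packet shorter than the 2-byte header")
    version, opcode = payload[0], payload[1]
    if version != 0:
        raise ValueError(f"unsupported NAT-PMP version {version}")
    if opcode & 0x80:
        raise ValueError("response opcode seen where a request was expected")
    if opcode == OP_EXTERNAL_ADDR:
        return NatPmpRequest(src_ip, opcode)
    if opcode in (OP_MAP_UDP, OP_MAP_TCP):
        if len(payload) < 12:
            raise ValueError("mapping request shorter than 12 bytes")
        _reserved, iport, eport, lifetime = struct.unpack("!HHHI", payload[2:12])
        return NatPmpRequest(src_ip, opcode, iport, eport, lifetime)
    raise ValueError(f"unknown opcode {opcode}")


def audit(datagrams, allowed_clients, allowed_external_ports=(1024, 65535)):
    """Default deny: a mapping is permitted only when the source address is inside
    one of allowed_clients and the requested external port is inside the allowed
    range. A requested port of 0 means "gateway chooses" and is let through here,
    leaving the gateway's own range policy to apply. Returns (src_ip, verdict,
    detail) tuples; verdict is allow / deny / info / malformed."""
    nets = [ipaddress.ip_network(n) for n in allowed_clients]
    lo, hi = allowed_external_ports
    findings = []
    for src_ip, payload in datagrams:
        try:
            req = parse_request(src_ip, payload)
        except ValueError as err:
            findings.append((src_ip, "malformed", str(err)))
            continue
        if not req.is_mapping:
            findings.append((src_ip, "info", "external-address query (no mapping)"))
            continue
        proto = "TCP" if req.opcode == OP_MAP_TCP else "UDP"
        what = f"{proto} ext {req.external_port or 'any'} -> int {req.internal_port}, {req.lifetime}s"
        if not any(ipaddress.ip_address(src_ip) in n for n in nets):
            findings.append((src_ip, "deny", f"{what}: client not on the allow-list"))
        elif req.external_port and not (lo <= req.external_port <= hi):
            findings.append((src_ip, "deny", f"{what}: external port outside {lo}-{hi}"))
        else:
            findings.append((src_ip, "allow", what))
    return findings


# Constructed sample: one trusted media box (192.168.1.20) is whitelisted; nothing else is.
ALLOWED_CLIENTS = ["192.168.1.20/32"]
SAMPLE_DATAGRAMS = [
    ("192.168.1.20", build_mapping_request(OP_MAP_TCP, 32400, 32400, 7200)),  # trusted, allowed
    ("192.168.1.77", build_mapping_request(OP_MAP_UDP, 3074, 3074, 3600)),    # unknown client
    ("192.168.1.20", build_mapping_request(OP_MAP_TCP, 22, 22, 3600)),        # trusted, but port 22
    ("192.168.1.20", bytes([0, OP_EXTERNAL_ADDR])),                           # harmless address query
    ("192.168.1.50", b"\x00\x01\x00"),                                        # truncated packet
]

if __name__ == "__main__":
    for src, verdict, detail in audit(SAMPLE_DATAGRAMS, ALLOWED_CLIENTS):
        print(f"{verdict:9} {src:14} {detail}")
```

Run it as-is to see the five verdicts; to use it on your own network, feed `audit()` the (source address, UDP payload) pairs captured on port 5351 at the gateway. The point the layout makes is the one the article makes in words: the only thing a gateway can key a decision on is the source address, so a whitelist is the strongest control the protocol allows, and turning it off removes the decision entirely.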


1. Malware can use it to make botnets

Yeah, we don’t like our home network being used for crime either

Any service that can create connections to the Internet from your internal network without authentication or approval is bad for security, even if it never gets used for nefarious purposes. You wouldn’t have something in your house that would open the front door, back door, and several windows if a stranger asked, so why would you do the same thing for your network? UPnP and NAT-PMP have both been leveraged time and time again for malware distribution, botnets, DDoS, and other types of digital attacks.

The huge DNS attack in 2016 that pretty much took the entire U.S. offline for half a day used databases of default passwords and easily exploitable bugs in protocols like UPnP and NAT-PMP to commandeer IoT and other devices inside home networks to carry out the enormous DDoS attack against the DNS provider, Dyn. The setup convenience of these protocols is paid for by insecure networks, and the trade-off is not worth it.


You probably don’t need NAT-PMP enabled anymore, so it’s safer to turn it off

While plenty of routers still employ NAT-PMP as an option, the list of devices that use it nowadays is fairly short. It is used by Apple’s Bonjour service for discoverability and easy setup between Apple products, but disabling NAT-PMP in your router won’t affect the multicast services that Bonjour uses when on your home network. If you find you have issues with some devices after turning NAT-PMP off, try contacting the respective customer service teams to see if they have a manual option. If not, decide if you want to enable NAT-PMP for those devices or if you want to replace them with more secure options. And chances are your consumer router doesn’t even have NAT-PMP as an option, in which case you’re already ahead of the game.


source: https://www.xda-developers.com/you-should-disable-nat-pmp-on-your-router-right-now/
