zlacker

57 comments
1. jmgao+(OP) 2024-06-01 09:30:20
Back in the days of blaster, if you were connected to a network with infected machines or had a public IP address because you were connected straight into your cable modem, you would get infected in the windows installer before it finished installing. Nowadays, everything is behind NAT and there aren't any infected Windows XP machines left on your local network, so that's not a problem anymore.
replies(4): >>tetris+c1 >>lupusr+L1 >>nubine+o5 >>snakey+D6
2. tetris+c1 2024-06-01 09:46:50
>>jmgao+(OP)
Herd immunity, huh?
replies(1): >>zamada+qu
3. lupusr+L1 2024-06-01 09:53:41
>>jmgao+(OP)
For some reason whenever somebody suggests that NAT might have security benefits, there is usually some hysterical screeching about how that isn't true. Often seen in IPv6 discussions.
replies(5): >>rcxdud+A3 >>63stac+W7 >>Legion+9c >>throw0+Fc1 >>globul+a12
4. rcxdud+A3 2024-06-01 10:22:10
>>lupusr+L1
Because it's unnecessary to get the same benefit. Being behind a firewall would have the same effect (and any ipv6 deployment will have this), it's just that NAT requires this. It's like saying eating a spoonful of cinnamon has health benefits because it hydrates you when you have to drink a glass of water afterwards: you could just drink the water.
replies(2): >>throwa+G6 >>tflol+f7
5. nubine+o5 2024-06-01 10:45:31
>>jmgao+(OP)
I would guesstimate about 20-30 seconds was all you needed to be connected for to pick up blaster...
replies(1): >>cqqxo4+M6
6. snakey+D6 2024-06-01 11:00:30
>>jmgao+(OP)
>Nowadays, everything is behind NAT and there aren't any infected Windows XP machines

All end-user PCs have been behind NAT since the late 90s unless the system was a dialup straggler. Enterprise users raw-dogging the internet only have themselves to blame.

replies(3): >>jmgao+c7 >>zineke+n9 >>alex_d+1b
7. throwa+G6 2024-06-01 11:00:39
>>rcxdud+A3
I don't quite understand what you mean by "any ipv6 deployment will have this". When my ISP switched to IPv6, my internal devices were exposed to the internet and the only thing that stopped the incredible amount of bot traffic was my own on-device firewall that I explicitly turned on and configured. Luckily I don't have any smarthome stuff, not sure how I'd configure a firewall on a lightbulb. These devices didn't have a public IPv4 before that. And a bonus - the ISP didn't say anything about this possible consequence, just "we're making some changes".

NAT has more benefits - I don't want anyone to know how many devices I have at home, I don't want anyone to know which one I'm using to access their website, I don't want anyone to try to guess the OS and version of my devices, etc. And now I'm scared to have a simple DLNA media server because I can't just install WireGuard on the TV. I'm probably going to buy a router and make my own NAT soon (don't have access into the ISP modem).

I felt better when the whole municipality had a single IP address. A lot of bullshit ads - means the targeting wasn't working. Now they're way too good.

replies(5): >>rcxdud+ka >>PaulHo+xa >>RulerO+aQ >>throw0+md1 >>hdjdjd+xF1
8. cqqxo4+M6 2024-06-01 11:01:59
>>nubine+o5
Yep. Before I knew what it was, I genuinely thought that an issue occurred when my connection established. That’s how fast it was, and it was consistently that fast.
replies(1): >>ddalex+c8
9. jmgao+c7 2024-06-01 11:06:19
>>snakey+D6
This is absolutely false. This only became common when wireless networking became ubiquitous, which wasn't until probably a decade later.
replies(1): >>Infamo+ua
10. tflol+f7 2024-06-01 11:07:07
>>rcxdud+A3
This looks like the usual ipv6 kool aid batshit. I don't want a bunch of kids and enemy states poking at and port scanning my laptop directly, regardless of whether or not I have a firewall enabled.

And, no, I don't think it's practical for everyone and their grandma to "just set up a bastion"

replies(3): >>rcxdud+Da >>utensi+Y51 >>scrps+7u1
11. 63stac+W7 2024-06-01 11:14:00
>>lupusr+L1
Isn't NAT slipstreaming a "real" vector?

https://samy.pl/slipstream/

replies(1): >>jeroen+0o1
12. ddalex+c8 2024-06-01 11:15:57
>>cqqxo4+M6
How did blaster do it so fast?
replies(1): >>bzzzt+Xo
13. zineke+n9 2024-06-01 11:25:55
>>snakey+D6
Even discounting dial-up, this really depends on where you are in the world at the time. PPPoE and direct hookup (via the cable/ADSL modem) are still relatively common where I was at the time that Blaster was roaming around, while some countries have forced CGNAT even before CGNAT became a common word, usually for "protecting the children" like Cleanfeed (and even discounting that, even at the time you could still get IPv4 effortlessly there had been, and certainly there are still, crappy ISPs which don't really care about direct connections).
14. rcxdud+ka 2024-06-01 11:34:27
>>throwa+G6
Well, that sounds like a colossal misconfiguration on the ISP's part. A firewall blocking incoming requests has been a standard part of ISP routers for a long time.
replies(1): >>throwa+Fg
15. Infamo+ua 2024-06-01 11:35:10
>>jmgao+c7
When I got my first broadband Internet connection my contract explicitly prohibited me from using NAT. Apparently my Internet provider was concerned I would use NAT to connect multiple computers thus “stealing” bandwidth. This concern was not completely unfounded since people sometimes would set up one connection and share it with neighboring apartments. Also having one computer per household was normal back then.
replies(2): >>ctippe+RD1 >>kccqzy+7I1
16. PaulHo+xa 2024-06-01 11:35:54
>>throwa+G6
My ADSL connection rides on some non-IP network before it hooks up to a concentrator about an hour away. Most location based services, other than Apple, seem to assume I am in Norwich, NY. So I get these ads that say “They don’t like it when seniors use this one weird trick to save money on car insurance in Norwich but they can’t stop it” and “Horny grandmas want to jump your bone right now in Norwich” and such.

Contrast that to using public WiFi in NYC where everybody knows exactly where you are.

replies(1): >>throwa+Mg
17. rcxdud+Da 2024-06-01 11:36:58
>>tflol+f7
I mean, they'd need to figure out your IP address beforehand, something that's a lot harder with ipv6. You've also got a much better chance of punching a packet through a NAT than an ipv6 firewall (and it's now expected behaviour for a lot of applications, as NAT makes it too difficult to just make connections directly).
replies(2): >>Legion+Ec >>rainon+Rg
18. alex_d+1b 2024-06-01 11:40:17
>>snakey+D6
I'm afraid this is factually wrong, my computer had a public IP until the early 2010s as around these days modems were just modems and not routers too.

And with IPv6 all my devices could be publicly addressed but I've enabled a firewall to block incoming traffic at the router level.

replies(1): >>Suppaf+oI1
19. Legion+9c 2024-06-01 11:52:18
>>lupusr+L1
I think the usual security objection is that if the NAT router receives a packet from the outside, with its destination set to a local address, the router will just let it through, in the absence of a firewall.

But as far as I can tell, that's only relevant for an attacker who can MITM the connection between the local router and the next ISP router, since clearly the ISP wouldn't know who to forward the local address to. I'd think it isn't within the threat model of the "typical internet user" who'd be running such a poorly-configured network.

20. Legion+Ec 2024-06-01 11:57:35
>>rcxdud+Da
Wouldn't IPv6 firewalls configured for typical users (i.e., denying unrecognized incoming connections) pose a similar barrier to making direct connections reliably on the application level? Not every user will be willing or able to open a hole in their firewall for every shiny new application that wants one.
21. throwa+Fg 2024-06-01 12:37:53
>>rcxdud+ka
On the other hand... What exactly is the benefit of IPv6 then? I thought the point was to make all my devices addressable on the public internet. How is it useful if the ISP firewall blocks my servers?

And yes, incompetent ISPs are the norm.

replies(3): >>Spooky+em >>bzzzt+7q >>ndrisc+Zv1
22. throwa+Mg 2024-06-01 12:39:28
>>PaulHo+xa
I'm on DOCSIS to the Home / Fiber to the Building, but there seems to be some kind of overlay network and as a result, my PC that's hooked into the modem is on the public internet.

Before IPv6 it was a classic internal LAN with IPs like 192.168.0.1.

23. rainon+Rg 2024-06-01 12:40:01
>>rcxdud+Da
They wouldn't need to figure out anything. The "kids and enemy states" are just hosing address ranges. I don't agree with the above commenter that NAT offers any meaningful security in this regard (now they're just hosing your consumer router instead which is probably less secure than the average updates-installed Defender-enabled Windows box). But you're both making points about security through obscurity in different ways.
replies(2): >>tflol+Ci >>throw0+0e1
24. tflol+Ci 2024-06-01 12:57:42
>>rainon+Rg
> now they're just hosing your consumer router

There is a dramatic difference in effort between ( owning a device ) and ( owning a router, configuring network access to the device, then owning the device ).

Also psychologically: If I was a rock hard piece of shit and I knew I was at the doorstep of a personal device, I would treat it much more aggressively than a router. I suppose maybe that's just me and not the kids and enemy states.

replies(1): >>rainon+lk
25. rainon+lk 2024-06-01 13:11:50
>>tflol+Ci
I mean, I don't know why you would when the router potentially gives you a foothold across many devices instead of one and the router is likely running multiple services. Yes, that is just you; the threat model I'm describing is widespread automated attacks, not individual or particularly motivated.
replies(1): >>tflol+Nk
26. tflol+Nk 2024-06-01 13:16:36
>>rainon+lk
You're saying there's less incentive for widespread automated attacks on personal devices?

edit: Changing the subject to insulting me is a bad way to conclude. You're creating an illusion the debate is concluded in your favor instead of responding to points. I don't think any of my points had a sound argument against them.

replies(1): >>rainon+kn
27. Spooky+em 2024-06-01 13:28:43
>>throwa+Fg
The biggest benefit is exponentially higher complexity, assuring continued job growth for network engineers.
28. rainon+kn 2024-06-01 13:39:30
>>tflol+Nk
No brother, I'm not, but I'm starting to feel that what I am saying might be beyond the likelihood of comprehension. Look, I'm a big fan of NAT. Huge. It's not a security control. Neither is v6. It sure is cool though.
29. bzzzt+Xo 2024-06-01 13:54:55
>>ddalex+c8
Because there were so many infected machines probing through the entire IPv4 space then.
30. bzzzt+7q 2024-06-01 14:02:45
>>throwa+Fg
The point is not needing a NAT translation table and running out of ports on your router. My provider also delivers an IPv6 configuration with all ports closed. I can enable incoming traffic for the devices that need it.
replies(1): >>throwa+rs
31. throwa+rs 2024-06-01 14:20:11
>>bzzzt+7q
Running out of ports how? Someone is hosting 65536 public services in their home network? Why not just pay for an additional public ipv4 then?

I can't configure anything technical about my internet. Any change is paid, and often simply not possible.

replies(1): >>toast0+dy1
32. zamada+qu 2024-06-01 14:36:40
>>tetris+c1
More that NAT forces your network gear to filter inbound connections from the outside internet by default. This works as well with one device behind one router as with a billion devices behind a billion routers.
33. RulerO+aQ 2024-06-01 17:12:37
>>throwa+G6
> I don't want anyone to know how many devices I have at home

Even if your ipv6 host or border firewall allows pings through, it's not practical to scan an entire /64. There's just too many addresses in it, and your devices will frequently change them.

> I don't want anyone to know which one I'm using to access their website, I don't want anyone to try guess the OS and version of my devices, etc.

They already do this through fingerprinting that operates with higher-layer protocols.

> And now I'm scared to have a simple DLNA media server because I can't just install WireGuard on the TV.

This is very simple to implement. Ensure it's listening on the link-local address. That's the IP that starts with fe80. These are unrouteable by spec.

replies(1): >>throwa+5V
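The "listen on the link-local address" suggestion above, worked through as an added Python example (not from any commenter): a small policy check that tells link-local, ULA, loopback and global addresses apart, a parser for Linux's /proc/net/if_inet6 to find an interface's fe80:: address, and a bind that uses it with the required scope id. The if_inet6 sample is constructed, and address discovery assumes Linux; the classifier itself is portable.

```python
"""Expose a LAN-only service (e.g. DLNA) on the interface's fe80:: address only.
Added example, not code from the thread. Assumes Linux for /proc/net/if_inet6."""
import ipaddress
import socket

ULA = ipaddress.ip_network("fc00::/7")  # unique-local: routable inside the site only


def classify(addr: str) -> str:
    """Classify an IPv6 literal; an optional %zone suffix (fe80::1%eth0) is ignored."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if ip.is_link_local:  # fe80::/10: by spec never forwarded by any router
        return "link-local"
    if ip.is_loopback:
        return "loopback"
    if ip in ULA:
        return "unique-local"
    return "global"  # reachable from the internet if the border firewall allows it


def parse_if_inet6(text: str):
    """Parse /proc/net/if_inet6 into (IPv6Address, ifindex, ifname) tuples.
    Each line is: 32 hex digits, ifindex, prefix length, scope, flags, name."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        hexaddr, ifindex, _plen, _scope, _flags, name = fields
        out.append((ipaddress.IPv6Address(int(hexaddr, 16)), int(ifindex, 16), name))
    return out


def link_local_for(ifname: str, text: str):
    """Return ifname's link-local address from if_inet6 text, or None if it has none."""
    for ip, _idx, name in parse_if_inet6(text):
        if name == ifname and ip.is_link_local:
            return ip
    return None


def bind_on_link(ifname: str, port: int) -> socket.socket:
    """Bind a TCP listener to ifname's fe80:: address only; raises if there is none."""
    with open("/proc/net/if_inet6") as fh:
        ip = link_local_for(ifname, fh.read())
    if ip is None:
        raise RuntimeError(f"{ifname} has no link-local address")
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    # fe80:: addresses are per-link, so the scope id (interface index) is mandatory
    s.bind((str(ip), port, 0, socket.if_nametoindex(ifname)))
    s.listen(5)
    return s


# Constructed sample of /proc/net/if_inet6, not a real host's table
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021b21fffe0a1b2c 02 40 20 80     eth0
2001db8000000000021b21fffe0a1b2c 02 40 00 80     eth0
"""
```

On a real host, `bind_on_link("eth0", 8200)` refuses to start unless eth0 has a link-local address, and clients on the same segment connect with the zone suffix (for example `fe80::21b:21ff:fe0a:1b2c%eth0`).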
34. throwa+5V 2024-06-01 17:53:49
>>RulerO+aQ
> They already do this through fingerprinting that operates with higher-layer protocols.

It's very hard to distinguish my iPhone and Mac from the other dozens/hundreds of people have in my building just through fingerprinting. Very easy if they have separate IP addresses.

Ad link local - cool, I'll look into that, thanks.

replies(1): >>crazyg+d81
35. utensi+Y51 2024-06-01 19:29:42
>>tflol+f7
Yeah, I think it is very explicitly a bad thing for all devices to be directly exposed to the entire internet, firewall or no. NAT is a pain, sure, but it does have the benefit of forcing you to have a network isolated from the internet, and only allow external access when explicitly configured to do so.

I have exactly one machine which needs to be accessible from outside the local network. The rest of them should never be. Do I want to spend extra time ensuring that each and every single device on my network is secure, or do I want to do the inverse and assume all devices are secure and only spend effort to make the one machine exposed?

I can't imagine anyone who would actually want or need their WiFi toaster to be publicly routable, WiFi cameras, every computer. There's absolutely no reason for it. Instead of relying on network isolation, we expect users to just implicitly rely on who knows how many different firewall implementations. Hopefully your router configures it by default.

replies(1): >>semi+6K1
36. crazyg+d81 2024-06-01 19:50:55
>>throwa+5V
It's actually very easy just through fingerprinting. You might be surprised.

It doesn't matter if everyone in your building has an iPhone and a Mac as well -- there are things about virtually every single one of them that make them unique.

replies(1): >>oarsin+PK2
37. throw0+Fc1 2024-06-01 20:30:27
>>lupusr+L1
> For some reason whenever somebody suggests that NAT might have security benefits, there is usually some hysterical screeching about how that isn't true.

It is not the address translation mechanism that does the protecting but rather the state tracking.

Until very recently I was with an ISP with IPv6, and things like my home printer had IPv6 addresses—but just because they were globally addressable did not mean that they were globally reachable.

replies(1): >>tempie+ih2
38. throw0+md1 2024-06-01 20:36:36
>>throwa+G6
> When my ISP switched to IPv6, my internal devices were exposed to the internet and the only thing that stopped the incredible amount of bot traffic was my own on-device firewall that I explicitly turned on and configured.

When my (previous) ISP switched on IPv6 none of my internal devices could be connected to because my Asus did stateful packet inspection and only allowed in replies to connections that were previously initiated.

> NAT has more benefits - I don't want anyone to know how many devices I have at home, I don't want anyone to know which one I'm using to access their website

Given that temporary IPv6 addresses tend to rotate every 24 hours it will be kind of hard to track individual devices by IP in a 2^64 address space.

You could rotate addresses 10 million times per second, using each only once, and it would take over 5000 years to exhaust a single /64.

> I felt better when the whole municipality had a single IP address. A lot of bullshit ads - means the targeting wasn't working. Now they're way too good.

I now have to use an ISP-supplied router (for GPON), but when I still had my Asus on the DSL/IPv6 ISP I could tell it to reboot every night and I would get a new IPv4 address and a new IPv6 prefix every day.

39. throw0+0e1 2024-06-01 20:41:46
>>rainon+Rg
> The "kids and enemy states" are just hosing address ranges.

If you could scan one million addresses every second it would take about 500,000 years to scan just one /64. Not sure how practical that would be.

When I was still with an ISP that did IPv6 my Asus would block any incoming connection attempt unless it was a reply (SPI firewall), though it may have (IIRC) allowed pings in by default.

replies(2): >>tflol+GK1 >>rainon+yN1
40. jeroen+0o1 2024-06-01 22:15:51
>>63stac+W7
NAT slipstreaming only works if your router allows protocols like SIP, FTP, WebRTC, and other such protocols that NAT breaks, luckily.

Unfortunately, I'm pretty sure that's all routers I've ever seen. You can protect yourself if you're willing to break web applications and applications built on web technology. Just disable all of the SIP ALGs in your router and you'll have the security of IPv6 on IPv4!

41. scrps+7u1 2024-06-01 23:12:41
>>tflol+f7
This is also spec for IPv4, it was intended to be as publicly routable as IPv6 is. NAT is just a consequence of everyone realizing circa early 90s (iirc) IPv4 addresses would run out at the rate the network was growing. Yes NAT acts as an inbound default-deny firewall but that isn't its purpose.

You have a router, it has a firewall, that is meant to be used to control access to the network, you don't have to assign rules to every device you can assign default interface rules that apply to any connection.

Just because you get a publically routable address doesn't mean the internet defines physics and hops over your router and firewall.

Also as an aside - perimeter security is a very outdated way of looking at security, yes the perimeter is still important but if it is your first and only line of defense you are gonna be in for a bad time, defense in depth as it is called where you look at your systems and networks as layers to an onion is the more modern standard and NAT as a security mechanism has never been standard in either because it isn't.

42. ndrisc+Zv1 2024-06-01 23:31:21
>>throwa+Fg
Without bidirectional NAT, hole-punching works. Two sides of a p2p connection can coordinate with an intermediary to learn each other's addresses. They send each other a packet, which gets dropped by the other side. Their firewall sees the outgoing packet though, and opens the port. The next time they send each other packets, they will be allowed through. The intermediary is only needed to do the initial handshake instead of for all packets.

With NAT, it doesn't work because the ports get remapped, and the intermediary doesn't know how they will get remapped on the p2p connection, so they can't coordinate to send on the correct ports to open the firewall.

Or UPnP can work. By default, your router drops incoming packets on all ports. If you want to e.g. run a game server, then on startup, it hits a standard API to tell the router to forward that one port. On shutdown, it can tell it to close the port (you could potentially also have the router require keepalives to keep the forward alive. I'm not familiar with the details of UPnP and related protocols).

Without a public IP, you need intermediate servers to relay all traffic to you, which centralizes the web. With p2p working, you can e.g. have high quality video calls with friends/family instead of dealing with the garbage quality tech companies allow. Or I can share with my mom photos of her grandkids with effectively unlimited storage; for 2 years of 2 TB Google storage, I can buy 20 TB of disks.

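To make two points from this thread concrete, that it is the state tracking rather than the address rewriting that blocks unsolicited traffic (comment 37), and the hole-punching walkthrough just above (comment 42), here is a toy Python model added as an example; it is not code from any commenter. It models a plain stateful filter and a NAT that allocates a fresh external port per destination (the case the comment describes, often called symmetric NAT), and every address in it is constructed.

```python
"""Toy model of two points made in this thread: it is the state tracking, not the
address rewriting, that stops unsolicited inbound traffic, and hole punching gets
through a plain stateful firewall but not a NAT that picks a fresh external port
per destination. Added example; every address here is constructed."""


class StatefulFirewall:
    """No translation: an outside packet is admitted only as the reply to a flow an
    inside host already started (the SPI default of a home router)."""

    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        self.flows.add((src, sport, dst, dport))
        return pkt  # addresses pass through unchanged

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        # admitted iff the inside host previously sent to exactly this remote endpoint
        return pkt if (dst, dport, src, sport) in self.flows else None


class SymmetricNAT:
    """Rewrites the inside source to (public_ip, external port) and allocates a
    different external port for every distinct destination; admits only replies
    from that destination to that port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.mappings = {}  # (in_ip, in_port, dst_ip, dst_port) -> external port
        self.flows = {}  # (external port, remote_ip, remote_port) -> (in_ip, in_port)

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        key = (src, sport, dst, dport)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext = self.mappings[key]
        self.flows[(ext, dst, dport)] = (src, sport)
        return (self.public_ip, ext, dst, dport)

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        inside = self.flows.get((dport, src, sport))
        return None if inside is None else (src, sport, inside[0], inside[1])


def send(sender_dev, receiver_dev, pkt):
    """Carry one packet out through the sender's device and in through the
    receiver's; returns it as delivered to the receiving host, or None if dropped."""
    return receiver_dev.inbound(sender_dev.outbound(pkt))


def addressable_but_not_reachable():
    """A printer with a global IPv6 address behind a stateful firewall: the probe
    is dropped, the reply to the printer's own outbound request is admitted."""
    fw = StatefulFirewall()
    probe_dropped = fw.inbound(("2001:db8:bad::1", 5555, "2001:db8:home::50", 631)) is None
    fw.outbound(("2001:db8:home::50", 40000, "2001:db8:cloud::9", 443))
    reply_ok = fw.inbound(("2001:db8:cloud::9", 443, "2001:db8:home::50", 40000)) is not None
    return probe_dropped and reply_ok


def punch(dev_a, dev_b, a, b):
    """Hole punching: each side learns the other's public endpoint from a relay
    (modelled as what its own device shows on a packet sent to the relay), then
    both send. Returns whether packets 1, 2 and 3 reached the far host."""
    relay = ("203.0.113.1", 3478)
    a_pub = dev_a.outbound(a + relay)[:2]  # how the relay saw A
    b_pub = dev_b.outbound(b + relay)[:2]  # how the relay saw B
    first = send(dev_a, dev_b, a + b_pub)  # dropped at B, but opens A's side
    second = send(dev_b, dev_a, b + a_pub)  # admitted only if A's device matches it
    third = send(dev_a, dev_b, a + b_pub)  # admitted only if B's device now matches it
    return (first is not None, second is not None, third is not None)
```

With two stateful firewalls `punch` returns (False, True, True): the first packet is lost but the next two get through. Put a `SymmetricNAT` in front of A and it returns (False, False, False), because the port the relay reported is not the port A's NAT uses towards B.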
43. toast0+dy1 2024-06-01 23:55:41
>>throwa+rs
Running out of ports is usually a misunderstanding, but a device doing stateful NAT will have a limit on how many states it can manage, and it's usually not fun when it goes over the limit.
44. ctippe+RD1 2024-06-02 01:01:51
>>Infamo+ua
I live in an apartment block where each flat is likely spending £30-60 per month on broadband. Even accounting for the odd power user, I reckon we could get away with sharing a 1-2 Gbps connection and benefit from the collective cost savings. Legal accountability aside, I kinda like the idea of a neighbourhood network commune.
45. hdjdjd+xF1 2024-06-02 01:23:17
>>throwa+G6
Pro tip: buy a computer for and make it into a router .. There are some great cheap fanless machines out there (servethehome has reviews)...

You could also just use an old pc...

For software opnsense, pfsense, openbsd, freebsd, Linux (openwrt could be used too if you want embedded)

It is a pain to start ... But satisfying when it works :)

46. kccqzy+7I1 2024-06-02 02:10:53
>>Infamo+ua
Circa 2003 when we got the first WiFi access point set up (with no password), we started noticing people with laptops appearing next to our homes. It took us a few seconds to realize they found a free WiFi and walked around to find a spot with better signal.
47. Suppaf+oI1 2024-06-02 02:13:46
>>alex_d+1b
>my computer had a public IP until the early 2010s as around these days modems were just modems and not routers too.

You realize that wasn't the norm though right?

replies(1): >>globul+l12
48. semi+6K1 2024-06-02 02:39:16
>>utensi+Y51
Are you sure about that 'never'? That no device will ever try to use p2p connections?

Even then I'd still rather ensure every device is appropriately firewalled. 'Not worrying about it' sounds like a hardened shell with a juicy center. What happens when a device does get compromised and tries to spread to your local network?

49. tflol+GK1 2024-06-02 02:48:33
>>throw0+0e1
SPI firewall looks interesting, appreciate the education.
50. rainon+yN1 2024-06-02 03:31:28
>>throw0+0e1
Yeah that is an absolutely bonkers amount of time so you're probably right in that the approach of low-effort wide net-casting attackers would have to change. I'm curious to know how Shodan etc. deal with this.
replies(1): >>kalleb+902
51. kalleb+902 2024-06-02 06:35:13
>>rainon+yN1
Shodan ran an NTP pool time server on IPv6 and harvested the addresses of machines that checked in to get the time. Pretty clever.
52. globul+a12 2024-06-02 06:52:27
>>lupusr+L1
Because it's really important to know the difference between NAT and a firewall if you are into networks. And IPv6 discussions generally involve such people. In this case it's nothing to do with NAT and everything to do with being behind a firewall.
53. globul+l12 2024-06-02 06:56:41
>>Suppaf+oI1
It was. Our 56k modem was a PCI card. Later we had ISDN and ADSL modems (I still use the latter to this day). I only got a router (a Linksys device) to attach multiple computers to the internet. It was a few years before ISPs started bundling routers and WiFi APs.
replies(1): >>thebru+272
54. thebru+272 2024-06-02 08:04:50
>>globul+l12
I hadn’t made that connection about 56k and public IPs until now. I just used it at the time before I had any of the knowledge I do now. Interesting!
replies(1): >>globul+5m2
55. tempie+ih2 2024-06-02 10:29:55
>>throw0+Fc1
Firewalls are a thing!
56. globul+5m2 2024-06-02 11:37:07
>>thebru+272
I didn't think about it before I got the router. I found it a bit annoying because I had to think about things like port forwarding. Previously everything just worked without any configuration (like P2P file sharing or running a game server). I'm not sure I really understood it even then, though. Just followed instructions parrot fashion.
replies(1): >>thebru+hn2
57. thebru+hn2 2024-06-02 11:49:53
>>globul+5m2
Yep, same for me. I was just a teenager wanting to play games and then suddenly I had to know about port forwarding.
58. oarsin+PK2 2024-06-02 15:09:35
>>crazyg+d81
https://www.amiunique.org/ is scary and eye opening