Is Symmetric NAT Scary?

    The task of directly connecting two machines that both sit behind NAT is as old as the world, and I think many have heard of UDP hole punching. When I first got interested in the question, I settled on the opinion that punching through a symmetric NAT is impossible and not even worth trying. Recently, however, I came across an article claiming that a symmetric NAT is not a death sentence.

    Let's figure it out.

    NAT Types


    Traditionally, many articles on the Internet divide all NATs into four types:
    • Full-cone NAT;
    • Address-restricted cone NAT;
    • Port-restricted cone NAT;
    • Symmetric NAT.

    This is not actually true, or more precisely, not quite right. Any NAT has two independent characteristics:

    1) the filter applied to incoming packets;
    2) the rule for mapping outgoing ports.

    The first characteristic is the one most articles actually describe: it says which incoming packets are forwarded to the machine behind the NAT: all of them (no filter: full cone), only those from a specific address (address-restricted), or only those from a specific address and port (port-restricted). RFC 4787 calls these endpoint-independent, address-dependent and address-and-port-dependent filtering.

    The second characteristic is where symmetric NAT differs, since the first three types try to keep the mapping one-to-one: the same internal socket gets the same external port no matter where it sends. For example, if the client sends a packet from the internal address 192.168.10.24:62145, the packet leaves the router from 1.2.3.4:62145, regardless of the destination address. (Strictly speaking, the cone types only promise that the external port is the same for every destination; that it also equals the internal port is the common case, not a requirement.)

    Symmetric NAT


    Now for symmetric NAT in more detail. Let me say right away that its filter for incoming packets can also be of any kind (none, address-restricted or port-restricted). The only difference between this type and the previous ones is precisely in how the router chooses the outgoing port: it will almost certainly differ from the client's original port, and it depends on where the packet is going. Returning to the previous example, the mapping might look like this: 192.168.10.24:62145 -> 1.2.3.4:1274.

    The port itself is chosen randomly (or not randomly but in sequence; either way we cannot influence the choice from outside). But there are rules for when a new port is chosen, and they mirror the incoming packet filter:

    • the port may always stay the same regardless of the destination (cone);
    • the port may stay the same only for a specific destination address (address);
    • the port may stay the same only for a specific destination address and port (port).

    RFC 4787 calls these endpoint-independent, address-dependent and address-and-port-dependent mapping; the latter two are what "symmetric" means.


    There are also rules for choosing the next port: it can be a fixed delta (+1/-1 or +10/-10), or a completely different port every time. I have also seen one NAT in which each subsequent port was separated from the previous one by a random amount that was always a multiple of 4096.
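    To make the mapping rules and the port allocation rules concrete, here is a small model of them in Python. This is an added example, not the article's stun client: the router's public address, the two server addresses and the delta values are assumptions chosen for the demonstration, and the inbound filter is deliberately left out. The probe it runs is the four-destination test the article uses below (two server addresses, each on two ports, from one internal socket), so the output is exactly the list of mapped ports such a test would see for each rule.

```python
# Added example, not the article's stun.c: a toy model of the port mapping
# rules described above. The addresses, ports and deltas are constructed.
import random

EXTERNAL_IP = "1.2.3.4"                  # the router's public address (constructed)
CLIENT = ("192.168.10.24", 62145)        # the article's example internal socket


class ToyNat:
    """Port mapping rule of a NAT; the inbound filter is a separate property
    and is not modelled here.

    mapping:    'cone'    one external port per internal socket, any destination
                'address' one external port per (socket, destination address)
                'port'    one external port per (socket, destination address:port)
    allocation: ('preserve',)   keep the internal port (the non-symmetric case)
                ('delta', n)    previous external port + n   (+1/-1, +10/-10 ...)
                ('random', g)   random port that is a multiple of g
    """

    def __init__(self, mapping, allocation, first_port=1274, seed=0):
        self.mapping, self.allocation = mapping, allocation
        self.next_port = first_port
        self.table = {}                      # mapping key -> external port
        self.rng = random.Random(seed)       # seeded so runs are reproducible

    def _key(self, src, dst):
        if self.mapping == "cone":
            return src
        if self.mapping == "address":
            return (src, dst[0])
        if self.mapping == "port":
            return (src, dst)
        raise ValueError("unknown mapping rule: %s" % self.mapping)

    def _allocate(self, src):
        kind = self.allocation[0]
        if kind == "preserve":
            return src[1]
        if kind == "delta":
            port = self.next_port
            self.next_port += self.allocation[1]
            return port
        if kind == "random":
            granularity = self.allocation[1]
            return self.rng.randrange(1, 65536 // granularity) * granularity
        raise ValueError("unknown allocation rule: %s" % kind)

    def send(self, dst, src=CLIENT):
        """External (ip, port) a datagram from src to dst leaves the router with."""
        key = self._key(src, dst)
        if key not in self.table:            # first packet for this key: new mapping
            self.table[key] = self._allocate(src)
        return (EXTERNAL_IP, self.table[key])


# Two server addresses x two ports, all sent from the same internal socket.
PROBE_DESTINATIONS = [("203.0.113.1", 3478), ("203.0.113.1", 3479),
                      ("203.0.113.2", 3478), ("203.0.113.2", 3479)]


def probe(nat):
    """External ports seen by the four destinations, in send order."""
    return [nat.send(dst)[1] for dst in PROBE_DESTINATIONS]


if __name__ == "__main__":
    for mapping, allocation in [("cone", ("preserve",)), ("address", ("delta", 1)),
                                ("port", ("delta", 10)), ("port", ("random", 4096))]:
        print(mapping, allocation, probe(ToyNat(mapping, allocation)))
```

    Note that the delta only shows up when a new mapping is created: with per-address mapping the second request to the same server address reuses the first port, so the four probes yield two distinct ports, while per-address:port mapping yields four.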

    Instead of a conclusion


    So it is clear that if you know the port allocation rule and the delta, you can guess which port the next outgoing packet will leave from, and accordingly punch through that very symmetric NAT. Of course, if the port is chosen randomly, this trick will not work.

    Well, we have arrived at the point and purpose of this article: the answer to the question

    “Is it possible to determine the port allocation rule and the delta while sitting behind the NAT?”

    STUN will help us here, of course. The task is to make four requests from one socket (one local port) to different addresses and ports (two server addresses, each on two ports) and compare the mapped ports the server reports back: from that we can tell how outgoing ports are allocated (per address or per address and port) and try to compute the delta.
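    Here, as an added example that is not the article's stun.c, is the exchange those four requests rely on and the evaluation of what comes back, done offline so it runs without a server: a STUN Binding Request is built, the server's Binding Success is parsed for its XOR-MAPPED-ADDRESS attribute (RFC 5389 format; the older MAPPED-ADDRESS attribute is not handled), and the four mapped ports are classified. The server addresses, the public address 1.2.3.4 and the mapped port sequences are constructed for the demonstration; the "next" field is the port a further packet to a new destination is expected to get, which is the value hole punching needs.

```python
# Added example, not the article's stun.c: the STUN Binding exchange behind
# the four-request test, run offline against constructed replies, and the
# evaluation of the four mapped ports. Server addresses are constructed.
import math
import os
import struct
from functools import reduce
from ipaddress import IPv4Address

MAGIC_COOKIE = 0x2112A442                 # RFC 5389 fixed header value
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def binding_request(txid):
    """Binding Request with no attributes: type, length, cookie, 12-byte txid."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def binding_success(txid, ip, port):
    """A server's Binding Success carrying XOR-MAPPED-ADDRESS (used here only
    to construct the replies a real server would send back)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped(resp, txid):
    """(ip, port) the server saw us from, after checking cookie, txid and type."""
    mtype, length, cookie = struct.unpack("!HHI", resp[:8])
    if cookie != MAGIC_COOKIE or resp[8:20] != txid or mtype != BINDING_SUCCESS:
        raise ValueError("not a matching Binding Success response")
    body, off = resp[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and val[1] == 0x01:   # IPv4 family
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", val[4:8])[0] ^ MAGIC_COOKIE
            return str(IPv4Address(addr)), port
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def evaluate(probes):
    """probes: [((dst_ip, dst_port), mapped_port), ...] in send order.
    Returns the mapping rule, the delta if every new allocation used the same
    one (else None), the stride (gcd of the jumps, e.g. 4096) and the port the
    next new mapping is expected to get, which is what hole punching needs."""
    ports = [p for _, p in probes]
    if len(set(ports)) == 1:
        return {"mapping": "cone", "delta": 0, "stride": 0, "next": ports[0]}
    per_addr = {}
    for (ip, _), p in probes:
        per_addr.setdefault(ip, set()).add(p)
    mapping = "address" if all(len(s) == 1 for s in per_addr.values()) else "port"
    jumps = [b - a for a, b in zip(ports, ports[1:]) if b != a]
    delta = jumps[0] if len(set(jumps)) == 1 else None
    return {"mapping": mapping, "delta": delta,
            "stride": reduce(math.gcd, jumps),
            "next": ports[-1] + delta if delta is not None else None}


SERVERS = [("203.0.113.1", 3478), ("203.0.113.1", 3479),   # constructed
           ("203.0.113.2", 3478), ("203.0.113.2", 3479)]   # STUN server endpoints


def run_probe(mapped_ports):
    """Offline stand-in for the four requests from one socket: the i-th server
    answers with the external port we pretend the NAT allocated for it."""
    results = []
    for dst, mapped_port in zip(SERVERS, mapped_ports):
        txid = os.urandom(12)
        request = binding_request(txid)                        # would go to dst (not sent here)
        reply = binding_success(txid, "1.2.3.4", mapped_port)  # what dst would return
        results.append((dst, parse_mapped(reply, txid)[1]))
    return evaluate(results)


if __name__ == "__main__":
    print(run_probe([55907, 55907, 55907, 55907]))   # the author's own result below
    print(run_probe([1274, 1274, 1275, 1275]))       # per-address mapping, delta +1
    print(run_probe([1274, 1284, 1294, 1304]))       # per-address:port, delta +10
    print(run_probe([40960, 45056, 53248, 57344]))   # random jumps, multiples of 4096
```

    With a real server, replace the constructed reply with the datagram received on the same socket and match it to its request by transaction ID; the classification logic stays the same. A NAT whose jumps are random but share a stride (the multiple-of-4096 case) yields a stride without a delta, which still narrows the range a peer has to try.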

    And now I ask the Habr community to help me with statistics. I found a simple STUN client on the Internet, filed it down a bit, and this is what came out:

    Source

    Linux users know perfectly well how to compile this, like so:
    gcc -o stun stun.c -lpthread
    (the library goes after the source file: with a linker that defaults to --as-needed, putting -lpthread first can leave the pthread symbols unresolved.)


    On Windows it compiles fine with Visual Studio; here is the binary, if you do not have Studio to hand.

    Forgive me, stun.counterpath.net, for the Habr effect :)

    Here are my results, but I do not have a symmetric NAT, so they are not interesting:

    Results
    tests: 1010
    NAT present: 1
    first preserved port: 1
    preserves port: 0
    type: Port restricted NAT
    mapped ports: 55907 55907 55907 55907


    Thank you all for your help!

    UPD: Please leave your results in the comments even if your NAT is not symmetric; in any case, it is important to know the distribution by type.
