Isn't a NAT router supposed to filter out port scans?

 
 
Martin Underwood
Guest
Posts: n/a

 
      10-12-2005, 09:03 PM
A customer has a Netgear DG834G router. NAT is definitely enabled. However
his McAfee firewall is logging many contacts from various IP addresses
(including servers belonging to his ISP) on ports such as 22 (remote logon),
139 (NetBIOS session), 53 (DNS), 1433 (MS SQL Server), 445 (MS DS - what's
this?) and 135 (DCI endpoint).

I thought that NAT routers, by the very nature of the way they work, should
be preventing unsolicited incoming traffic from even reaching the PC and
hence McAfee. Certainly when I run Grisoft Probe My Ports, the traffic never
reaches Norton Firewall and is presumably blocked at my router. I've not yet
run Probe My Ports on the customer's network.

The router doesn't have any specific "forward traffic on port X to IP
address Y" rules defined.


Alex Fraser
Guest
Posts: n/a

 
      10-12-2005, 11:03 PM
"Martin Underwood" <a@b> wrote in message
news:434d7a07$0$29099$(E-Mail Removed)...
> A customer has a Netgear DG834G router. NAT is definitely enabled.
> However his McAfee firewall is logging many contacts from various IP
> addresses (including servers belonging to his ISP) on ports such as 22
> (remote logon), 139 (NetBIOS session), 53 (DNS), 1433 (MS SQL Server),
> 445 (MS DS - what's this?) and 135 (DCI endpoint).
>
> I thought that NAT routers, by the very nature of the way they work,
> should be preventing unsolicited incoming traffic from even reaching the
> PC and hence McAfee.


Indeed, this is inherent: which LAN address should the destination address
of the incoming packet be translated to?

[snip]
> The router doesn't have any specific "forward traffic on port X to IP
> address Y" rules defined.


Given that, I can only think of two explanations: the computer's IP address
is set as the "DMZ" on the router, or the source addresses are spoofed and
the traffic in fact originates on the LAN. The former seems more likely.

Alex


Gaz
Guest
Posts: n/a

 
      10-16-2005, 02:31 AM
Alex Fraser wrote:
> "Martin Underwood" <a@b> wrote in message
> news:434d7a07$0$29099$(E-Mail Removed)...
>> A customer has a Netgear DG834G router. NAT is definitely enabled.
>> However his McAfee firewall is logging many contacts from various IP
>> addresses (including servers belonging to his ISP) on ports such as 22
>> (remote logon), 139 (NetBIOS session), 53 (DNS), 1433 (MS SQL Server),
>> 445 (MS DS - what's this?) and 135 (DCI endpoint).
>>
>> I thought that NAT routers, by the very nature of the way they work,
>> should be preventing unsolicited incoming traffic from even reaching the
>> PC and hence McAfee.

>
> Indeed, this is inherent: which LAN address should the destination address
> of the incoming packet be translated to?
>
> [snip]
>> The router doesn't have any specific "forward traffic on port X to IP
>> address Y" rules defined.

>
> Given that, I can only think of two explanations: the computer's IP
> address
> is set as the "DMZ" on the router, or the source addresses are spoofed and
> the traffic in fact originates on the LAN. The former seems more likely.
>
> Alex


If the computer was sending outgoing communications via trojan/virus/spyware,
wouldn't that enable a related incoming communication to make its way through
the NAT? What about UPnP, is that enabled on the router?

Gaz


Martin Underwood
Guest
Posts: n/a

 
      10-16-2005, 09:21 AM
Gaz wrote in
(E-Mail Removed):

> Alex Fraser wrote:
>> "Martin Underwood" <a@b> wrote in message
>> news:434d7a07$0$29099$(E-Mail Removed)...
>>> A customer has a Netgear DG834G router. NAT is definitely enabled.
>>> However his McAfee firewall is logging many contacts from various IP
>>> addresses (including servers belonging to his ISP) on ports such as
>>> 22 (remote logon), 139 (NetBIOS session), 53 (DNS), 1433 (MS SQL
>>> Server), 445 (MS DS - what's this?) and 135 (DCI endpoint).
>>>
>>> I thought that NAT routers, by the very nature of the way they work,
>>> should be preventing unsolicited incoming traffic from even
>>> reaching the PC and hence McAfee.

>
> If the computer was sending outgoing communications via
> trojan/virus/spyware wouldnt that enable a related incoming
> communication to make its way through the nat? What about upnp, is
> that enabled on the router??


I'd not thought of solicited traffic from spyware on the computer, partly
because the PC is only about 1 month old - but it could still have become
infected, I suppose. I'll run AdAware and also a McAfee virus scan to see if
anything shows up. I'm not sure about uPnP. I wouldn't have consciously
turned it on, but it might have been turned on by default, though I'm not
sure if the Netgear DG834G supports uPnP.

I'll run GRC's Probe My Ports as well to see whether the probes get through
to McAfee or are stopped at the router's firewall.


Alex Fraser
Guest
Posts: n/a

 
      10-16-2005, 10:29 AM
"Martin Underwood" <(E-Mail Removed)> wrote in message
news:43521b88$0$29106$(E-Mail Removed)...
> Gaz wrote in
> (E-Mail Removed):
>>> "Martin Underwood" <a@b> wrote in message
>>> news:434d7a07$0$29099$(E-Mail Removed)...
>>>> A customer has a Netgear DG834G router. NAT is definitely enabled.
>>>> However his McAfee firewall is logging many contacts from various IP
>>>> addresses (including servers belonging to his ISP) on ports such as
>>>> 22 (remote logon), 139 (NetBIOS session), 53 (DNS), 1433 (MS SQL
>>>> Server), 445 (MS DS - what's this?) and 135 (DCI endpoint).
>>>>
>>>> I thought that NAT routers, by the very nature of the way they work,
>>>> should be preventing unsolicited incoming traffic from even
>>>> reaching the PC and hence McAfee.

>>
>> If the computer was sending outgoing communications via
>> trojan/virus/spyware wouldnt that enable a related incoming
>> communication to make its way through the nat? What about upnp, is
>> that enabled on the router??

>
> I'd not thought of solicited traffic from spyware on the computer, partly
> because the PC is only about 1 month old - but it could still have become
> infected, I suppose.


It is worth checking but if the firewall is allowing something out, the
chances are it would allow related traffic - at least anything the router
would consider to be related - back in.

> I'm not sure about uPnP. I wouldn't have consciously turned it on, but it
> might have been turned on by default, though I'm not sure if the Netgear
> DG834G supports uPnP.


I don't know if it is supported either, but if it is, it would be reasonable
for it to be enabled by default. In any case, though it would explain what
you've seen, I don't know of any malware that (ab)uses it, nor can I think
why any would want to.

> I'll run GRC's Probe My Ports as well to see whether the probes get
> through to McAfee or are stopped at the router's firewall.


That would be the first thing I'd try. The ports you mentioned in your
original post are among the most common for unsolicited connection attempts
from the Internet at large.

Alex


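To make the two points in Alex's replies concrete (an unsolicited packet has no LAN destination unless a DMZ host or port-forward rule supplies one, while an outbound flow, malware's included, creates the mapping that lets the reply back in), here is an added Python model of a NAT translation table. It is not code from this thread; the addresses, the port numbers and the address-and-port-restricted matching rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the example (not from the thread).
LAN_PC = "192.168.0.10"
WAN_IP = "203.0.113.5"
Mapping = Tuple[str, int, str, int]  # (lan_ip, lan_port, remote_ip, remote_port)


@dataclass
class NatRouter:
    """Minimal NAPT model: outbound flows create mappings; an inbound packet is
    delivered only via a mapping, a port-forward rule, or a DMZ host.
    Assumes address-and-port-restricted matching: a reply must come from the
    same remote address and port the LAN host talked to."""
    dmz_host: Optional[str] = None
    forwards: Dict[Tuple[str, int], str] = field(default_factory=dict)
    table: Dict[Tuple[str, int], Mapping] = field(default_factory=dict)
    next_wan_port: int = 40000

    def outbound(self, proto: str, lan_ip: str, lan_port: int,
                 remote_ip: str, remote_port: int) -> Tuple[str, int]:
        """LAN host opens a flow: allocate a WAN port and record the mapping."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.table[(proto, wan_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return WAN_IP, wan_port

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Tuple[str, int, str]]:
        """Packet arrives on the WAN side. Returns (lan_ip, lan_port, reason)
        when it is delivered, or None when the router has nowhere to send it."""
        entry = self.table.get((proto, dst_port))
        if entry and entry[2:] == (src_ip, src_port):
            return entry[0], entry[1], "related to an outbound flow"
        if (proto, dst_port) in self.forwards:
            return self.forwards[(proto, dst_port)], dst_port, "port-forward rule"
        if self.dmz_host is not None:
            return self.dmz_host, dst_port, "DMZ host receives everything"
        return None  # unsolicited: no mapping, so it never reaches a LAN host


def scan_hits(router: NatRouter, scanner: str, ports: List[int]) -> Dict[int, Optional[str]]:
    """For each probed TCP port, the reason it reached a LAN host, or None if dropped."""
    hits: Dict[int, Optional[str]] = {}
    for port in ports:
        result = router.inbound("tcp", scanner, 5555, port)
        hits[port] = result[2] if result else None
    return hits
```

With a plain NatRouter() every port in the original post's list comes back None; with dmz_host set to the PC's address, all of them are delivered, which is the pattern the McAfee log shows.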
Jeff Gaines
Guest
Posts: n/a

 
      10-16-2005, 11:57 AM
On 16/10/2005 Martin Underwood wrote:

> I'd not thought of solicited traffic from spyware on the computer,
> partly because the PC is only about 1 month old - but it could still
> have become infected, I suppose.



6 seconds was my record when I decided to go online to get a driver
before the firewall was running; it was 'teekids', whatever that is :-(

--
Jeff Gaines - Damerham Hampshire UK
Using XanaNews 1.17.6.5