Port Forwarding on Network Make Network Insecure

[SuperShermanTanker]

I was wondering does port forwarding on the network make the network insecure and also if it does make it insecure how do I set things up to make it secure

[Godlygamer23]

Thread moved to Networking.

[Limecat86]

It makes your IP open to DoS/DDoS attacks. But it's very unlikely that kind of attack will happen unless you really piss someone off...

What are you planning to host anyway?

[SuperShermanTanker]

13 minutes ago, Limecat86 said:

It makes your IP open to DoS/DDoS attacks. But it's very unlikely that kind of attack will happen unless you really piss someone off...

What are you planning to host anyway?

A private Minecraft server

[Limecat86]

If it's private/whitelisted then there is not really something to be afraid of.

[brwainer]

Port forwarding in itself doesn't make your network any less secure. What can make your network less secure is if the service you are opening to the world has a security issue. This is most common with web servers where you might have a scripted page that can be exploited in some way, etc. When you are only forwarding for something like minecraft, just keep your minecraft server reasonably up to date and you'll be fine.

[Hamosch]

Another security concern when port forwarding is when there is no listening service on the port, ie. your server is down, now you've got a open port but nothing that listens or takes care of incoming requests. This can be exploited.

 

But as long as open ports have a services listening to them, that like @brwainer said are reasonably up to date, it is nothing to worry about.

[LiMz]

Like @Hamosch said. It's not so much the port forwarding. but what's on the end of the forwarded port that is the concern. Famous ports get sniffed by bots all the time like port 22 (SSH) and 80/8080 (HTTP). Another good practice is to have the outward facing port to be an uncommon one eg. 15443 and have your router point that to the correct port inside your network. 

[Lurick]

2 hours ago, LiMz said:

Like @Hamosch said. It's not so much the port forwarding. but what's on the end of the forwarded port that is the concern. Famous ports get sniffed by bots all the time like port 22 (SSH) and 80/8080 (HTTP). Another good practice is to have the outward facing port to be an uncommon one eg. 15443 and have your router point that to the correct port inside your network. 

This. Pick a random but high-ish end port number and so long as you keep a whitelist of people you allow on the server or who even know about the server then you're chances of getting DDOSed or attacked in another fashion are pretty low.

[Vali]

Uhmm... I have a two questions:

 - What difference makes having a forwarded port in DDOS?

 - Forwarding a port doest not "open" it. How can it be exploitable if there is nothing to listen there?

[Hamosch]

8 hours ago, Vali said:

Uhmm... I have a two questions:

 - What difference makes having a forwarded port in DDOS?

 - Forwarding a port doest not "open" it. How can it be exploitable if there is nothing to listen there?

Your router will forward packets into your LAN without any outgoing requests, that's the security issue. Forwarding into your LAN happens all the time but the difference is that without an open port a connection has to be initiated from the inside, it can't be initiated from the outside.

I was a little to fast to say that the security issue is when the server is offline, the issue is when the IP address exists and the router can forward to it.

Lets take a worst case where your secure server is offline for some reason and the router has given the the servers IP to some other insecure device via DHCP. Now that device is exposed to the internet on that port.

 

(http://superuser.com/questions/284051/what-is-port-forwarding-and-what-is-it-used-for)

Quote

A note on security

One of the nice things about NAT is that it provides some effort-free, built-in security. A lot of people wander the internet looking for machines that are vulnerable... and they do this by attempting to open connections with various ports. These are incoming connections, so, as discussed above, the router will drop them. This means that in a NAT configuration, only the router itself is vulnerable to attacks involving incoming connections. This is a good thing, because the router is much simpler (and thus less likely to be vulnerable) than a computer running a full operating system with a lot of software. You should keep in mind, then, that by DMZing a computer inside your network (setting it as the DMZ destination) you lose that layer of security for that computer: it is now completely open to incoming connections from the internet, so you need to secure it as if it was directly connected. Of course, any time you forward a port, the computer at the receiving end becomes vulnerable on that specific port. So make sure you run up-to-date software that is well configured.

 

[brwainer]

9 hours ago, Vali said:

Uhmm... I have a two questions:

 - What difference makes having a forwarded port in DDOS?

 - Forwarding a port doest not "open" it. How can it be exploitable if there is nothing to listen there?

@Hamosch answered your second question so I'll answer the first:

 

In a DDOS attack, you have many many attacking devices sending data to a single victim device. There are basically three places where a DDOS can take effect:

1. The internet connection of the victim - if the incoming data is greater than the victim's internet speed, then the victim is basically offline. This is the first and most likely place for the DDOS to take effect.

2. The router of the victim - most routers have weak processors that can only do a few hundred Mb/s of NAT. Even some 1900AC routers can't actually do NAT for a gigabit internet connection. So if the incoming traffic overloads the router, it will have the same effects as if the internet connection was overloaded. For most users with a router that isn't 10 years old, this is not likely to happen as the router can probably route faster than the incoming internet speed.

3. A computer on the LAN that has a port forwarded to it - this will only be part of the DDOS if all of the incoming data is directed at the port on the router that is forwarded to the computer. Also, if the internet speed and router haven't reached their limit from the DDOS traffic, then the DDOS would only be affecting this one computer. Seeing as most computers are literally hundreds of times more powerful than the average router (by processor IPC and clock), it is highly unlikely that a DDOS that is already limited by the internet speed and router will be enough to take down the conputer.

 

TL;DR: port forwarding isn't really going to have any effect positive or negative to a DDOS attack.

[Vali]

I understand how forwarding, NAT and DDOS works and that's why I asked:

 

On 3/5/2016 at 10:34 AM, Hamosch said:

Another security concern when port forwarding is when there is no listening service on the port, ie. your server is down, now you've got a open port but nothing that listens or takes care of incoming requests. This can be exploited.

If the request if TCP, it reaches the router, then it is forwarded to an IP:port where no program is active (no socket binded and listening there, maybe not even a host in that IP). If there is no one who can send a SYN/ACK packet therefore the connection is not stablished and packets are dropped or a destination unreachable ICMP is sent to the sender.

 

If you forward a port to a dynamic IP or you assign dynamic IPs in the same range where your servers are, then security is not the only problem you have. Remember, always use manual/fixed IP when you forward ports (they can and will change with time) and never mix DHCP and manual ranges in the same network (or you will end with duplicate IPs).

 

Anyways, I was asking if there was some kind of attack that can exploit an orphan port forwarding in a way similar to this (minutes 1 to 14):

 

12 hours ago, brwainer said:

TL;DR: port forwarding isn't really going to have any effect positive or negative to a DDOS attack.

 

That's my point. I asked because of this affirmation:

 

On 3/5/2016 at 4:26 AM, Limecat86 said:

It makes your IP open to DoS/DDoS attacks. But it's very unlikely that kind of attack will happen unless you really piss someone off...

What are you planning to host anyway?