Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | |||
Survey Data Mining: Home | FAQ | Archive | Glossary |
|
The Report |
What is NAT? |
IP V4 Network Address Translation (NAT) has become an increasingly common function in the Internet for a variety of reasons. NATs are used to interconnect a private network consisting of unregistered IP addresses with a global IP network using limited number of registered IP addresses. NATs are also used to avoid address renumbering in a private network when topology outside the private network changes for variety of reasons. And, there are many other applications of NAT operation.
In other words, in the context of the web servers a browser visits, the IP address we visit, may appear to be one thing, while the server that is actually providing the data may be residing on a completely different IP address, with a device in between (often a firewall) translating traffic to allow communications to work.
When NAT is employed, administrators will typically use one of 3 ranges of IP addresses, known as private, or non-routable addresses. These ranges are designated for private use, and as such cannot be reached directly from the internet. A separate device, such as a firewall, can be configured to send traffic incoming to a specific port (e.g. http port 80) to an internal private address, making it appear as if the webserver is operating on a public address.
The 3 blocks of private addresses, as specified in RFC1918, and reserved by IANA (Internet Assigned Numbers Authority) are:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
How We (Or anyone else) Can Detect NAT Usage |
For example, the following session shows captures a request to a typical web server:
$ telnet www.securityspace.com 80 Trying 216.201.108.18... Connected to www.securityspace.com. Escape character is '^]'. GET /sample.html HTTP/1.0Having issued the request to retrieve the page sample.html, the server responds with the HTTP header and an HTML page.
HTTP/1.1 200 OK Date: Fri, 04 May 2001 20:08:11 GMT Server: Apache/1.3.12 (Unix) Connection: close Content-Type: text/html <HTML> <HEAD></HEAD> <BODY>Sample Page</BODY> </HTML> Connection closed by foreign host. $
Now let's consider the exact same response received from a poorly configured IIS server:
HTTP/1.1 200 OK Server: Microsoft-IIS/4.0 Content-Location: http://10.1.1.1/sample.html Date: Wed, 11 Apr 2001 07:22:38 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Tue, 09 Jan 2001 21:41:34 GMT ETag: "b43f97ef847ac01:4096" Content-Length: 55 <HTML> <HEAD></HEAD> <BODY>Sample Page</BODY> </HTML> Connection closed by foreign host. $
The above example shows that the IIS server is returning a header field called Content-Location, and that this field is showing the location of the document being requested from the webserver's perspective. In this case, it happens to reveal that the web server resides on a private class A address of 10.1.1.1, providing pretty good proof that there is a NAT device between the webserver and the internet at large, and that the device is probably a firewall of some sort.
Is This Really a Problem? |
A general rule of thumb is that you never give out information if you can avoid doing so, unless it is necessary.
How Do We Fix This? |
A different procedure applies to IIS version 4.0 and IIS version 5.0. In addition, a work-around exists involving renaming static web pages to end with .asp and to then configure a custom HTTP Header that specifies a Content-Location tag explicitly.
The Statistics |
Description | Count | Percent |
Number of IIS servers examined | 775,443 | 100.00% |
Number of IIS Servers that revealed the IP address via the Content-Location tag | 370,315 | 47.76% |
Number of IIS Servers that revealed an IP in the Content-Location tag different from the IP accepting the connection | 67,495 | 8.70% |
Number of IIS Servers that revealed a private non-routable IP in the Content-Location tag | 61,302 | 7.91% |
Number of IIS Servers that use the Class A 10.*.*.* private network | 21,374 | 2.76% |
Number of IIS Servers that use the Class B 172.16-31.*.* private network | 8,863 | 1.14% |
Number of IIS Servers that use the Class C 192.168.*.* private network | 31,065 | 4.01% |