NAT Slipstream: What it is and How to Protect Your Organization

NAT Slipstreaming

Cyber-criminals are always evolving their attack methods to beat even the strongest security measures. Privacy and security researcher Samy Kamkar recently demonstrated a new way for bad actors to strike, reporting the findings last weekend. With the new technique, called NAT Slipstreaming, an attacker can bypass an organization's firewall altogether and remotely reach TCP/UDP services on an internal machine.

Organizations should pay close attention to this new method of attack and take immediate action to protect themselves.  

What is NAT Slipstream and How Does it Work?

First, it's important to understand what NAT Slipstreaming is and how it works. Network Address Translation (NAT) is the process in which a network device or firewall rewrites one IP address into another while the data is in transit. This reduces the number of public IP addresses an organization needs for its network, which is often advantageous from a security standpoint.

However, NAT also leaves organizations exposed to NAT Slipstreaming. The attack relies on TCP segmentation and IP fragmentation and begins when a user visits a webpage carrying malicious JavaScript. While the NAT device rewrites the IP headers of packets, as it normally does, the attacker uses the packet boundaries to place a Session Initiation Protocol (SIP) message at the start of a TCP/UDP packet. Combining packet segmentation with SIP requests lets the script determine the MTU size, data packet size, and TCP and IP header sizes. The script then constructs an outbound HTTP request whose embedded SIP content is parsed by the Application Layer Gateway (ALG), which opens a port to the victim's computer that the attacker can then reach.

This tricks the NAT into opening an inbound connection to the client's device via its internal IP address, creating an opportunity to submit attack JavaScript back to the victim. The attacker can now open any TCP or UDP port remotely, connect to it directly, and expose previously protected information. Kamkar explains: "Once the client gets the packet sizes and internal IP address, it constructs a specially crafted web form that pads the POST data up until we believe the packet will become fragmented, at which point our SIP REGISTER containing internal IP address is appended. The form is submitted via Javascript with no consent from the victim... The router will now forward any port the attacker chooses back to the internal victim, all from simply browsing to a website."
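As an added, defender-side example (not code from the original post or from Kamkar's research), the following Python flags the pattern described above: a SIP REGISTER request line inside traffic to a non-SIP port, with a Contact header that advertises an RFC 1918 address, which is exactly what a SIP ALG would act on. The sample POST, host names and addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not captured traffic): an HTTP POST whose body is padded
# with filler and then carries a SIP REGISTER naming an internal address/port.
SAMPLE_POST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----formboundary\r\n"
    "\r\n"
    + "A" * 1400 +
    "\r\nREGISTER sip:www.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.1.23:5060\r\n"
    "Contact: <sip:user@192.168.1.23:47000;transport=TCP>\r\n"
    "\r\n"
)

SIP_PORTS = {5060, 5061}
# A SIP request line at the start of a line: "<METHOD> sip:<uri> SIP/2.0"
SIP_REQUEST_RE = re.compile(r"^(REGISTER|INVITE)\s+sips?:\S+\s+SIP/2\.0\s*$", re.M)
# Contact header whose host part is a dotted-quad address with an optional port
CONTACT_RE = re.compile(
    r"^Contact:\s*<sips?:[^@>]*@(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?", re.M | re.I
)


def find_slipstream_indicators(payload: str, dst_port: int) -> list:
    """Return findings for one TCP payload; traffic to a real SIP port is skipped,
    anything else carrying a SIP request line is reported."""
    findings = []
    if dst_port in SIP_PORTS:
        return findings
    req = SIP_REQUEST_RE.search(payload)
    if req is None:
        return findings
    findings.append(
        f"SIP {req.group(1)} request line at byte {req.start()} "
        f"of non-SIP traffic to port {dst_port}"
    )
    # A Contact pointing at a private address is what the ALG would pinhole.
    for host, port in CONTACT_RE.findall(payload):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        if addr.is_private:
            findings.append(
                f"Contact header advertises internal endpoint {host}:{port or '5060'}"
            )
    return findings
```

Run it over reassembled TCP payloads (for example from an IDS or proxy log) and alert on any non-empty result; the byte offset of the request line shows how much padding preceded it.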

You can read the full description of the NAT Slipstreaming attack here.

How Can You Protect Against it?

Organizations can protect themselves against remote NAT Slipstreaming by disabling the Application Layer Gateway (ALG) on their NAT device. If your organization requires ALG, or wants to be protected against other zero-day exploits as well, it is important to properly leverage Layer 7 application inspection, SSL decryption, and your PKI environment to greatly reduce the size of your attack surface.

Vandis can help secure your organization against attacks including NAT Slipstreaming by providing guidance on best practices for PKI implementations, SSL decryption, and Layer 7 application-based policies. To get started with a free, no-obligation conversation, reach out to info@vandis.com or 516-281-2200.