Chrome blocks multiple TCP ports to prevent NAT Slipstreaming attacks

Google recently blocked 7 TCP ports in the Chrome browser. Users who try to visit websites served on these ports will not be able to reach them. The main purpose of the move is to prevent exploitation of the NAT Slipstreaming 2.0 vulnerability.

To cope with the exhaustion of public IP addresses and improve network security, almost all routers and firewalls provide a function called Network Address Translation (NAT). It lets devices that only have private network IP addresses still connect to the Internet.

With NAT, the router tracks the requests that internal devices make to the Internet and sends them out using the router’s public IP address. When the remote computer responds, the router automatically forwards the response back to the internal device that issued the original request.

Last month, security researchers Samy Kamkar, Ben Seri, and Gregory Vishnepolsky disclosed a new type of NAT Slipstreaming vulnerability. It allows websites that host malicious scripts to send specially designed responses that bypass the NAT firewall of website visitors and gain access to any TCP/UDP port on the user’s internal network.

When this vulnerability was first disclosed, Google stated that Chrome 87 would block HTTP and HTTPS access to TCP ports 5060 and 5061 to prevent it.

Recently, Google announced that the Chrome browser will also block HTTP, HTTPS, and FTP access to TCP ports 69, 137, 161, 1719, 1720, 1723, and 6566.

The NAT Slipstreaming 2.0 attack is a cross-protocol request forgery that allows Internet servers with malicious scripts to attack computers on private networks behind NAT devices. This attack depends on being able to send traffic on port 1720 (H.323).

Google explained in the feature description on its Chrome status page: “To prevent future attacks, this change also blocks several other ports which are known to be inspected by NAT devices and may be subject to similar exploitation.”

When users try to use these ports to connect to a website, the Chrome browser will display a message stating that the website cannot be accessed and give an ERR_UNSAFE_PORT error message.

Developers who host a website on one of these ports should switch to another port so that users can continue to visit the website without being affected by this Chrome feature.
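To find affected endpoints before users hit ERR_UNSAFE_PORT, an inventory of service URLs can be checked against the ports named in this article. The following is an added example, not code from Google or Chrome; the inventory format, hostnames and function names are constructed for illustration, and the port set contains only the ports listed above.

```javascript
// Ports this article names as blocked by Chrome. The article describes the
// block for HTTP, HTTPS and FTP access, so only those schemes are audited.
const PAGE_BLOCKED_PORTS = new Set([69, 137, 161, 1719, 1720, 1723, 5060, 5061, 6566]);
const AFFECTED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Constructed sample inventory ("name, url" per line); not from the article.
const SAMPLE_INVENTORY = `
# name, url
intranet-wiki, https://wiki.example.test/
voip-admin, http://pbx.example.test:5060/admin
h323-status, https://gk.example.test:1720/status
metrics, http://[2001:db8::10]:9100/metrics
scanner-ui, HTTP://scan.example.test:6566
tftp-mirror, ftp://files.example.test:69/pub
sip-trunk, sip:trunk@pbx.example.test:5060
typo, not-a-url
`;

// Classify one URL: "blocked", "ok", "not-affected-scheme" or "unparseable".
function auditUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { raw, status: "unparseable" };
  }
  if (!AFFECTED_SCHEMES.has(url.protocol)) return { raw, status: "not-affected-scheme" };
  // URL.port is "" when the scheme's default port is used (80, 443, 21).
  const port = url.port === "" ? null : Number(url.port);
  if (port !== null && PAGE_BLOCKED_PORTS.has(port)) {
    return { raw, status: "blocked", host: url.hostname, port };
  }
  return { raw, status: "ok" };
}

// Audit every non-comment line and return only entries that need attention.
function auditInventory(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const trimmed = line.trim();
    if (trimmed === "" || trimmed.startsWith("#")) continue;
    const comma = trimmed.indexOf(",");
    if (comma === -1) continue; // not a "name, url" line
    const name = trimmed.slice(0, comma).trim();
    const result = auditUrl(trimmed.slice(comma + 1).trim());
    if (result.status !== "ok") findings.push({ name, ...result });
  }
  return findings;
}
console.table(auditInventory(SAMPLE_INVENTORY));
```

Entries reported as `blocked` are the ones to move to another port; `not-affected-scheme` and `unparseable` entries are listed so they can be reviewed by hand.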

Firefox, Edge, and Safari will each add corresponding protections against the NAT Slipstreaming 2.0 vulnerability. It is not clear which ports Safari and Firefox will block, but since Edge and Chrome use the same browser engine, Edge may block the same ports.