[Full-Disclosure] Re: NAT router inbound network traffic subversion

Subject: [Full-Disclosure] Re: NAT router inbound network traffic subversion
Date: Fri, 28 Jan 2005 17:52:29 +0000
Can anyone prove me wrong? Can someone push a rogue packet behind a router 
with no client interaction???

I don't claim to be an expert on this, and I'm actually kind of surprised no 
one has mentioned this yet to you but yes, it is always possible. There is such 
a thing as "idlescanning" that does something kind of like this. It works very 
well on NAT routers to expand the inhabitants on the other side. The players 
are A, Z, and T; attacker, zombie, and target, respectively. There's a chart on 
the nmap page about it.

http://www.insecure.org/nmap/idlescan.html

hping is another tool that might work to accomplish what you are describing. 
The complication here is that you cannot simply craft packets to arbitrarily 
send to those on the other side of a NAT router. But you can determine how many 
clients are behind a NAT and spoof packets from them to the router and the 
router will craft packets in response. If you could get the router to respond a 
particular way, you could possibly use that to your advantage in a DoS or other 
malicious way. But the applications that would be susceptible to this must have 
been coded very poorly. Still, supposing a personal firewall automatically 
blocks an IP if it sends a flood of requests, you could use this to make the 
firewall block its own router. This would result in a DoS for the user running 
the firewall, and it didn't involve any interaction on their part.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
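
The self-inflicted block described in the message above, as an added example that is not part of the original post: a rate-based auto-blocker run over constructed packet events, first naively and then with a never-block list for the gateway. The addresses, threshold, window and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, source_ip) of inbound requests as the
# personal firewall sees them. The flood carries the router's address as source.
GATEWAY = "192.168.1.1"          # assumed LAN router address
EVENTS = [(i * 0.05, GATEWAY) for i in range(40)]           # 40 requests in 2 s
EVENTS += [(0.5, "192.168.1.20"), (1.5, "192.168.1.20")]    # ordinary neighbour
EVENTS.sort()

def auto_block(events, threshold=20, window=1.0, never_block=frozenset()):
    """Sliding-window flood detector.

    Returns (blocked, alerts): sources that were blocked, and protected
    sources that crossed the threshold and were only reported.
    """
    recent = defaultdict(deque)   # source -> timestamps inside the window
    blocked, alerts = set(), set()
    for ts, src in events:
        if src in blocked:
            continue              # already dropped by the firewall
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            if src in never_block:
                alerts.add(src)   # report, but keep the default route usable
            else:
                blocked.add(src)
    return blocked, alerts

def naive_policy(events):
    # Blocks any source that floods, including the router itself.
    return auto_block(events)

def hardened_policy(events, gateway=GATEWAY):
    # Same detector, but the gateway is exempt from automatic blocking.
    return auto_block(events, never_block=frozenset({gateway}))

if __name__ == "__main__":
    print("naive   :", naive_policy(EVENTS))
    print("hardened:", hardened_policy(EVENTS))
```

The naive policy cuts the host off from its own router after the 20th request, while the hardened policy leaves the route intact and surfaces the flood as an alert for review.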