Port Forwarding Services Are Forwarding Security Risks
- URL: http://arxiv.org/abs/2403.16060v2
- Date: Wed, 10 Apr 2024 03:53:46 GMT
- Title: Port Forwarding Services Are Forwarding Security Risks
- Authors: Haoyuan Wang, Yue Xue, Xuan Feng, Chao Zhou, Xianghang Mi,
- Abstract summary: Port forwarding services (PFS) make web services deployed in internal networks available on the Internet along with better usability.
Our study is made possible through a set of novel methodologies, which are designed to uncover the technical mechanisms of PFS.
We have observed the widespread adoption of PFS with millions of PFWs distributed across tens of thousands of ISPs worldwide.
- Score: 8.215468758011172
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: We conduct the first comprehensive security study on representative port forwarding services (PFS), which emerge in recent years and make the web services deployed in internal networks available on the Internet along with better usability but less complexity compared to traditional techniques (e.g., NAT traversal techniques). Our study is made possible through a set of novel methodologies, which are designed to uncover the technical mechanisms of PFS, experiment attack scenarios for PFS protocols, automatically discover and snapshot port-forwarded websites (PFWs) at scale, and classify PFWs into well-observed categories. Leveraging these methodologies, we have observed the widespread adoption of PFS with millions of PFWs distributed across tens of thousands of ISPs worldwide. Furthermore, 32.31% PFWs have been classified into website categories that serve access to critical data or infrastructure, such as, web consoles for industrial control systems, IoT controllers, code repositories, and office automation systems. And 18.57% PFWs didn't enforce any access control for external visitors. Also identified are two types of attacks inherent in the protocols of Oray (one well-adopted PFS provider), and the notable abuse of PFSes by malicious actors in activities such as malware distribution, botnet operation and phishing.
Related papers
- MCP Guardian: A Security-First Layer for Safeguarding MCP-Based AI System [0.0]
We present MCP Guardian, a framework that strengthens MCP-based communication with authentication, rate-limiting, logging, tracing, and Web Application Firewall (WAF) scanning.
Our approach fosters secure, scalable data access for AI assistants, underscoring the importance of a defense-in-depth approach.
arXiv Detail & Related papers (2025-04-17T08:49:10Z) - In-House Evaluation Is Not Enough: Towards Robust Third-Party Flaw Disclosure for General-Purpose AI [93.33036653316591]
We call for three interventions to advance system safety.
First, we propose using standardized AI flaw reports and rules of engagement for researchers.
Second, we propose GPAI system providers adopt broadly-scoped flaw disclosure programs.
Third, we advocate for the development of improved infrastructure to coordinate distribution of flaw reports.
arXiv Detail & Related papers (2025-03-21T05:09:46Z) - Anomaly-Flow: A Multi-domain Federated Generative Adversarial Network for Distributed Denial-of-Service Detection [2.5072568692549964]
Distributed denial-of-service (DDoS) attacks remain a critical threat to Internet services.
Current solutions struggle with multi-domain environments where attacks must be detected across heterogeneous networks.
This paper introduces Anomaly-Flow, a novel framework that combines Federated Learning (FL) with Generative Adversarial Networks (GANs) for privacy-preserving, multi-domain DDoS detection.
arXiv Detail & Related papers (2025-03-18T18:13:51Z) - Exploiting Cross-Layer Vulnerabilities: Off-Path Attacks on the TCP/IP Protocol Suite [26.96330717492493]
We investigate cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages.
We uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing.
These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks.
arXiv Detail & Related papers (2024-11-15T02:41:53Z) - Reverse Engineered MiniFS File System [1.2891210250935148]
This paper addresses the vulnerabilities inherent in Wi-Fi APs using proprietary file systems like MiniFS found in TP-Link's AC1900 WiFi router.
Through reverse engineering, we unravel the structure and operation of MiniFS, marking a significant advancement in our understanding of this previously opaque file system.
arXiv Detail & Related papers (2024-07-06T12:49:37Z) - Peer2PIR: Private Queries for IPFS [4.88160756739524]
The InterPlanetary File System (IPFS) is a peer-to-peer network for storing data in a distributed file system, hosting over 190,000 peers spanning 152 countries.
Our work highlights and addresses novel challenges inherent to integrating PIR into distributed systems.
We present our new, private protocols and demonstrate they incur reasonably low communication and computation overheads.
arXiv Detail & Related papers (2024-05-27T16:09:25Z) - EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data.
While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated.
We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
arXiv Detail & Related papers (2024-05-21T06:14:49Z) - Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols [4.843690497661255]
We focus on the security of backends speaking IoT protocols, that is, the backbone of the IoT ecosystem.
We gather a dataset of over 337,000 provider data to investigate three major security threats: information, weak authentication, and denial of service.
We find that 9.44% backends expose information, 30.38% CoAP-speaking backends are vulnerable to denial of service attacks, and 99.84% of backends use insecure transport protocols.
arXiv Detail & Related papers (2024-05-15T19:04:30Z) - Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z) - A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z) - HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs)
TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks.
We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
arXiv Detail & Related papers (2024-01-17T00:56:23Z) - A Holistic Approach for Trustworthy Distributed Systems with WebAssembly and TEEs [2.0198678236144474]
This paper introduces a novel approach using WebAssembly to address these issues.
We present the design of a portable and fully attested publish/subscribe system as a holistic approach.
Our experimental results showcase most overheads, revealing a 1.55x decrease in message throughput when using a trusted broker.
arXiv Detail & Related papers (2023-12-01T16:37:48Z) - Exploring Security Practices in Infrastructure as Code: An Empirical
Study [54.669404064111795]
Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools.
scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks.
Ensuring security relies on practitioners understanding and the adoption of explicit policies, guidelines, or best practices.
arXiv Detail & Related papers (2023-08-07T23:43:32Z) - NAS-FAS: Static-Dynamic Central Difference Network Search for Face
Anti-Spoofing [94.89405915373857]
Face anti-spoofing (FAS) plays a vital role in securing face recognition systems.
Existing methods rely on expert-designed networks, which may lead to a sub-optimal solution for task FAS.
Here we propose the first FAS method based on neural search (NAS), called FAS-FAS, to discover the well-suited task-aware networks.
arXiv Detail & Related papers (2020-11-03T23:34:40Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.