Web browsers are adding more TCP ports to their block lists in an attempt to prevent exploitation of NAT Slipstream attacks.

NAT Slipstreaming is an attack which tricks the NAT router into allowing external traffic through the NAT firewall to target any internal network device by abusing protocols such as SIP or H.323 where this is allowed behaviour.

Google Chrome is joining Firefox and Safari in blocking HTTP/HTTPS access to port 554 (RTSP) in addition to those already blocked:

• 69 – TFTP
• 137 – NetBIOS Name Service
• 161 – SNMP
• 1719, 1720 – VoIP (H.323)
• 1723 – PPTP
• 5060, 5061 – SIP
• 6566 – SANE network scanner

Firefox also blocks port 10080, while Google Chrome is considering adding that port to the block list.

When developing and testing web applications, it is common for several instances of the application to be deployed on the same server – requiring them to use different TCP ports in order to differentiate the instances.  Users then can specify the port number in the URL in order to select the right system while testing.

Test and Development Web Applications that have been published internally using any of these TCP ports will not be accessible as the browser will block the HTTP/HTTPS traffic – requiring the Web Application to be republished against a different TCP port – and this block list will likely continue to grow over time reflecting the different port numbers being targeted in NAT Slipstreaming attacks.

Attempts to access any web site on one of the blocked ports generates an error. For example Google Chrome throws: ERR_UNSAFE_PORT