Connections to HTTP, HTTPS or FTP servers on ports 69, 137, 161, 1719, 1720, 1723 or 6566 will fail. This is a mitigation for the NAT Slipstream 2.0 attack: https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/. It helps developers by keeping the web platform safe for users.

Motivation

The NAT Slipstream 2.0 attack is a kind of cross-protocol request forgery which permits malicious internet servers to attack computers on a private network behind a NAT device. The attack depends on being able to send traffic on port 1720 (H.323). To prevent future attacks, this change also blocks several other ports which are known to be inspected by NAT devices and may be subject to similar exploitation.

Specification

Editor's draft

Status in Chromium

Internals>Network


Enabled by default in:

  • Chrome for desktop release 87
  • Chrome for Android release 87

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Owner

Comments

HTTP servers using one of the listed ports will be inaccessible. They will have to be modified to run on different ports, and all referring urls updated. Legitimate use of these ports for HTTP servers is rare. This change has already shipped in a point release 87.0.4280.117. At the time the security issue was not disclosed, so the intent to ship is being sent after shipping.

Last updated on 2021-01-28