NAT Slipstreaming v2.0 Bypasses NAT/Firewalls via the Browser
NAT Slipstreaming v2.0 abuses ALG connection tracking to let attackers remotely open any TCP/UDP port behind a victim's NAT via the browser.
NAT Slipstreaming is a browser-based attack that grants a remote attacker access to any TCP/UDP service running behind a victim's NAT, triggered simply by visiting a malicious website. It abuses the Application Level Gateway (ALG) connection-tracking mechanism that NATs and firewalls implement to support multi-port protocols like SIP and H.323.
The attack chains internal IP discovery (via WebRTC or timing attacks), automated MTU and IP-fragmentation boundary detection, TCP packet-size massaging, and TURN authentication field abuse to make the browser inject raw SIP or H.323 protocol packets stripped of HTTP headers. Version 2 introduces TCP-based STUN connections for H.323 call-forwarding, evading both the original v1 patches and browser port restrictions, and can redirect port-forwarding to any other host on the victim's network, not just the victim machine itself.
For engineers, this demonstrates that browser port blocklists and NAT boundaries are insufficient security controls on their own; devices with ALG support need additional hardening, or ALG functionality should be disabled where not strictly required.