We conduct the first comprehensive security study of representative port forwarding services (PFS), which have emerged in recent years and expose web services deployed in internal networks to the Internet with better usability and less complexity than traditional techniques (e.g., NAT traversal). Our study is made possible by a set of novel methodologies designed to uncover the technical mechanisms of PFS, experiment with attack scenarios against PFS protocols, automatically discover and snapshot port-forwarded websites (PFWs) at scale, and classify PFWs into well-observed categories. Leveraging these methodologies, we observe widespread adoption of PFS, with millions of PFWs distributed across tens of thousands of ISPs worldwide. Furthermore, 32.31% of PFWs fall into website categories that provide access to critical data or infrastructure, such as web consoles for industrial control systems, IoT controllers, code repositories, and office automation systems, and 18.57% of PFWs enforce no access control whatsoever for external visitors. We also identify two types of attacks inherent in the protocols of Oray, a widely adopted PFS provider, as well as notable abuse of PFSes by malicious actors in activities such as malware distribution, botnet operation, and phishing.