We conduct the first comprehensive security study on representative port forwarding services (PFS), which have emerged in recent years and make web services deployed in internal networks available on the Internet with better usability and less complexity than traditional techniques (e.g., NAT traversal techniques). Our study is made possible by a set of novel methodologies designed to uncover the technical mechanisms of PFS, experiment with attack scenarios against PFS protocols, automatically discover and snapshot port-forwarded websites (PFWs) at scale, and classify PFWs into well-observed categories. Leveraging these methodologies, we have observed the widespread adoption of PFS, with millions of PFWs distributed across tens of thousands of ISPs worldwide. Furthermore, 32.31% of PFWs have been classified into website categories that serve access to critical data or infrastructure, such as web consoles for industrial control systems, IoT controllers, code repositories, and office automation systems, and 18.57% of PFWs did not enforce any access control for external visitors. Also identified are two types of attacks inherent in the protocols of Oray (one well-adopted PFS provider), and the notable abuse of PFSes by malicious actors in activities such as malware distribution, botnet operation and phishing.