North American Network Operators Group|
Re: DDOS attacks and Large ISPs doing NAT?
NAT will not help you in this case; on the contrary, NAT will create a SINGLE bottleneck (the NAT router itself) which cannot be easily upgraded (you can install 10 web servers instead of one, but you cannot install 10 NATs). NAT is good for outgoing calls or to allow a single service to be visible outside of your network. But it's useless for the broadband service: static NAT is equivalent to simply filtering out all unused ports on your server.

You can think about a NAT + DNS combination (so that your IP address migrates and a DDoS attack cannot succeed without consulting DNS); NAT itself (as IP / port + IP translation) cannot prevent DDoS because DDoS is directed to the service point (IP + protocol + port), which must be well known to allow the service itself.

----- Original Message -----
From: "Mansey, Jon" <Jon_Mansey@verestar.com>
To: <firstname.lastname@example.org>
Sent: Thursday, May 02, 2002 10:30 AM
Subject: RE: DDOS attacks and Large ISPs doing NAT?

> To merge these 2 great threads, it is the case, is it not, that NAT is a great
> way to avoid DDOS problems. I don't even want to imagine what the
> billing/credit issues would be like if your always-on phone with a real IP
> is used as a zombie in a DDOS. "Hey, I didn't use all that traffic last
> month... etc. etc."
>
> I still maintain, since the last time this was on Nanog, that real IP
> addresses should not be entrusted to the great unwashed.
>
> And as for NAT breaking applications, I think it's time the applications
> wised up and worked around the NAT issues. Look, if your application is
> important enough to you as the developer, you are going to want it to
> penetrate and work for as many people as possible, right? Office workers, home
> users with gateways, GPRS/GSM/3G cell users, etc. etc. So you make it use
> protocols that traverse NAT without breaking. Look at the streaming media
> players out there: they try to use, in order, multicast (the most efficient
> and best quality), UDP, TCP, then HTTP. If it can't get a connection with any
> of the first protocols, it falls back to HTTP, and you get your stream.
>
> When you look at the economics of usability of your app, I think you're going
> to want to make it work through firewalls.
>
> Jm
>
> > -----Original Message-----
> > From: Jake Khuon [mailto:khuon@NEEBU.Net]
> > Sent: Thursday, May 02, 2002 1:51 AM
> > To: email@example.com
> > Subject: Re: Large ISPs doing NAT?
> >
> > ### On Thu, 2 May 2002 10:42:01 +0200, "Daniska Tomas"
> > <firstname.lastname@example.org> ### casually decided to expound upon
> > <email@example.com> the following ### thoughts about "RE: Large
> > ISPs doing NAT? ":
> >
> > DT> and what if one of the devices behind that phone would also be a
> > DT> personal "ip gateway router" (or however you call that)... you could
> > DT> recursively iterate as deep as your mail size allows you to...
> >
> > It's possible. Could it get ugly? Yes. Do we just want to
> > shut our eyes and say "let's not go there"... well... maybe.
> > I just don't think the solution is to say, "this can never
> > happen... we must limit all handheld devices to sitting
> > behind a NAT gateway."
> >
> > DT> hope this thread will not end in a router behind a router that
> > DT> serves as a router serving as a router to another router which has
> > DT> some other routers connected...
> >
> > God forbid! We might have a network on our hands!
> >
> > --
> > /*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
> > | Packet Plumber, Network Engineers     /| / [~ [~ |) | |   --------------- |
> > | for Effective Bandwidth Utilisation  / |/ [_ [_ |) |_|  N E T W O R K S |
> > +=========================================================================*/
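The claim at the top of this message, that a static NAT in front of a server is equivalent to filtering out the unused ports and so does nothing against a flood aimed at the published IP + protocol + port, can be checked with a small packet-forwarding model. The following is an added example written for this archive page, not code from the thread or from any participant; the addresses, ports, DNAT table and packet flood are all constructed for illustration.

```python
"""Toy model of the argument above: a static (port-forward) NAT makes exactly
the same accept/drop decision as a stateless filter that only permits the
published service ports, so a flood aimed at the published IP:port reaches the
server either way. Constructed example; every address, port and packet is made up.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Hypothetical NAT box: published endpoint -> internal server. A static NAT
# is just this table; nothing else about the packet is inspected.
DNAT_TABLE = {
    ("203.0.113.10", "tcp", 80): ("10.0.0.5", 80),
    ("203.0.113.10", "tcp", 443): ("10.0.0.5", 443),
}

# The equivalent non-NAT setup: the server holds the public IP directly and
# a filter permits only the same published (proto, port) pairs.
SERVER_PUBLIC_IP = "203.0.113.10"
ALLOWED_PORTS = {("tcp", 80), ("tcp", 443)}


def dnat(pkt: Packet):
    """Return the translated packet, or None if no mapping exists (dropped)."""
    hit = DNAT_TABLE.get((pkt.dst, pkt.proto, pkt.dport))
    if hit is None:
        return None
    ip, port = hit
    return Packet(pkt.src, ip, pkt.proto, port)


def port_filter(pkt: Packet):
    """Return the packet unchanged if it hits an allowed port, else None."""
    if pkt.dst == SERVER_PUBLIC_IP and (pkt.proto, pkt.dport) in ALLOWED_PORTS:
        return pkt
    return None


def run(packets, forwarder):
    """Push packets through a forwarder; count what reaches the server."""
    delivered = Counter()
    dropped = 0
    for p in packets:
        out = forwarder(p)
        if out is None:
            dropped += 1
        else:
            delivered[(out.proto, out.dport)] += 1
    return delivered, dropped


def constructed_traffic(flood_size=1000):
    """One legitimate client, one probe of an unpublished port, and a flood
    from many spoofed sources aimed at the published port 80."""
    pkts = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),  # unpublished port
    ]
    for i in range(flood_size):
        pkts.append(Packet(f"192.0.2.{i % 254 + 1}", "203.0.113.10", "tcp", 80))
    return pkts


def compare():
    """Run the same traffic through the NAT and through the plain filter."""
    traffic = constructed_traffic()
    return run(traffic, dnat), run(traffic, port_filter)


if __name__ == "__main__":
    (nat_hits, nat_drop), (f_hits, f_drop) = compare()
    print("NAT    delivered:", dict(nat_hits), "dropped:", nat_drop)
    print("filter delivered:", dict(f_hits), "dropped:", f_drop)
    print("identical decisions:", (nat_hits, nat_drop) == (f_hits, f_drop))
```

Both forwarders drop only the probe of the unpublished port and pass all 1000 flood packets to the server, because the flood is addressed to the service point the NAT is obliged to map. Whatever the NAT box can do here, a port filter on the server does equally well, and the NAT box is the single device every one of those packets must cross.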