North American Network Operators Group


Re: DDOS attacks and Large ISPs doing NAT?

  • From: Alexei Roudnev
  • Date: Thu May 02 14:11:05 2002

NAT will not help you in this case; on the contrary, NAT will create a SINGLE
bottleneck (the NAT router itself) which cannot be easily upgraded (you can install
10 web servers instead of one, but you cannot install 10 NATs).

NAT is good for outgoing calls or to allow a single service to be visible outside
of your network. But it's useless for broadband service - static NAT is
equivalent to simply filtering out all unused ports on your server.

You can think about a NAT + DNS combination (so that your IP address migrates and a
DDOS attack cannot succeed without consulting DNS); NAT itself (as IP/port + IP
translation) cannot prevent DDOS because DDOS is directed at the service point
(IP + protocol + port), which must be well known to allow the service itself.


----- Original Message -----
From: "Mansey, Jon" <Jon_Mansey@verestar.com>
To: <nanog@merit.edu>
Sent: Thursday, May 02, 2002 10:30 AM
Subject: RE: DDOS attacks and Large ISPs doing NAT?


>
> To merge these 2 great threads, it is the case is it not that NAT is a great
> way to avoid DDOS problems. I don't even want to imagine what the
> billing/credit issues would be like if your always-on phone with a real IP
> is used as a zombie in a DDOS. "Hey I didn't use all that traffic last
> month....etc etc"
>
> I still maintain, since the last time this was on Nanog, that real IP
> addresses should not be entrusted to the great unwashed.
>
> And as for NAT breaking applications, I think it's time the applications
> wised up and worked around the NAT issues. Look, if your application is
> important enough to you as the developer, you are going to want it to
> penetrate and work for as many ppl as possible, right? Office workers, home
> users with gateways, GPRS/GSM/3G cell users etc etc. So you make it use
> protocols that traverse NAT without breaking. Look at the streaming media
> players out there; they try to use, in order, multicast (the most efficient
> and best quality), UDP, TCP, then HTTP. If it can't get a connection with any
> of the first protocols, it falls back to HTTP, and you get your stream.
>
> When you look at the economics of usability of your app, I think you're going
> to want to make it work through firewalls.
>
> Jm
>
>
> > -----Original Message-----
> > From: Jake Khuon [mailto:khuon@NEEBU.Net]
> > Sent: Thursday, May 02, 2002 1:51 AM
> > To: nanog@merit.edu
> > Subject: Re: Large ISPs doing NAT?
> >
> >
> >
> > ### On Thu, 2 May 2002 10:42:01 +0200, "Daniska Tomas"
> > <tomas@tronet.com> ### casually decided to expound upon
> > <nanog@merit.edu> the following ### thoughts about "RE: Large
> > ISPs doing NAT? ":
> >
> > DT> and what if one of the devices behind that phone would also be a
> > DT> personal "ip gateway router" (or how you call that)... you could
> > DT> recursively iterate as deep as your mail size allows you to...
> >
> > It's possible.  Could it get ugly?  Yes.  Do we just want to
> > shut our eyes and say "let's not go there."... well... maybe.
> >  I just don't think the solution is to say, "this can never
> > happen... we must limit all handheld devices to sitting
> > behind a NAT gateway."
> >
> >
> > DT> hope this thread will not end in a router behind a router that
> > DT> serves as a router serving as a router to another router which has
> > DT> some other routers connected...
> >
> > God forbid!  We might have a network on our hands!
> >
> >
> > --
> > /*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
> >  | Packet Plumber, Network Engineers     /| / [~ [~ |) | | --------------- |
> >  | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
> > +=========================================================================*/
> >
>
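The first point in Alexei's reply above (static NAT exposes exactly the same service point as a filter that admits only the used ports, so a flood aimed at the published IP + protocol + port reaches the server either way) can be checked with a small model. This is an added example, not code from the NANOG thread or from any of its participants; the addresses, the `static_nat`/`port_filter` helpers and the flood generator are all constructed for illustration.

```python
"""Toy model of static (one-to-one) NAT versus a stateless port filter.

The point it demonstrates: for a service that must be reachable at a
well-known (IP, protocol, port), a static NAT mapping admits exactly the
same packets as a filter that permits only that (protocol, port), so NAT
buys no DDoS protection at the service point itself.  Constructed example.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")

# Constructed addresses (documentation ranges): the public address on the
# NAT router, and the inside web server it forwards to.  Assumed values.
PUBLIC_IP = "198.51.100.10"
SERVER_IP = "10.0.0.80"


def static_nat(mappings):
    """Build a forwarding function for a static NAT table.

    mappings: {(public_ip, proto, public_port): (inside_ip, inside_port)}
    A packet with no matching entry has nowhere to go and is dropped.
    """
    def forward(pkt):
        key = (pkt.dst, pkt.proto, pkt.dport)
        if key not in mappings:
            return None
        inside_ip, inside_port = mappings[key]
        return pkt._replace(dst=inside_ip, dport=inside_port)
    return forward


def port_filter(allowed):
    """Build a forwarding function for a filter in front of a server that
    holds the public address directly: only (proto, port) pairs listed in
    `allowed` are passed through; everything else is dropped.
    """
    def forward(pkt):
        return pkt if (pkt.proto, pkt.dport) in allowed else None
    return forward


def delivered(forward, packets):
    """Count how many packets still reach the server after `forward`."""
    return sum(1 for p in packets if forward(p) is not None)


def flood(count, dport, proto="tcp", target=PUBLIC_IP):
    """Constructed flood: `count` packets from distinct spoofed sources,
    all aimed at the same destination port on the public address."""
    return [Packet(f"203.0.113.{i % 254 + 1}", target, proto, dport)
            for i in range(count)]


def compare(count=1000):
    """Run the same two floods through static NAT and through a plain
    port filter and report how many packets each lets reach the server."""
    nat = static_nat({(PUBLIC_IP, "tcp", 80): (SERVER_IP, 80)})
    flt = port_filter({("tcp", 80)})
    at_service = flood(count, 80)   # aimed at the published service point
    at_unused = flood(count, 23)    # aimed at a port nobody serves
    return {
        "nat_service": delivered(nat, at_service),
        "filter_service": delivered(flt, at_service),
        "nat_unused": delivered(nat, at_unused),
        "filter_unused": delivered(flt, at_unused),
    }


if __name__ == "__main__":
    for name, reached in compare().items():
        print(f"{name:15s} {reached:5d} packets reached the server")
```

Both mechanisms drop every packet to the unused port and pass every packet to the published one; the only difference NAT makes is that the full flood now transits a single translation device, which is the bottleneck the reply warns about. The DNS-migration idea in the reply is a separate mechanism (changing which address the service point resolves to) and is not modelled here.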