RE: DDOS attacks and Large ISPs doing NAT?

To merge these 2 great threads, it is the case is it not that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey I didn't use all that traffic last month....etc etc"

I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.

And as for NAT breaking applications, I think it's time the applications wised up and worked around the NAT issues. Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible, right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there, they try to use, in order, multicast (the most efficient and best quality), UDP, TCP then HTTP. If it can't get a connection with any of the first protocols, it falls back to HTTP, and you get your stream.

When you look at the economics of usability of your app, I think you're going to want to make it work through firewalls.

Jm
-----Original Message-----
From: Jake Khuon [mailto:khuon@NEEBU.Net]
Sent: Thursday, May 02, 2002 1:51 AM
To: nanog@merit.edu
Subject: Re: Large ISPs doing NAT?
### On Thu, 2 May 2002 10:42:01 +0200, "Daniska Tomas" <tomas@tronet.com>
### casually decided to expound upon <nanog@merit.edu> the following
### thoughts about "RE: Large ISPs doing NAT? ":
DT> and what if one of the devices behind that phone would also be a
DT> personal "ip gateway router" (or how you call that)... you could
DT> recursively iterate as deep as your mail size allows you to...
It's possible. Could it get ugly? Yes. Do we just want to shut our eyes and say "let's not go there."... well... maybe. I just don't think the solution is to say, "this can never happen... we must limit all handheld devices to sitting behind a NAT gateway."
DT> hope this thread will not end in a router behind a router that
DT> serves as a router serving as a router to another router which has
DT> some other routers connected...
God forbid! We might have a network on our hands!
-- Jake Khuon <khuon@NEEBU.Net> | Packet Plumber, Network Engineers for Effective Bandwidth Utilisation | NEEBU Networks

Yo Jon! On Thu, 2 May 2002, Mansey, Jon wrote:
To merge these 2 great threads, it is the case is it not that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey I didn't use all that traffic last month....etc etc"
Who says a NATed host can not be a zombie? Get the NATed host to read an email virus. The virus then connects to an IRC channel that tells the zombie when to spew. Each phone would not spew much, but imagine you got 100M phones to do your DDoS for you...

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

NAT will not help you in this case; on the contrary, NAT will create a SINGLE bottleneck (the NAT router itself) which can not be easily upgraded (you can install 10 web servers instead of one, but you can not install 10 NATs). NAT is good for outgoing calls or to allow a single service to be visible outside of your network. But it's useless for the broadband service - static NAT is equivalent to simply filtering out all unused ports on your server. You can think about a NAT + DNS combination (so that your IP address migrates and a DDOS attack can not succeed without consulting DNS); NAT itself (as IP / port + IP translation) can not prevent DDOS because DDOS is directed to the service point (IP + protocol + port) which should be well known to allow the service itself.

----- Original Message -----
From: "Mansey, Jon" <Jon_Mansey@verestar.com>
To: <nanog@merit.edu>
Sent: Thursday, May 02, 2002 10:30 AM
Subject: RE: DDOS attacks and Large ISPs doing NAT?
To merge these 2 great threads, it is the case is it not that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey I didn't use all that traffic last month....etc etc"
I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.
And as for NAT breaking applications, I think it's time the applications wised up and worked around the NAT issues. Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible, right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there, they try to use, in order, multicast (the most efficient and best quality), UDP, TCP then HTTP. If it can't get a connection with any of the first protocols, it falls back to HTTP, and you get your stream.
When you look at the economics of usability of your app, I think you're going to want to make it work through firewalls.
Jm

--On Thursday, May 2, 2002 10:30 -0700 "Mansey, Jon" <Jon_Mansey@verestar.com> wrote:
To merge these 2 great threads, it is the case is it not that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey I didn't use all that traffic last month....etc etc"
And NAT helps you stop zombie software being installed on the always-on device (phone) precisely how? What's to say that an infected system (or vandal's system) isn't going to be connected inside the NATed space?
I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.
The problem isn't that they're unwashed, the problem is that they're being pushed software that has bugs and holes that can be exploited (oh look, the "bash Microsoft" thread...)
And as for NAT breaking applications, I think it's time the applications wised up and worked around the NAT issues.
And what about those applications (protocols) that already exist and break when NAT exists? Or applications that simply don't scale well when NAT exists?
Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible, right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there, they try to use, in order, multicast (the most efficient and best quality), UDP, TCP then HTTP. If it can't get a connection with any of the first protocols, it falls back to HTTP, and you get your stream.
Right, and as you move toward HTTP you end up with a stream that becomes more and more expensive to deliver (and receive) and it frequently becomes harder and harder (and takes longer) to develop that application.
When you look at the economics of usability of your app, I think you're going to want to make it work through firewalls.
Depends where the firewall is being run as to whether you want it to break the application or not, but if it's possible for all great apps to run through firewalls how long is it going to be before "nasty" apps do that well?
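The points Gary and Alexei make above (a NATed host can still be a zombie, and NAT does not shield the service point but only concentrates traffic on the gateway) can be shown with a toy port-address-translation table. This is an added example, not code from the NANOG thread; the gateway class, host addresses and flow records are all constructed for illustration, and the per-inside-host flow count at the end is the defender's view an operator could take from a real NAT box's translation table.

```python
"""Added example (not from the thread): a toy outbound PAT gateway.
All addresses, ports and flows below are constructed sample data."""
from collections import Counter

PUBLIC_IP = "198.51.100.1"        # constructed: the gateway's one public address
VICTIM = ("203.0.113.10", 80)     # constructed: an external service point (IP + port)


class PatGateway:
    """Minimal outbound-only PAT: (inside_ip, inside_port, dst) -> (PUBLIC_IP, pub_port, dst)."""

    def __init__(self):
        self.next_port = 1024
        self.table = {}           # (inside_ip, inside_port, dst) -> public source port

    def translate(self, inside_ip, inside_port, dst):
        key = (inside_ip, inside_port, dst)
        if key not in self.table:                 # new flow: allocate a public port
            self.table[key] = self.next_port
            self.next_port += 1
        return (PUBLIC_IP, self.table[key], dst)


def build_sample_flows():
    """Constructed inside traffic: one infected phone opening 200 flows to the
    victim's service point, beside a normal client opening 3."""
    flows = [("10.0.0.7", 40000 + i, VICTIM) for i in range(200)]
    flows += [("10.0.0.8", 50000 + i, VICTIM) for i in range(3)]
    return flows


def run_through_gateway(flows, gw):
    """What the victim sees after translation: every flow still arrives at the
    well-known service point, all with the gateway's single public source address."""
    return [gw.translate(ip, port, dst) for ip, port, dst in flows]


def flows_per_inside_host(gw):
    """Defender's vantage point: count translation entries per (inside host, destination)."""
    counts = Counter()
    for inside_ip, _, dst in gw.table:
        counts[(inside_ip, dst)] += 1
    return counts


def suspected_zombies(gw, threshold=50):
    """Inside hosts that opened at least `threshold` flows to one destination."""
    return sorted({host for (host, _), n in flows_per_inside_host(gw).items() if n >= threshold})


if __name__ == "__main__":
    gw = PatGateway()
    seen = run_through_gateway(build_sample_flows(), gw)
    print("victim sees sources:", {s[0] for s in seen}, "flows:", len(seen))
    print("suspected zombies behind the NAT:", suspected_zombies(gw))
```

The victim observes 203 flows from the one public address and cannot tell the phones apart, while the NAT operator's table singles out the one inside host responsible.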
participants (4): Alexei Roudnev, Gary E. Miller, Ian Cooper, Mansey, Jon