Thanks Rich, you bring up some good points. Yes, it would seem that an attack aimed at a target IP address would in fact now have a greater surface, since that IP address is being used by many people. When we remotely-trigger-black-hole (RTBH) route an IP address (/32 host route) into a black hole to stop an attack.... you're right, now you've completed the DDoS, not only for one customer, but hundreds or thousands that were using that public IP address through the NAT appliance. ...to which I've told my NOC to not act on any of the /24's-worth of address space that we use for NAT.

Interestingly, the nature of NAT is that it doesn't allow in-bound traffic unless a previous out-bound packet had been sent from customer-side to internet-side and caused the NAT translation to be built.... therefore, an outside-initiated DDoS attack would be automatically blocked by a NAT boundary*. This would cause the DDoS to not go as far as it did in the non-NAT scenario. ...so with CGNAT you've caused your reach of DDoS to be shortened. ...but of course this doesn't cause the DDoS to not occur and to not reach the NAT boundary...the attack still arrives. You have to continue with other layers of security, defense and mitigation in other areas/layers of your network.

- Aaron

* (I guess unless they were able to guess-spoof the exact IP address and port number of an existing NAT session, but then it would seem that they would only reach that same port-address-translated session destination...which I think would be a single IP address endpoint and port number)
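The two mechanics discussed in the message (unsolicited inbound packets dying at a stateful NAT boundary, and a /32 RTBH on a shared CGNAT address taking every subscriber behind it offline) can be checked with a small model. The following is an added example, not code from the mailing-list author or from any NAT product; the CGNAT class, the symmetric-matching rule, and the addresses (203.0.113.10 as the shared public address, 100.64.0.0/10 inside addresses, 198.51.100.5 as the peer, 192.0.2.99 as the unsolicited sender) are constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cgnat:
    """Minimal model of a stateful CGNAT box with one shared public address (assumption)."""
    public_ip: str
    # (pub_ip, pub_port) -> (inside_ip, inside_port, peer_ip, peer_port)
    table: dict = field(default_factory=dict)
    next_port: int = 1024
    subscribers: set = field(default_factory=set)

    def outbound(self, inside_ip, inside_port, peer_ip, peer_port):
        """Subscriber-initiated packet: allocate a public port and record the session."""
        key = (self.public_ip, self.next_port)
        self.table[key] = (inside_ip, inside_port, peer_ip, peer_port)
        self.next_port += 1
        self.subscribers.add(inside_ip)
        return key

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet-initiated packet: forwarded only if it hits an existing session whose
        recorded peer matches the packet's source (symmetric NAT behaviour, assumed here).
        Returns the inside (ip, port) it is delivered to, or None if dropped at the boundary."""
        entry = self.table.get((dst_ip, dst_port))
        if entry is None:
            return None
        inside_ip, inside_port, peer_ip, peer_port = entry
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None
        return (inside_ip, inside_port)


def build_sample_nat(n_subscribers=3):
    """Constructed sample: n subscribers behind 203.0.113.10 (RFC 5737 documentation range),
    each with one established session to a server at 198.51.100.5:443."""
    nat = Cgnat(public_ip="203.0.113.10")
    for i in range(n_subscribers):
        nat.outbound(f"100.64.0.{i + 1}", 40000 + i, "198.51.100.5", 443)
    return nat


def flood(nat, sender_ip, ports):
    """Unsolicited packets from one outside source toward every port of the shared address.
    Returns (forwarded_count, dropped_count) so the boundary's effect is measurable."""
    forwarded = dropped = 0
    for p in ports:
        if nat.inbound(sender_ip, 12345, nat.public_ip, p) is None:
            dropped += 1
        else:
            forwarded += 1
    return forwarded, dropped


def rtbh_affected(nat, blackholed_prefix):
    """Subscribers that lose connectivity if the NOC blackholes this prefix:
    with CGNAT, a single /32 covers everyone sharing that public address."""
    net = ipaddress.ip_network(blackholed_prefix)
    if ipaddress.ip_address(nat.public_ip) in net:
        return set(nat.subscribers)
    return set()


if __name__ == "__main__":
    nat = build_sample_nat(3)
    print("unsolicited flood (forwarded, dropped):", flood(nat, "192.0.2.99", range(1, 65536)))
    print("subscribers hit by RTBH of 203.0.113.10/32:", sorted(rtbh_affected(nat, "203.0.113.10/32")))
```

Running it shows every unsolicited packet dropped at the boundary (including the ones that happen to land on an in-use port, because the source does not match the session's peer), while a single /32 blackhole on the shared address removes all three subscribers, which is the operational reason for exempting the NAT pool from RTBH automation.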