jon, 1000x ack and for all: i think this MOTD is something very close to the isp nat thread :) "There are only 10 types of people in this world: those who understand binary, and those who don't." (Credits to Theodore Tzevelekis/Cisco) deejay -- Tomas Daniska systems engineer Tronet Computer Networks Plynarenska 5, 829 75 Bratislava, Slovakia tel: +421 2 58224111, fax: +421 2 58224199 A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
-----Original Message----- From: Mansey, Jon [mailto:Jon_Mansey@verestar.com] Sent: 2. mája 2002 19:31 To: nanog@merit.edu Subject: RE: DDOS attacks and Large ISPs doing NAT?
To merge these 2 great threads, it is the case is it not that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey I didn't use all that traffic last month....etc etc"
I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.
And as for NAT breaking applications, I think its time the applications wised up and worked around the NAT issues. Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there, they try to use, in order, multicast (the most effcient and best quality), UDP,TCP then HTTP. If it cant get a connection with any of the first protocols, it falls back to http, and you get your stream.
When you look at the economics of usability of your app, I think your going to want to make it work through firewalls.
Jm