Hi, I would suggest that you test fragmented traffic as well to your NAT device. Fragment packets (that are not the first packet) don't have the L4 info so the NAT device will have to keep them in memory until the first fragment comes in w/ the L4 info. This can cause a DoS condition if the NAT device doesn't adequately prune fragmented packets from the memory when there is a flood of these type of packets. On 2/7/19, 11:47 AM, "Aaron Gould" <aaron1@gvtc.com> wrote: Rich, et al, Circling back on some older threads... I'm doing this because I've been growing my cgnat environments and needing to remind myself of somethings, etc... If an attack is targeted at 1 ip address, you would think that if would/could affect all the napt-44 (nat overloaded/pat'd) ip's that hide behind it... but isn't that *IF* that traffic actually got through the nat boundary and flowed to the intended target(s) ? Unsolicited outside---->inside traffic I believe results in a deny of traffic... and I'm seeing that the nat actually builds those flows as drop flows.... I generated some traffic at a nat destination and I see all my traffic is "Drop"... now I wonder if this is a fast path like in asic (pfe) hardware being dropped... if so, it would seem that the nat boundary is yet a really nice way to quickly drop unsolicited inbound traffic from perhaps bad sources. My source where I was generating traffic... Hollywood-ip (only works in the movies) 256.256.191.133 (bad guy) Nat destination where I sending traffic to... 256.256.130.4 (victim/target) Now of course the resources/network outside the nat is bogged down, but the inside nat domain seems to be unaffected in this case from what I can tell. And again, I'm wondering if that "Drop" flow is lightweight/fast processing for the ms-mpc-128g juniper gear ? {master} agould@960> show services sessions destination-prefix 256.256.130.4/32 | grep 256.256.191.133 | refresh 1 ---(refreshed at 2019-02-07 12:36:45 CST)--- ---(refreshed at 2019-02-07 12:36:46 CST)--- ---(refreshed at 2019-02-07 12:36:47 CST)--- ---(refreshed at 2019-02-07 12:36:48 CST)--- ---(refreshed at 2019-02-07 12:36:49 CST)--- ---(refreshed at 2019-02-07 12:36:50 CST)--- ---(refreshed at 2019-02-07 12:36:51 CST)--- ---(refreshed at 2019-02-07 12:36:52 CST)--- TCP 256.256.191.133:54519 -> 256.256.130.4:443 Drop O 1 ICMP 256.256.191.133 -> 256.256.130.4 Drop O 1 ---(refreshed at 2019-02-07 12:36:53 CST)--- TCP 256.256.191.133:54519 -> 256.256.130.4:443 Drop O 1 ICMP 256.256.191.133 -> 256.256.130.4 Drop O 1 ---(refreshed at 2019-02-07 12:36:54 CST)--- TCP 256.256.191.133:54519 -> 256.256.130.4:443 Drop O 1 ICMP 256.256.191.133 -> 256.256.130.4 Drop O 1 ---(refreshed at 2019-02-07 12:36:55 CST)--- TCP 256.256.191.133:54519 -> 256.256.130.4:443 Drop O 1 ICMP 256.256.191.133 -> 256.256.130.4 Drop O 1 ---(refreshed at 2019-02-07 12:36:56 CST)--- ---(refreshed at 2019-02-07 12:36:57 CST)--- ---(refreshed at 2019-02-07 12:36:58 CST)--- UDP 256.256.191.133:12998 -> 256.256.130.4:80 Drop O 1 UDP 256.256.191.133:24444 -> 256.256.130.4:80 Drop O 1 ---(refreshed at 2019-02-07 12:36:59 CST)--- UDP 256.256.191.133:12998 -> 256.256.130.4:80 Drop O 1 UDP 256.256.191.133:24444 -> 256.256.130.4:80 Drop O 1 ---(refreshed at 2019-02-07 12:37:00 CST)--- UDP 256.256.191.133:12998 -> 256.256.130.4:80 Drop O 1 UDP 256.256.191.133:24444 -> 256.256.130.4:80 Drop O 1 ---(refreshed at 2019-02-07 12:37:01 CST)--- UDP 256.256.191.133:12998 -> 256.256.130.4:80 Drop O 1 UDP 256.256.191.133:24444 -> 256.256.130.4:80 Drop O 1 - Aaron -----Original Message----- From: Compton, Rich A [mailto:Rich.Compton@charter.com] Sent: Thursday, April 6, 2017 3:49 PM To: Aaron Gould; 'Ahmed Munaf'; 'Nanog@Nanog' Subject: Re: CGNAT Hi Aaron, thanks for the info. I¹m curious what you or others do about DDoS attacks to CGNAT devices. It seems that a single attack could affect the thousands of customers that use those devices. Also, do you have issues detecting attacks vs. legitimate traffic when you have so much traffic destined to a small group of IPs? Rich Compton | Principal Eng | 314.596.2828 14810 Grasslands Dr, Englewood, CO 80112 E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.