RE: DDOS attacks and Large ISPs doing NAT?
That would come under the heading of a virus or trojan I believe. And sure, there is no reason a NAT'd cell phone couldn't participate in this type of attack. The DDOS discussion is specifically referring to a "live" syn or syn/ack attack from hosts that respond to connection requests. A NAT'd cell phone won't, can't ever, respond to an unsolicited connection request. jm
-----Original Message----- From: Gary E. Miller [mailto:gem@rellim.com] Sent: Thursday, May 02, 2002 11:00 AM To: Mansey, Jon Cc: nanog@merit.edu Subject: RE: DDOS attacks and Large ISPs doing NAT?
Yo Jon!
On Thu, 2 May 2002, Mansey, Jon wrote:
To merge these 2 great threads, it is the case is it not that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey I didn't use all that traffic last month....etc etc"
Who says a NATed host can not be a zombie? Get the NATed host to read an email virus. The virus then connects to an IRC channel that tells the zombie when to spew.
Each phone would not spew much, but imagine you got 100M phones to do your DDoS for you...
RGDS GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
Yo Jon! On Thu, 2 May 2002, Mansey, Jon wrote:
That would come under the heading of a virus or trojan I believe. And sure, there is no reason a NAT'd cell phone couldn't participate in this type of attack.
It may be a virus or a trojan, but it is still acting as a zombie and it can still use up all your bandwidth. That was your original contention. If you are arguing that NAT protects the phone itself from DDoS that is also not true. Just send it a bazillion pages, NAT does not help there. NAT is just security by obscurity. A speed bump in the road to a committed hacker. RGDS GARY
On Thu, 02 May 2002 11:06:33 PDT, "Mansey, Jon" said:
The DDOS discussion is specifically referring to a "live" syn or syn/ack attack from hosts that respond to connection requests. A NAT'd cell phone won't, can't ever, respond to an unsolicited connection request.
*RING*!! *RING*!! Oh, I'm sorry, that was the clue phone ringing - it couldn't be your phone, since it wouldn't answer an unsolicited connection request.... You were saying? (To fill in the blanks - get a trojan loaded into the cellphone/PDA combo, and then send it a page telling it who/what to attack). -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
A NAT'd cell phone won't, can't ever, respond to an unsolicited connection request.
A NAT is not a firewall. A firewall is not a NAT. Some vendors bundle firewall functionality with NAT functionality, just as some vendors bundle SNA with IP. Please stop perpetuating the myth that a NAT is a security device. Bradley
On Thu, 2 May 2002 15:40:57 -0400 Bradley Dunn <bradley@dunn.org> wrote:
Some vendors bundle firewall functionality with NAT functionality, just as some vendors bundle SNA with IP.
some vendors actually sell NAT devices that say "firewall" on the outside of the box. richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Unix, Linux, IP Network Engineering, Security
A NAT'd cell phone won't, can't ever, respond to an unsolicited connection request.
A NAT is not a firewall.
A firewall is not a NAT.
Some vendors bundle firewall functionality with NAT functionality, just as some vendors bundle SNA with IP.
Please stop perpetuating the myth that a NAT is a security device.
It is not a myth; NAT (PNAT, to be correct) just allows internal users to have SECURE access to the outer world without reverse access (it is 50 - 60% of the firewall functionality). So, NAT is equal to the firewall for the outgoing calls. Of course, static NAT does not provide any firewall functionality, and NAT does nothing to protect inbound services, so to protect such services (if any exist) you need a _real_ firewall. To protect an internal network, there is no better way than to have a NAT (of course, a firewall with NAT is better, and all modern devices provide both functionalities, but if I select what's better - a NAT device without a firewall or a firewall without NAT, and I'll have only outbound calls, I'll choose a NAT).
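To make the exchange concrete, here is an added example that is not from the thread or from any of its participants: a toy Python model of an outbound-only PNAT with endpoint-restricted mappings. The addresses, ports, the IRC command string and the `Packet`, `Pnat` and `run_scenario` names are all constructed for the illustration. It replays both sides of the argument: an unsolicited inbound SYN to the public address is dropped because no mapping exists (Jon's point), yet a connection the handset opens itself carries the C2 server's commands back in, and every flood packet the zombie sends out is translated and forwarded (Gary's and Valdis' point). A packet from a different outside host aimed at the same mapped port is also dropped, which is a property of this particular mapping type rather than of NAT in general.

```python
"""Toy PNAT: outbound-created, endpoint-restricted mappings.

Added example, not code from the NANOG thread. Every address, port and
payload below is constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    syn: bool = False   # True for a connection-opening packet
    payload: str = ""


class Pnat:
    """Port-and-address NAT. It translates; it never inspects payloads or
    applies policy, which is exactly the "a NAT is not a firewall" point."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside src, outside dst) -> public port
        self.out_map: Dict[Tuple[str, str], int] = {}
        # (public port, outside peer) -> inside src
        self.in_map: Dict[Tuple[int, str], str] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate (or reuse) a public port, rewrite src."""
        key = (pkt.src, pkt.dst)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst)] = pkt.src
        return Packet(f"{self.public_ip}:{port}", pkt.dst, pkt.syn, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only if an inside host already created a
        mapping for this public port *and* this outside peer; otherwise drop."""
        ip, port = pkt.dst.rsplit(":", 1)
        inside = self.in_map.get((int(port), pkt.src)) if ip == self.public_ip else None
        if inside is None:
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src, inside, pkt.syn, pkt.payload)


def run_scenario() -> dict:
    """Replay the thread's argument on the toy NAT (constructed addresses)."""
    nat = Pnat("203.0.113.1")
    phone = "10.0.0.5:5000"          # the NAT'd handset
    irc = "198.51.100.7:6667"        # the attacker's IRC C2 server
    attacker = "192.0.2.99:1234"     # a host probing the public address
    victim = "192.0.2.10:80"         # the DDoS target

    # An unsolicited inbound SYN finds no mapping and is dropped.
    probe = nat.inbound(Packet(attacker, "203.0.113.1:5000", syn=True))

    # The infected phone connects *out* to the IRC channel...
    out = nat.outbound(Packet(phone, irc, syn=True))

    # ...so the C2 server's commands ride back in over that mapping.
    cmd = nat.inbound(Packet(irc, out.src, payload="!flood 192.0.2.10"))

    # Endpoint-restricted mapping: another outside host hitting the same
    # public port is still dropped (a full-cone NAT would let it through).
    hijack = nat.inbound(Packet(attacker, out.src, payload="!flood"))

    # The zombie obeys; each outbound SYN to the victim is translated and sent.
    floods = [nat.outbound(Packet(f"10.0.0.5:{5001 + i}", victim, syn=True))
              for i in range(3)]

    return {"probe": probe, "cmd": cmd, "hijack": hijack,
            "floods": floods, "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Nothing in `Pnat` looks at the `!flood` command or at the destination of the flood packets; the only thing that could have stopped the zombie is a policy that refuses the outbound IRC connection in the first place, which is firewall functionality, not translation.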
participants (6)
- Alexei Roudnev
- Bradley Dunn
- Gary E. Miller
- Mansey, Jon
- Richard Welty
- Valdis.Kletnieks@vt.edu