Aaron Gould aaron1 at
Fri Apr 7 17:48:33 UTC 2017

Thanks Rich, you bring up some good points.  Yes, it would seem that an
attack aimed at a target IP address would in fact now have a greater surface,
since that IP address is being used by many people.  When we
remotely-trigger-black-hole (RTBH) route an IP address (/32 host route) into
a black hole to stop an attack... you're right, now you've completed the
DDoS, not only for one customer, but for hundreds or thousands that were using
that public IP address through the NAT appliance, which is why I've told my
NOC not to act on any of the /24's-worth of address space that we use for

Interestingly, the nature of NAT is that it doesn't allow inbound traffic
unless a previous outbound packet had been sent from the customer side to the
internet side and caused the NAT translation to be built... therefore, an
outside-initiated DDoS attack would be automatically blocked by a NAT
boundary*.  This would cause the DDoS to not go as far as it did in the
non-NAT scenario; with CGNAT you've shortened the reach of the DDoS.
...but of course this doesn't cause the DDoS to not occur and to
not reach the NAT boundary... the attack still arrives.  You have to continue
with other layers of security, defense and mitigation in other areas/layers
of your network.

- Aaron

* (I guess unless they were able to guess-spoof the exact IP address and
port number of an existing NAT session, but then it would seem that they
would only reach that same port-address-translated session
destination... which I think would be a single IP address endpoint and port

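The two points made in the message above, a toy CGNAT state table where unsolicited inbound packets find no translation and where black-holing one shared public /32 cuts off every subscriber mapped to it, as an added example that is not part of the original post; the class name, addresses, ports and subscriber hosts are constructed for the demonstration.

```python
"""Toy CGNAT state table (constructed example, not any vendor's NAT).
Shows: (1) inbound packets are forwarded only if an outbound packet already
built a translation, and then only to that one inside endpoint; (2) an RTBH
/32 on the shared public address takes every subscriber behind it down."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Cgnat:
    public_ip: str                          # one shared public address
    next_port: int = 40000                  # simple sequential port allocator
    # (public_ip, public_port) -> (inside_ip, inside_port)
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def outbound(self, inside_ip: str, inside_port: int) -> Endpoint:
        """Customer-side packet creates (or reuses) a translation entry."""
        for pub, inside in self.table.items():
            if inside == (inside_ip, inside_port):
                return pub
        pub = (self.public_ip, self.next_port)
        self.next_port += 1
        self.table[pub] = (inside_ip, inside_port)
        return pub

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Internet-side packet: dropped (None) unless a translation exists;
        a guessed live port reaches only the single host that built it."""
        return self.table.get((dst_ip, dst_port))

    def subscribers_behind(self, ip: str) -> Set[str]:
        """Inside hosts that lose connectivity if `ip` is RTBH-routed."""
        return {inside[0] for pub, inside in self.table.items() if pub[0] == ip}


def demo() -> dict:
    nat = Cgnat(public_ip="203.0.113.10")     # constructed TEST-NET-3 address
    # Three subscribers open sessions -> three translations on one public IP.
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        nat.outbound(host, 50000)
    unsolicited = nat.inbound("203.0.113.10", 1234)   # no translation: dropped
    guessed = nat.inbound("203.0.113.10", 40001)      # live session: one host
    return {
        "unsolicited_dropped": unsolicited is None,
        "guessed_session_reaches": guessed,
        "rtbh_collateral": nat.subscribers_behind("203.0.113.10"),
    }


if __name__ == "__main__":
    print(demo())
```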