Re: DDOS attacks and Large ISPs doing NAT?
> > A NAT'd cell phone won't, can't ever, respond to an unsolicited connection request.
>
> A NAT is not a firewall. A firewall is not a NAT. Some vendors bundle firewall functionality with NAT functionality, just as some vendors bundle SNA with IP. Please stop perpetuating the myth that a NAT is a security device.

It is not a myth; NAT (PNAT, to be correct) just allows internal users to have SECURE access to the outer world without reverse access (it is 50 - 60% of the firewall functionality). So, NAT is equal to the firewall for the outgoing calls. Of course, static NAT does not provide any firewall functionality, and NAT does nothing to protect inbound services, so to protect such services (if any exist) you need a _real_ firewall. To protect the internal network, there is no better way than to have a NAT (of course, a firewall with NAT is better, and all modern devices provide both functionalities, but if I select what's better - a NAT device without a firewall or a firewall without NAT, and I'll have only outbound calls, I'll choose a NAT).
RE: DDOS attacks and Large ISPs doing NAT?
To merge these 2 great threads, it is the case, is it not, that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey, I didn't use all that traffic last month..." etc. etc.

I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.

And as for NAT breaking applications, I think it's time the applications wised up and worked around the NAT issues. Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible, right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc. etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there: they try to use, in order, multicast (the most efficient and best quality), UDP, TCP, then HTTP. If it can't get a connection with any of the first protocols, it falls back to HTTP, and you get your stream. When you look at the economics of usability of your app, I think you're going to want to make it work through firewalls.

Jm

-----Original Message-----
From: Jake Khuon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 02, 2002 1:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Large ISPs doing NAT?

### On Thu, 2 May 2002 10:42:01 +0200, Daniska Tomas [EMAIL PROTECTED]
### casually decided to expound upon [EMAIL PROTECTED] the following
### thoughts about RE: Large ISPs doing NAT? :

DT> and what if one of the devices behind that phone would also be a
DT> personal ip gateway router (or how you call that)... you could
DT> recursively iterate as deep as your mail size allows you to...

It's possible. Could it get ugly? Yes. Do we just want to shut our eyes and say "let's not go there"... well... maybe. I just don't think the solution is to say, "this can never happen... we must limit all handheld devices to sitting behind a NAT gateway."

DT> hope this thread will not end in a router behind a router that
DT> serves as a router serving as a router to another router which has
DT> some other routers connected...

God forbid! We might have a network on our hands!

-- 
/*===[ Jake Khuon [EMAIL PROTECTED] ]==+
 | Packet Plumber, Network Engineers     /| / [~ [~ |) | |   --- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
 +=*/
RE: DDOS attacks and Large ISPs doing NAT?
jon, 1000x ack

and for all: i think this MOTD is something very close to the isp nat thread :)

There are only 10 types of people in this world: those who understand binary, and those who don't.
(Credits to Theodore Tzevelekis/Cisco)

deejay

--
Tomas Daniska
systems engineer

Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.

-----Original Message-----
From: Mansey, Jon [mailto:[EMAIL PROTECTED]]
Sent: 2 May 2002 19:31
To: [EMAIL PROTECTED]
Subject: RE: DDOS attacks and Large ISPs doing NAT?

To merge these 2 great threads, it is the case, is it not, that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey, I didn't use all that traffic last month..." etc. etc.

I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.

And as for NAT breaking applications, I think it's time the applications wised up and worked around the NAT issues. Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible, right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc. etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there: they try to use, in order, multicast (the most efficient and best quality), UDP, TCP, then HTTP. If it can't get a connection with any of the first protocols, it falls back to HTTP, and you get your stream. When you look at the economics of usability of your app, I think you're going to want to make it work through firewalls.

Jm
Re: DDOS attacks and Large ISPs doing NAT?
NAT will not help you in this case; on the contrary, NAT will create a SINGLE bottleneck (the NAT router itself) which can not be easily upgraded (you can install 10 web servers instead of one, but you can not install 10 NATs). NAT is good for the outgoing calls or to allow a single service to be visible outside of your network. But it's useless for the broadband service - static NAT is equivalent to simply filtering out all unused ports on your server.

You can think about a NAT + DNS combination (so that your IP address migrates and a DDOS attack can not succeed without consulting DNS); NAT itself (as IP / port + IP translation) can not prevent DDOS because DDOS is directed to the service point (IP + protocol + port) which should be well known to allow the service itself.

----- Original Message -----
From: Mansey, Jon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 02, 2002 10:30 AM
Subject: RE: DDOS attacks and Large ISPs doing NAT?

To merge these 2 great threads, it is the case, is it not, that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey, I didn't use all that traffic last month..." etc. etc.

I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.

And as for NAT breaking applications, I think it's time the applications wised up and worked around the NAT issues. Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible, right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc. etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there: they try to use, in order, multicast (the most efficient and best quality), UDP, TCP, then HTTP. If it can't get a connection with any of the first protocols, it falls back to HTTP, and you get your stream. When you look at the economics of usability of your app, I think you're going to want to make it work through firewalls.

Jm

-----Original Message-----
From: Jake Khuon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 02, 2002 1:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Large ISPs doing NAT?

### On Thu, 2 May 2002 10:42:01 +0200, Daniska Tomas [EMAIL PROTECTED]
### casually decided to expound upon [EMAIL PROTECTED] the following
### thoughts about RE: Large ISPs doing NAT? :

DT> and what if one of the devices behind that phone would also be a
DT> personal ip gateway router (or how you call that)... you could
DT> recursively iterate as deep as your mail size allows you to...

It's possible. Could it get ugly? Yes. Do we just want to shut our eyes and say "let's not go there"... well... maybe. I just don't think the solution is to say, "this can never happen... we must limit all handheld devices to sitting behind a NAT gateway."

DT> hope this thread will not end in a router behind a router that
DT> serves as a router serving as a router to another router which has
DT> some other routers connected...

God forbid! We might have a network on our hands!

-- 
Jake Khuon [EMAIL PROTECTED]
Packet Plumber, Network Engineers for Effective Bandwidth Utilisation
RE: DDOS attacks and Large ISPs doing NAT?
Unless I'm mistaken (entirely possible), an IP-enabled phone has 2 distinct and separate stacks, the IP stack and the phone stack. As I said, in a NAT'd scenario the IP stack will never see an unsolicited request and hence not respond to it. The phone side of course will ring when called. Duh. GPRS VoIP (yet)

Jm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 02, 2002 11:26 AM
To: Mansey, Jon
Cc: [EMAIL PROTECTED]
Subject: Re: DDOS attacks and Large ISPs doing NAT?

On Thu, 02 May 2002 11:06:33 PDT, Mansey, Jon said:
> The DDOS discussion is specifically referring to a live syn or syn/ack attack from hosts that respond to connection requests. A NAT'd cell phone won't, can't ever, respond to an unsolicited connection request.

*RING*!! *RING*!!

Oh, I'm sorry, that was the clue phone ringing - it couldn't be your phone, since it wouldn't answer an unsolicited connection request...

You were saying?

(To fill in the blanks - get a trojan loaded into the cellphone/PDA combo, and then send it a page telling it who/what to attack).

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
RE: DDOS attacks and Large ISPs doing NAT?
-----Original Message-----
From: Gary E. Miller [mailto:[EMAIL PROTECTED]]
Sent: 2 May 2002 20:00
To: Mansey, Jon
Cc: [EMAIL PROTECTED]
Subject: RE: DDOS attacks and Large ISPs doing NAT?

> Who says a NATed host can not be a zombie? Get the NATed host to read an email virus. The virus then connects to an IRC channel that tells the zombie when to spew.

recursion again. the point was just about minimizing, not about completely avoiding. for every solution you do a new exploit will be invented in a short time, no matter how great the patch is

> Each phone would not spew much, but imagine you got 100M phones to do your DDoS for you...

it's not about the number of phones but about capacity of the network. even if you have 1k phones on one gsm sector they still only can generate as much as the radio allows for. how many channels you suppose to be available for gprs for the whole sector? three? four? several? maybe if you're optimistic enough. i definitely would not consider gprs being a broadband service.

then - there are loads of different portable devices on the market now and the diversity will increase. how would you manage to load your ddos clients to all these kinds of devices? in the end you maybe will get a few % (if lucky and tricky enough) of the portables. compare it to the aggregate traffic the whole gprs network could generate (not that much) and i don't think you can talk about a ddos in the scale we are used to today

--
Tomas Daniska
systems engineer

Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
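To make the translation behaviour the posters argue about concrete (the reply above holding that PNAT secures outbound calls only and that static NAT merely hides unused ports, and Gary Miller's point, just quoted, that a NATed host which connects out to an IRC channel can still be told what to do), here is a small model of a PNAT state table. It is an added example, not code from anyone in this thread; it assumes an address-and-port-dependent filter (a symmetric NAT), and every address, port and host in it is a constructed sample value.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (IP address, port)
Session = Tuple[str, int, str, int]  # inside addr, inside port, outside addr, outside port


@dataclass
class Pnat:
    """Port-translating NAT: dynamic outbound mappings plus optional static ones."""
    public_ip: str
    next_port: int = 40000
    outbound: Dict[Session, int] = field(default_factory=dict)  # session -> public port
    inbound: Dict[int, Session] = field(default_factory=dict)   # public port -> session
    static: Dict[int, Flow] = field(default_factory=dict)       # public port -> inside host

    def send_out(self, src: Flow, dst: Flow) -> Flow:
        """Inside host sends outward; allocate (or reuse) a public port for the session."""
        key: Session = (src[0], src[1], dst[0], dst[1])
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key])

    def recv_in(self, src: Flow, dst_port: int) -> Optional[Flow]:
        """Outside host sends to our public address; return the inside target, or None if dropped."""
        if dst_port in self.static:            # published service: always reachable
            return self.static[dst_port]
        sess = self.inbound.get(dst_port)
        if sess is None:                       # no session owns this port: unsolicited, dropped
            return None
        in_addr, in_port, out_addr, out_port = sess
        if (out_addr, out_port) != src:        # port belongs to a session with another peer
            return None
        return (in_addr, in_port)


def demo() -> dict:
    """Walk the thread's scenarios through the table (all addresses are constructed)."""
    nat = Pnat("203.0.113.1")
    nat.static[80] = ("10.0.0.5", 80)           # one web server published with static NAT
    phone, irc, stranger = ("10.0.0.7", 5000), ("198.51.100.9", 6667), ("192.0.2.66", 1234)
    cold = nat.recv_in(stranger, 5000)          # unsolicited SYN at the phone: dropped
    pub = nat.send_out(phone, irc)              # phone joins an IRC channel: mapping created
    warm = nat.recv_in(irc, pub[1])             # the channel can now talk back through it
    spoof = nat.recv_in(("192.0.2.66", 6667), pub[1])  # another peer on that port: dropped
    flood = nat.recv_in(stranger, 80)           # the published service point stays exposed
    return {"cold": cold, "pub": pub, "warm": warm, "spoof": spoof, "flood": flood}
```

The `warm` and `flood` results are the two holes the thread is circling: NAT drops what nobody inside asked for, but an inside host that opens a session outward has built its own return path, and anything published through a static mapping is as reachable as it would be with a real address.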
Re: DDOS attacks and Large ISPs doing NAT?
On Thu, 02 May 2002 11:32:48 PDT, Mansey, Jon said:
> As I said, in a NAT'd scenario the IP stack will never see an unsolicited request and hence not respond to it. The phone side of course will ring when called. Duh.

That's the *point*. You hand the phone a trojan/virus/whatever when it's making an OUTBOUND connection on the NAT side (for instance, if the PDA side is checking mail, feed it a trojaned piece of mail). You then have the trojan drop you a note "Oh, and my phone number is XXX-". Then, when it's time to attack somebody, you send the phone a page that tells the trojan "Hey XXX-, wake up and pound on victim address whatever". With proper encoding of the page, the phone's owner may even just say "Damn, more bleeping Korean spam in characters I can't read", and not notice that 45 seconds later, the phone starts chirping away by itself...

The point is that you can contact the phone via *non-NAT* means and have it launch an attack - the fact you can't wake it up via NAT can be worked around.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech