[e2e] 100% NAT - a DoS proof internet

Jeroen Massar jeroen at unfix.org
Mon Feb 13 08:51:52 PST 2006


On Mon, 2006-02-13 at 13:46 +0000, Jon Crowcroft wrote:
> In missive <3378EA87-1954-49F6-9CC8-8E91BD030650 at cisco.com>, Fred Baker typed:
> 
>  >>Are you telling me that you think that devices that are behind NATs  
>  >>don't get DOS'd?
>  
> not by address scanning worms, no...

Worms don't come in directly to the IPs that often; they spread mostly
using email, browsers, and other applications, and some unknowing user
simply starting applications they should not be running. Host-based
firewalls do a wonderful job here already. Of course there are some viruses
which scan semi-randomly, but the effect is lower than an email containing
a juicy picture of some teen celebrity.

If you want to protect against address scans then move to IPv6 :)
(though one infected box and they have the local subnet)


Also, the target of the DoS will just shift with your idea, from the
end-host to the NAT box that is 'protecting' it, which in turn makes it
actually harder to work against these attacks. Just read up on some of
the timelines about attacks against IRC servers. First they targeted the
irc servers themselves, after that they started DoSing the links,
which simply means they will kill off the routers in between the user and
the server.

There is no real magic bullet. Law and especially enforcement is one of
the few things that might help a bit, but that is not something we might
want to see from the e2e point of view.

Greets,
 Jeroen
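The arithmetic behind "if you want to protect against address scans then move to IPv6", as an added example that is not part of Jeroen's mail or the list archive. A worm probing addresses uniformly at random hits one of k live hosts in a space of N addresses with probability k/N per probe, so the probes to its first hit follow a geometric distribution with mean N/k. The block below checks that mean by simulation on a small space and then applies it to a /24 and a /64 holding the same number of hosts; the host count (200) and probe rate (one million per second) are constructed assumptions, not measurements.

```python
"""Added example, not from the original mail: cost of random address
scanning as a function of address-space size (IPv4 /24 vs IPv6 /64).
Host counts and probe rates are assumed values chosen for illustration."""
import random
from fractions import Fraction


def expected_probes_to_first_hit(space_size: int, live_hosts: int) -> Fraction:
    """Mean number of probes until a uniform random scanner finds a live host.

    Each probe hits with probability live_hosts/space_size, so the count of
    probes to the first hit is geometric with mean space_size/live_hosts.
    """
    if not 0 < live_hosts <= space_size:
        raise ValueError("live_hosts must be between 1 and space_size")
    return Fraction(space_size, live_hosts)


def seconds_to_first_hit(address_bits: int, prefix_len: int,
                         live_hosts: int, probes_per_second: int) -> Fraction:
    """Expected seconds to the first hit when scanning one prefix at random."""
    space_size = 2 ** (address_bits - prefix_len)
    return expected_probes_to_first_hit(space_size, live_hosts) / probes_per_second


def simulate_random_scan(space_size: int, live_hosts: int,
                         trials: int, seed: int = 1) -> float:
    """Average probes to the first hit over `trials` random host placements.

    Used to sanity-check the closed form above on a space small enough to
    simulate; the seed keeps the result reproducible.
    """
    rng = random.Random(seed)
    total_probes = 0
    for _ in range(trials):
        live = set(rng.sample(range(space_size), live_hosts))
        probes = 0
        while True:
            probes += 1
            if rng.randrange(space_size) in live:
                break
        total_probes += probes
    return total_probes / trials


SECONDS_PER_YEAR = 365 * 24 * 3600


if __name__ == "__main__":
    hosts = 200            # assumed: the same population behind both prefixes
    rate = 1_000_000       # assumed: probes per second the worm can emit
    v4 = seconds_to_first_hit(32, 24, hosts, rate)
    v6 = seconds_to_first_hit(128, 64, hosts, rate)
    print(f"IPv4 /24, {hosts} hosts: first hit after ~{float(v4):.2e} s")
    print(f"IPv6 /64, {hosts} hosts: first hit after "
          f"~{float(v6) / SECONDS_PER_YEAR:.0f} years")
    mean = simulate_random_scan(256, 8, 4000)
    print(f"simulation, 256 addresses / 8 hosts: mean {mean:.1f} probes "
          f"(closed form: {expected_probes_to_first_hit(256, 8)})")
```

The closed form assumes the scanner knows nothing about where hosts are. That is exactly what the parenthetical caveat in the mail removes: a box already inside the /64 can read its neighbor cache or ping the all-nodes multicast address ff02::1 and learn its neighbors in a handful of packets, so the 2^64 figure protects against remote random scanning only, not against lateral spread from a compromised host on the same link.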
