
DDoS Attacks on Carrier-grade NAT Infrastructure

September 26, 2019

In this video, Solutions Architect Glen Turner talks about how our integrated DDoS protection solution can be used to protect carrier-grade NAT infrastructure and IP NAT pools.


AI Transcript:

Hi, today we’re going to discuss a particular DDoS attack on your Carrier-grade NAT infrastructure, where a malicious actor is targeting IP resources in your NAT IP pool.

So, as an illustration, let’s draw our service provider access and core network.

And we have our Carrier-grade NAT device, our edge routing, and then finally the internet out here.

In this particular DDoS attack, it’s a volumetric and infrastructure attack against a NAT pool resource and the CGN device.

And a particular IP address is going to be selected and targeted by our malicious actor.

These particular DDoS attacks are crippling to both the Carrier-grade NAT device and to the subscribers themselves. And the primary reason is we have our subscribers out here, and depending upon the oversubscription rate of subscribers to public IP resources, we could have as many as 64:1, maybe it’s a 256:1 ratio, and we could have as many as 256 subscribers actually affected by this single attack that comes into this device.

Along with that, we’re going to be exhausting the pipe’s resources as well to be able to carry traffic for other subscribers, who are not actually attached to that particular IP address.

The service provider will normally have some DDoS protection architecture or infrastructure deployed. And in this case, what we’re really concerned about is our DDoS detection mechanism.

And it’s very typical when these types of DDoS attacks happen that we have telemetry from our router up to our DDoS detector.

And this DDoS detector, based upon the policy that has been set up, is going to trigger a black hole inside of the router. This can be done through BGP Flowspec or also with remotely triggered black hole capabilities. So this attack is mitigated at this point, and at this point we restore full capability to carry traffic across our network. Unfortunately though, the CGN device doesn’t know that this null routing has happened. So these subscribers that may be mapped to the affected NAT IP address are now out of service. This could be happening based upon two things. One is policies looking at destination address or source address or both.

This router actually could be null routing their traffic. Or it could be allowing their traffic through and null routing the response.

The bottom line is the effect is the same: our subscribers are now out of service.

So how do we mitigate this type of DDoS attack? Here at A10 Networks we have a particular feature called auto blacklisting of NAT pool addressing. So, we can detect the attack, or we can be signaled that the attack has happened, and take that particular IP address out of service. So in this case, our IP address now will be signaled once the attack is detected. We will get a /32 update in our routing table to the Carrier-grade NAT device. We will take that particular prefix and then it will affect only our control plane.

This is not a traffic plane routing update and we will take the particular IP address out of service of the NAT pool. And now, at this point, we need to gracefully move these subscribers to an unaffected public IP address.

So, we will move to our next IP address. And now, we have fully restored service to our subscribers.

Once the DDoS attack has abated, the DDoS detector will remove the null route. It will also remove the /32 update to the CGN device and restore service to that IP address.

This particular IP address will then come back online, and now we can restore our services back to the particular subscribers and put this back into service, completing our NAT pool … and allowing the subscribers to have full service again to the Internet.

So, I hope you’ve learned something today and thank you for joining our video.
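The sequence the video walks through (detector signals a /32 for the attacked pool address, the CGN pulls that address out of the pool, its subscribers are moved to an unaffected address, and the address returns to service when the route is withdrawn) as an added Python model. This is illustration code written for this page, not A10's auto-blacklisting feature or its API: the class and method names are invented, the pool 198.51.100.0/29 and the 64:1 oversubscription ratio are assumptions chosen for the example, and subscribers are simple string IDs. It also handles the failure mode the video does not spell out: when no unaffected address has capacity left, the subscriber stays out of service until the route is withdrawn.

```python
"""Model of a CGN NAT pool reacting to a /32 blackhole signal.

Hypothetical example code: not A10's implementation, names are invented.
"""
import ipaddress
from collections import defaultdict


class NatPool:
    """Public-address pool with a fixed subscribers-per-address ratio."""

    def __init__(self, pool_cidr, ratio):
        self.ratio = ratio                                   # subscribers per public address (e.g. 64:1)
        self.addresses = list(ipaddress.ip_network(pool_cidr).hosts())
        self.blacklisted = set()                             # addresses pulled from service
        self.subs_by_addr = defaultdict(set)                 # public address -> subscriber IDs
        self.addr_by_sub = {}                                # subscriber ID -> public address

    def _has_room(self, addr):
        return addr not in self.blacklisted and len(self.subs_by_addr[addr]) < self.ratio

    def assign(self, sub):
        """Map a subscriber to the first in-service address with capacity; None if none has room."""
        if sub in self.addr_by_sub:
            return self.addr_by_sub[sub]
        for addr in self.addresses:
            if self._has_room(addr):
                self.subs_by_addr[addr].add(sub)
                self.addr_by_sub[sub] = addr
                return addr
        return None

    def subscribers_on(self, addr):
        """Subscribers that would be cut off if this address were null-routed with no CGN signal."""
        return set(self.subs_by_addr.get(ipaddress.ip_address(addr), set()))

    def blackhole(self, prefix):
        """Handle the detector's /32 signal: remove the address from the pool and move its
        subscribers elsewhere. Returns (moved, stranded); stranded subscribers found no room."""
        net = ipaddress.ip_network(prefix, strict=True)
        if net.prefixlen != 32:
            raise ValueError("expected a /32 blackhole prefix, got %s" % prefix)
        addr = net.network_address
        if addr not in self.addresses:
            return [], []                                    # not a pool address: nothing to do
        self.blacklisted.add(addr)
        victims = sorted(self.subs_by_addr.pop(addr, set()))
        moved, stranded = [], []
        for sub in victims:
            del self.addr_by_sub[sub]                        # forget the old mapping first
            (moved if self.assign(sub) is not None else stranded).append(sub)
        return moved, stranded

    def withdraw(self, prefix):
        """Detector removed the null route: return the address to service. True if it was blacklisted."""
        addr = ipaddress.ip_network(prefix, strict=True).network_address
        was_blacklisted = addr in self.blacklisted
        self.blacklisted.discard(addr)
        return was_blacklisted


if __name__ == "__main__":
    pool = NatPool("198.51.100.0/29", ratio=64)             # 6 usable addresses, 384 subscriber slots
    for i in range(300):                                     # constructed subscriber population
        pool.assign("sub%03d" % i)
    target = "198.51.100.1"
    print(len(pool.subscribers_on(target)), "subscribers share", target)
    moved, stranded = pool.blackhole(target + "/32")
    print(len(moved), "moved,", len(stranded), "stranded")
    moved, stranded = pool.blackhole("198.51.100.2/32")     # second attack: pool nearly full
    print(len(moved), "moved,", len(stranded), "stranded")
    pool.withdraw(target + "/32")
    print("stranded subscriber now gets", pool.assign(stranded[0]))
```

Two points the model makes visible. First, the signal is only useful if it names an address the CGN owns and is an exact /32; anything else is ignored or rejected rather than silently shrinking the pool. Second, moving a subscriber to a different public address gives it a new source IP, so any sessions it had through the blackholed address are lost anyway; in a real CGN the "graceful" move means draining to the new address for new sessions, which this model does not attempt.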
