Hybrid DDoS Cloud


Hi. Today we're going to discuss a particular DDoS attack on your Carrier-grade NAT infrastructure, where a malicious actor targets IP resources in your NAT IP pool.

So, as an illustration, let's draw our service provider access and core network.

We have our Carrier-grade NAT device, our edge routing, and then finally the Internet out here.

This particular attack is a volumetric, infrastructure attack against a NAT pool resource and the CGN device.

The malicious actor selects a particular public IP address from the pool and targets it.

These attacks are crippling to both the Carrier-grade NAT device and to the subscribers themselves. The primary reason is the oversubscription of subscribers to public IP resources: we have our subscribers out here, and depending upon the oversubscription ratio, which could be 64 to 1 or maybe 256 to 1, as many as 256 subscribers can be affected by this single attack against one address on this device.

Along with that, we're going to be exhausting the capacity of the pipe to carry traffic for other subscribers who are not actually attached to that particular IP address.

The service provider will normally have some DDoS mitigation architecture or infrastructure deployed. In this case, what we're really concerned about is the DDoS detection mechanism.

It's very typical when these types of attacks happen that we have telemetry from our router up to our DDoS detector. This DDoS detector, based upon the policy that has been set up, is going to trigger a black hole inside of the router. This can be done through BGP flowspec or with a remotely triggered black hole (RTBH).

So the attack is mitigated at this point, and we restore full capability to carry traffic across our network. Unfortunately, the CGN device doesn't know that this null routing has happened, so the subscribers that are mapped to the affected NAT IP address are now out of service.

This can happen in one of two ways, depending on whether the policy matches on the destination address, the source address, or both. The router could be null routing the subscribers' outbound traffic, or it could be allowing their traffic through and null routing the responses.

The bottom line is that the effect is the same: our subscribers are now out of service.

So how do we mitigate this type of attack? Here at A10 Networks we have a particular feature called auto blacklisting of NAT pool addresses. We can detect the attack ourselves, or we can be signaled that an attack has happened, and take that particular IP address out of service.

So in this case, once the attack is detected, the affected IP address is signaled to the Carrier-grade NAT device as a /32 update in its routing table. We take that particular prefix, and it affects only our control plane; this is not a data plane routing update. We then take that particular IP address out of service in the NAT pool.

At this point, we need to gracefully move these subscribers to an unaffected public IP address. So we move them to our next IP address, and now we have fully restored service to our subscribers.

Once the attack has abated, the DDoS detector will remove the null route. It will also remove the /32 update to the CGN device and restore service to that IP address.

That IP address then comes back online. We can move the affected subscribers back onto it and put it back into service, completing our NAT pool and allowing the subscribers full service to the Internet again.
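As an added example (not A10's implementation), here is a simplified Python model of the auto-blacklisting flow described above: a /32 host route for a pool address arrives on the control plane, the address is taken out of the pool, its subscribers are moved to the least-loaded unaffected address within the oversubscription ratio, and withdrawal of the route puts the address back in service. The pool addresses and subscriber ids are constructed; the "stranded" result covers the case where no unaffected address has spare capacity.

```python
# Added example, not A10's code: a simplified model of CGN NAT-pool
# auto-blacklisting driven by a control-plane /32 route update.
import ipaddress

class CgnPool:
    """Carrier-grade NAT pool with an oversubscription ratio (subscribers per public IP)."""

    def __init__(self, public_ips, ratio=64):
        self.ratio = ratio
        self.pool = {ip: set() for ip in public_ips}  # public IP -> subscriber ids
        self.blacklisted = set()                      # IPs taken out of service
        self.sub_ip = {}                              # subscriber id -> public IP

    def _pick_ip(self):
        # Least-loaded address that is in service and below the oversubscription limit.
        usable = [ip for ip, subs in self.pool.items()
                  if ip not in self.blacklisted and len(subs) < self.ratio]
        return min(usable, key=lambda ip: len(self.pool[ip])) if usable else None

    def attach(self, sub):
        ip = self._pick_ip()
        if ip is None:
            raise RuntimeError("NAT pool exhausted")
        self.pool[ip].add(sub)
        self.sub_ip[sub] = ip
        return ip

    def on_route_update(self, prefix, withdrawn=False):
        """Handle a /32 blackhole advertisement (or its withdrawal) from the DDoS detector.
        Returns the subscribers moved and those left stranded when no spare capacity exists."""
        net = ipaddress.ip_network(prefix, strict=True)
        ip = str(net.network_address)
        if net.prefixlen != 32 or ip not in self.pool:
            return {"moved": [], "stranded": []}      # not a host route for one of our pool IPs
        if withdrawn:
            self.blacklisted.discard(ip)              # attack abated: address back in service
            return {"moved": [], "stranded": []}
        self.blacklisted.add(ip)                      # control plane only: no data-plane route change
        moved, stranded = [], []
        for sub in sorted(self.pool[ip]):
            new_ip = self._pick_ip()
            if new_ip is None:
                stranded.append(sub)                  # no unaffected address with spare capacity
                continue
            self.pool[ip].remove(sub)
            self.pool[new_ip].add(sub)
            self.sub_ip[sub] = new_ip
            moved.append((sub, new_ip))
        return {"moved": moved, "stranded": stranded}
```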

So, I hope you've learned something today, and thank you for joining our video.
