
The Effect of DDoS Attacks on Carrier-grade NAT Devices

October 1, 2019

Transcription

In this video, Solutions Architect Glen Turner discusses what happens when a carrier-grade NAT infrastructure and its NAT IP pools are subjected to DDoS attacks.

AI Transcript:

Hi, today we’re going to talk about the effects of DDoS attacks on Carrier-grade NAT devices in the service provider network. In our typical network, we have our subscribers on the edge and we have our access and core network.

We will have a Carrier Grade NAT device installed toward the edge, then our peering router, and then the internet.

And now, in the internet, we will have some malicious actor who wishes to attack the infrastructure within the service provider network.

These attacks within the CGN network can cause problems with both the device and for the subscriber itself.

We have now moved the public IP address that is typically assigned to our subscriber onto the Carrier Grade NAT device, and now we are overloading that address with multiple subscribers.

So when a volumetric DDoS attack comes into our CGN device, we have this distribution of the attack across multiple subs. In some cases, depending upon the service provider and their ability to use their current IPv4 infrastructure for NATing, we may see a 64:1 subscriber-to-IP ratio or even 256:1.

So, these particular volumetric DDoS attacks that are coming into the Carrier Grade NAT device, that are targeting our NAT pool, will have the effect on the subscribers of actually distributing and actually amplifying the attack across multiple users.

So that’s the first problem. The second one, within the Carrier Grade NAT device itself, is that now we can exhaust resources such as the ability to build sessions, connection rate, and set-up time. These particular problems within the Carrier Grade NAT device will now cause an outage not only for this number of subscribers, but also for any services also mapped within the data path of this particular attack. So within our Carrier Grade NAT device, we’re going to have a particular data path for the attack.

And this will take effect on L2/L3 network processors, maybe CPUs, etc.

To mitigate these particular types of DDoS attacks, which we’ll cover in a later video, we need to be able to drop this attack very early in the data path to protect the device.

And in protecting the device, we also need to be able to blacklist these NAT IP addresses as well.

By blacklisting the NAT IP address, now we can remap our subscribers into another space where the public IP is no longer compromised, restoring service back to them.

The other type of attack we want to be aware of is an attack that exploits endpoint-independent filtering connections. In these types of attacks, we have multiple entities in the internet, which could be as simple as a botnet, and they are using endpoint-independent filtering connections to actually attack a known NAT pool IP address and port.

Then there’s a couple of effects here. One is that our subscriber now actually sees this attack. In the attack we were talking about before, where it’s actually just attacking a random NAT IP address, we really just have the idea of the infrastructure being attacked itself and causing an outage for subscribers for that particular IP address.

Here we’re actually transferring the volumetric DDoS attack inward to our subscriber.

So, in this particular attack, we have a couple of effects. One is we are reducing the ability to carry traffic on our core links, due to the volumetric attack. We’re also passing it through the box, compromising the actual hardware itself.

And then we’re passing it into the access network, and for particular access networks, such as PAN, this can be devastating for multiple users as well, that may not even be tied, as these are, to this IP address, but simply just tied to this infrastructure.

By using a combination of techniques of blacklisting the NAT IP address and also connection rate-limiting, we can reduce this type of DDoS attack, restoring service to our subscriber.

It’s important to note that this particular attack can also exhaust other resources such as our ability to set up sessions with our connection rate facility within the device as well.

So we need to be able to have a connection rate limiter and we also need to be able to identify the attack and then mitigate the attack by moving this particular subscriber set over on to another public IP address.

So, thank you for listening today, and be sure to check out our other videos here at A10 Networks.
