Re: NAT is not a mechanism for securing a network.. but.. HELP!

From: Shawn K. Quinn (skquinn_at_speakeasy.net)
Date: 08/24/05


Date: Wed, 24 Aug 2005 09:18:07 -0500

begin quotation
 from Volker Birk <bumens@dingens.org>
 in message <430c3101@news.uni-ulm.de>
 posted at 2005-08-24T08:34
> Nicky <hackeras@gmail.com> wrote:
>> And how can router be crashed? By what way?

> If it does NAT/masquerading, a DoS attack is very easy from inside. Just
> exploit the maximum size of the NAT table by flooding with packages opening
> a huge number of connections.

There are ways around this. The pf packet filter (part of OpenBSD)
allows you to adaptively tune timeouts as capacity nears the maximum.
For example:

|| set timeout { adaptive.start 6144, adaptive.end 12288 }
|| set limit { states 10240, frags 20480, src-nodes 1536 }

Ignore the frags and src-nodes parameters for the moment. As the number
of states goes over 6144 (60% of the maximum, 10240), the timeouts will
gradually start decreasing for new states, until they reach 1/3 of the
original values when the table is chock full. Properly configured, there
should be no realistic way to fill up the state table and keep it full.

-- 
 ___ _  _____   |*| 
/ __| |/ / _ \  |*| Shawn K. Quinn
\__ \ ' < (_) | |*| skquinn@speakeasy.net 
|___/_|\_\__\_\ |*| Houston, TX, USA
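The adaptive-timeout behaviour described in the post above, as an added Python model (not part of the post and not pf's own code): it uses the post's values (states 10240, adaptive.start 6144, adaptive.end 12288), and the base timeouts are assumed pf defaults.

```python
"""Model of pf's adaptive state-timeout scaling, using the values from the
post above.  Added illustration only; this is not pf source code."""

STATE_LIMIT = 10240
ADAPTIVE_START = 6144
ADAPTIVE_END = 12288

# Base timeouts in seconds.  Assumption: these are pf's default values for
# the listed state classes as documented in pf.conf(5).
BASE_TIMEOUTS = {
    "tcp.opening": 30,
    "tcp.established": 86400,
    "udp.single": 30,
}


def adaptive_factor(states, start=ADAPTIVE_START, end=ADAPTIVE_END):
    """Factor pf applies to every timeout at a given table occupancy.

    At or below adaptive.start nothing is scaled; between start and end the
    factor falls linearly as (end - states) / (end - start); at or beyond
    end it is 0, i.e. states expire immediately.
    """
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def effective_timeout(name, states):
    """Timeout in seconds a state of class `name` gets at this occupancy."""
    return BASE_TIMEOUTS[name] * adaptive_factor(states)


def flood_equilibrium(new_states_per_sec, base_timeout,
                      start=ADAPTIVE_START, end=ADAPTIVE_END,
                      limit=STATE_LIMIT):
    """Steady-state occupancy under a constant flood of new states.

    Each state lives base_timeout * factor(n) seconds, so the table settles
    where n = rate * T * factor(n).  In the linear region that solves to
    n = rate*T*end / (end - start + rate*T).  The result is capped at the
    state limit, since pf refuses new states once the limit is reached.
    """
    rt = new_states_per_sec * base_timeout
    if rt <= start:            # factor stays 1, so n = rate * T
        return min(rt, limit)
    return min(rt * end / (end - start + rt), limit)
```

The equilibrium model is deliberately simple (one constant rate, one base timeout, no handshake cost per state), so use it to compare settings rather than as a guarantee about a real flood.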