Penetration Testing mailing list archives

Re: How NAT reacts on table flood ?


From: Ralph Forsythe <rforsythe () 5280tech com>
Date: Tue, 11 Jul 2006 14:39:50 -0600 (MDT)

Were you actually NAT'ing out the FreeBSD box, or just using it to inspect traffic to/from a public IP?

Any system that performs NAT has a finite amount of space in which to translate packets. In the simplest case, you will be translating all traffic out as one IP address (the external IP of the firewall/router). Unless a smaller limit is imposed, your hard limit is always the number of high ports available for the return traffic; (65536-1024)=64512. Some devices also have a session, or 'state', limit set lower. An example would be the smaller Netscreen firewalls, which don't let you get anywhere close to the number of possible high ports before the session table fills up.

If nmap closes the connections and the NAT device clears the state, you'll regain that entry for future use. However, these things can take some time to close or expire, so it is very possible to max out the table on any NAT device if you can send enough new connections in a given span of time. They're also typically designed so that once you have a state you keep it, so if a user (or group of them) fills up the table, nobody else will be able to create a new entry until an old one closes or expires. Old states won't be forced out in favor of new ones.

Some systems have rudimentary protection against this by way of limiting the number of sessions any one host can open at a time; obviously gaining control of several systems can bypass that control. Spoofing your IP as many within the allowed netblock could also potentially let you do this from one host.

Unless the NAT device fails in an open state (very very bad, and also quite unlikely) you don't have much of a chance of actually breaching a security barrier with this type of 'attack'. It is an effective DoS tool however, since it will block new outbound connections from forming.

- Ralph

On Tue, 11 Jul 2006, Bob Middaugh wrote:

Use FreeBSD. I've scanned aggressively with several nmap processes running, with no problem at all... and that box also does stateful packet inspection.
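The behaviour Ralph describes above (a finite pool of return ports, idle entries that only free up on expiry, existing states that are never evicted for new ones, and an optional per-host session cap) can be modelled with a small translation-table simulation. This is an added example written for this archive page, not code from either poster or from any NAT implementation. The pool size is the 64512 return ports computed in the post; the smaller pool used in the two demo functions, the idle timeout, the per-source cap and the addresses are constructed assumptions chosen to keep the runs short.

```python
"""Simulated NAT translation table: finite high-port pool, idle expiry, per-source cap."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Return ports available when every flow is translated to one external IP,
# as computed in the post: (65536 - 1024) = 64512.
HIGH_PORT_POOL = 65536 - 1024

FlowKey = Tuple[str, int, str, int]            # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class NatTable:
    pool_size: int = HIGH_PORT_POOL
    idle_timeout: float = 60.0                  # seconds of silence before an entry expires
    per_source_limit: Optional[int] = None      # sessions one inside host may hold at once
    entries: Dict[FlowKey, Tuple[int, float]] = field(default_factory=dict)  # key -> (port, last_seen)
    free_ports: List[int] = field(init=False)

    def __post_init__(self) -> None:
        # Free return ports start at 1024; the pool is fixed for the life of the device.
        self.free_ports = list(range(1024, 1024 + self.pool_size))

    def expire(self, now: float) -> int:
        """Release entries idle longer than idle_timeout; returns how many were freed."""
        stale = [k for k, (_, seen) in self.entries.items() if now - seen > self.idle_timeout]
        for key in stale:
            port, _ = self.entries.pop(key)
            self.free_ports.append(port)
        return len(stale)

    def sessions_from(self, src_ip: str) -> int:
        return sum(1 for key in self.entries if key[0] == src_ip)

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                  now: float) -> Optional[int]:
        """Return the translated port for this flow, or None if the device refuses it."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.entries:                 # existing state keeps its port and is refreshed
            port, _ = self.entries[key]
            self.entries[key] = (port, now)
            return port
        if self.per_source_limit is not None and self.sessions_from(src_ip) >= self.per_source_limit:
            return None                         # per-host cap reached
        if not self.free_ports:
            return None                         # table full: old states are never evicted
        port = self.free_ports.pop()
        self.entries[key] = (port, now)
        return port


def open_flows(nat: NatTable, src_ip: str, count: int, now: float = 0.0,
               dst_ip: str = "203.0.113.10", dst_port: int = 80) -> int:
    """Open `count` distinct flows from src_ip (varying the source port); returns how many were granted."""
    granted = 0
    for i in range(count):
        if nat.translate(src_ip, 1024 + i, dst_ip, dst_port, now) is not None:
            granted += 1
    return granted


def exhaustion_demo(pool: int = 100, timeout: float = 60.0) -> dict:
    """One inside host fills a (deliberately small) pool; a second host is blocked until expiry frees entries."""
    nat = NatTable(pool_size=pool, idle_timeout=timeout)
    opened = open_flows(nat, "10.0.0.5", pool + 20, now=0.0)          # only `pool` succeed
    blocked = nat.translate("10.0.0.9", 40000, "198.51.100.1", 443, now=1.0) is None
    expired = nat.expire(now=timeout + 2)                              # idle entries age out
    recovered = nat.translate("10.0.0.9", 40000, "198.51.100.1", 443, now=timeout + 2) is not None
    return {"opened": opened, "new_host_blocked": blocked, "expired": expired, "recovered": recovered}


def per_source_demo(pool: int = 100, cap: int = 10) -> Tuple[int, int, int]:
    """A per-host cap bounds one source, but the pool still fills once enough distinct sources appear."""
    nat = NatTable(pool_size=pool, per_source_limit=cap)
    one_host = open_flows(nat, "10.0.0.5", 50)                                  # capped at `cap`
    many_hosts = sum(open_flows(nat, f"10.0.0.{i}", cap) for i in range(10, 30))  # limited by the pool
    return one_host, many_hosts, len(nat.free_ports)


if __name__ == "__main__":
    print(exhaustion_demo())
    print(per_source_demo())
```

The two demo functions make the post's sizing point explicit for a defender: a per-source session cap only protects the table when cap multiplied by the number of inside addresses that can reach the device stays below the port pool, and a short idle timeout is what turns a full table back into usable capacity.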



