Python Magazine

Chris Angelico rosuav at gmail.com
Sat May 25 23:45:29 EDT 2013


On Sun, May 26, 2013 at 1:04 PM, John Ladasky
<john_ladasky at sbcglobal.net> wrote:
> A perfectly fair point, Roy.  It's just when you started suggesting connecting to your neighbor's file server -- well, that's not something that many people would ordinarily do.  So, my mind leaped to the possibility of uninvited connections.
>
> Related question: would denial-of-service attacks be more pernicious without a NAT?

Not sure what you mean. If we assume that network topology doesn't
change, then what we have is a single uplink (say, an ADSL connection,
given that most home users don't have luxuries) going to a router
(let's be generous here and say that's a Linux box with two NICs, and
you have a smart admin in charge of it), behind which is a set of
switches and computers making up a LAN of peers. On IPv4, the LAN
would operate on one of the RFC 1918 address blocks - say, 192.168.0.x
- and all external communication would be through one single IP
address - 203.0.113.47 will do for the purposes of discussion.

As far as other hosts on the internet are concerned, that entire
network is one single host, with address 203.0.113.47. It's unaware of
the three computers 192.168.0.4, .0.87, and .0.92; they merge into
one. This means they share the 65536 ports, they share entries on
blacklists, etc, etc.

With IPv6, that ADSL connection would come with a /64 block - say,
2001:db8:142:857::/64. Within that block, each computer would be
assigned a single address - perhaps 2001:db8:142:857::4,
2001:db8:142:857::87, and 2001:db8:142:857::92, or perhaps they'd be
assigned them by their MAC addresses, e.g.
2001:db8:142:857:200:5eff:fe00:531a, which can be done automatically.
Now all your computers (including the router) are individually
addressable; they can be identified separately, or treated as a group
(the /64 representing the whole group). Their ports, blacklist
entries, etc, are all unique. This means you can run three servers on
port 80, etc.

The question now is: What sort of DOS attack are you fearing? If it's
a simple matter of saturating the connection, it makes absolutely no
difference. As Roy said, that's just a question of overloading. If I
command more bandwidth than you do, I can saturate you. Easy. (Very
easy if I have a botnet, for instance.) Harder to judge are the
amplifying attacks; a half-open-connection attack, for instance,
attacks a TCP server's RAM allocation. It's possible that some attacks
will be easier or harder with NAT than without, but you'd have to
evaluate a specific attack technique.

ChrisA
