Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

1:1 NAT DDoS protection?

Wed Jun 16, 2021 4:40 pm

Is it possible for me to use 1:1 NAT as a DDoS protection system? If I had some Mikrotik router colocated in a datacenter that had one firewall rule that creates a 1:1 NAT to my real IP address, then all people would see is the Mikrotik's address. However, this seems too simple to work, so will it?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: 1:1 NAT DDoS protection?

Wed Jun 16, 2021 7:18 pm

? फ !
¯\_(ツ)_/¯
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1:1 NAT DDoS protection?

Wed Jun 16, 2021 7:34 pm

A device simply performing NAT (any kind) does not recognize a malicious packet and thus passes such a packet along with all others. Hence a 1:1 NAT cannot protect you from DDoS ...
Only a stateful firewall or DPI can make that distinction and protect the devices behind it.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: 1:1 NAT DDoS protection?

Wed Jun 16, 2021 7:47 pm

This is born from the false assumption "I'm behind NAT, I'm protected".
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: 1:1 NAT DDoS protection?

Wed Jun 16, 2021 7:55 pm

The idea is to use the NAT as a choke point so the "real" network only gets as much as the router can pass through. That's actually what Cloudflare does, but on a bigger scale. Also, it's to help hide the real IP so it can't be targeted directly.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1:1 NAT DDoS protection?

Wed Jun 16, 2021 8:26 pm

> Also, it's to help hide the real IP so it can't be targeted directly.

What good does it do? If the NAT device performs 1:1, then every single packet destined to the "fake" IP will reach the "real" IP. Just as if there were no NAT, only with one more hop. NAT combined with a firewall is a different matter ... but it's the firewall that makes all the difference.
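
Added example, not part of the thread and not any poster's configuration: a RouterOS configuration that puts the 1:1 NAT discussed above next to the forward-chain filter rules that actually decide what reaches the real host. The addresses (documentation ranges), the interface name `ether1`, the HTTPS service on port 443 and the connection cap are assumptions made for illustration.

```routeros
# Constructed placeholders (assumptions, not from the thread):
#   203.0.113.10   public ("fake") address on the colocated router
#   198.51.100.20  real host; assumed to route its replies back through this router
#   ether1         uplink interface of the colocated router

/ip firewall nat
# 1:1 NAT on its own: every packet sent to 203.0.113.10 is rewritten and
# forwarded to 198.51.100.20, whatever it contains.
add chain=dstnat dst-address=203.0.113.10 action=dst-nat \
    to-addresses=198.51.100.20 comment="1:1 inbound"
add chain=srcnat src-address=198.51.100.20 action=src-nat \
    to-addresses=203.0.113.10 comment="1:1 outbound"

/ip firewall filter
# dstnat runs before the forward chain, so these rules match the real address.
add chain=forward connection-state=established,related action=accept \
    comment="traffic belonging to tracked connections"
add chain=forward connection-state=invalid action=drop \
    comment="packets that match no tracked connection"
# Cap concurrent new TCP connections per source /32 (50 is a constructed value).
add chain=forward in-interface=ether1 dst-address=198.51.100.20 protocol=tcp \
    dst-port=443 connection-state=new connection-limit=50,32 action=drop \
    comment="per-source connection cap"
add chain=forward in-interface=ether1 dst-address=198.51.100.20 protocol=tcp \
    dst-port=443 connection-state=new action=accept \
    comment="the one published service"
# Everything else addressed to the real host stops at the colocated router.
add chain=forward in-interface=ether1 dst-address=198.51.100.20 action=drop \
    comment="default deny toward real host"
```

With only the two NAT rules, the real host receives exactly what it would receive without the router in the path; the filter rules are what reduce it. Dropped packets still arrive on the colocated router's uplink, so that link and CPU remain the limit on what the setup can absorb.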
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: 1:1 NAT DDoS protection?

Wed Jun 16, 2021 8:30 pm

If the router at the datacenter is equal to or less powerful than the one at the real network, then I can still do stuff at the protected network and I only have to think about the one at the datacenter. That basically means the NAT is a sacrificial setup that simply protects me from giant attacks.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1:1 NAT DDoS protection?

Wed Jun 16, 2021 10:14 pm

Right.
