In this paper, we conduct an empirical study on remote DoS attacks targeting NAT networks. We show that Internet attackers operating outside local NAT networks can remotely identify a NAT device and subsequently terminate TCP connections initiated from the identified NAT device to external servers. Our attack involves two steps. First, we identify NAT devices on the Internet by exploiting inadequacies in the PMTUD mechanism within NAT specifications. This deficiency creates a fundamental side channel that allows Internet attackers to distinguish whether a public IPv4 address serves a NAT device or a separate IP host, aiding in the identification of target NAT devices. Second, we launch a remote DoS attack to terminate TCP connections on the identified NAT devices. While recent NAT implementations may include protective measures, such as packet legitimacy validation to prevent malicious manipulation of NAT mappings, we discover that these safeguards are not widely adopted in the real world. Consequently, attackers can send crafted packets to deceive NAT devices into erroneously removing innocent TCP connection mappings, thereby preventing NATed clients from accessing remote TCP servers. Our experimental results reveal widespread security vulnerabilities in existing NAT devices. After testing 8 types of router firmware and 30 commercial NAT devices from 14 vendors, we identify vulnerabilities in 6 firmware types and 29 NAT devices. Moreover, our measurements reveal a stark reality: 166 out of 180 (over 92%) tested real-world NAT networks, comprising 90 4G LTE/5G networks, 60 public Wi-Fi networks, and 30 cloud VPS networks, are susceptible to exploitation. We responsibly disclosed the vulnerabilities to affected vendors and received a significant number of acknowledgments. Finally, we propose our countermeasures against the identified DoS attack.
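The abstract contrasts NAT devices that drop a TCP mapping on any inbound control packet with those that perform "packet legitimacy validation" first. The following toy mapping table is an added example written for this page; it is not code from the paper or from any NAT implementation. It assumes, for illustration only, that the crafted packet is a spoofed TCP RST arriving from the Internet side (the abstract does not specify the packet type), and it models the validation as the RFC 5961-style check that a RST is honoured only when its sequence number equals the next expected sequence number, is answered with a challenge when merely in-window, and is dropped otherwise. The IP addresses, ports and sequence numbers are constructed sample values.

```python
# Added example (not from the paper): a toy NAT mapping table that contrasts
# unconditional teardown (vulnerable) with legitimacy-validated teardown (hardened).
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


@dataclass(frozen=True)
class Segment:
    """Inbound TCP segment as seen on the NAT's public interface."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    flags: FrozenSet[str]


@dataclass
class Mapping:
    """One NATed TCP connection and the receive-side state the NAT tracks for it."""
    internal_ip: str
    internal_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int   # next sequence number expected from the remote server
    rcv_wnd: int   # receive window the NAT tracks for the internal host


class NatTable:
    def __init__(self, public_ip: str, validate: bool) -> None:
        self.public_ip = public_ip
        self.validate = validate  # False models a NAT without legitimacy validation
        # keyed by (external port on the NAT, remote ip, remote port)
        self.mappings: Dict[Tuple[int, str, int], Mapping] = {}

    def add_mapping(self, m: Mapping, external_port: int) -> None:
        self.mappings[(external_port, m.remote_ip, m.remote_port)] = m

    def has_mapping(self, external_port: int, remote_ip: str, remote_port: int) -> bool:
        return (external_port, remote_ip, remote_port) in self.mappings

    def handle_inbound(self, seg: Segment) -> str:
        """Returns one of: dropped, forwarded, mapping_removed, challenge."""
        if seg.dst_ip != self.public_ip:
            return "dropped"
        key = (seg.dst_port, seg.src_ip, seg.src_port)
        m = self.mappings.get(key)
        if m is None:
            return "dropped"          # no 5-tuple match: never touches the table
        if "RST" not in seg.flags:
            return "forwarded"        # ordinary data segment, translated to the client
        if not self.validate:
            del self.mappings[key]    # vulnerable: any RST matching the 5-tuple tears down
            return "mapping_removed"
        # hardened: require the RST sequence number to be consistent with tracked state
        offset = (seg.seq - m.rcv_nxt) % SEQ_SPACE   # wrap-safe distance from RCV.NXT
        if offset == 0:
            del self.mappings[key]    # exactly the expected sequence number: accept
            return "mapping_removed"
        if offset < m.rcv_wnd:
            return "challenge"        # in-window but not exact: keep mapping, challenge ACK
        return "dropped"              # out of window: ignore the RST entirely


def build_table(validate: bool) -> NatTable:
    """Constructed sample state: one client behind the NAT talking to a remote server."""
    t = NatTable("203.0.113.10", validate)
    t.add_mapping(
        Mapping("192.168.1.20", 51000, "198.51.100.5", 443, rcv_nxt=1000, rcv_wnd=65535),
        external_port=40000,
    )
    return t


def demo() -> Tuple[str, bool, str, bool]:
    """Same constructed off-window RST against a vulnerable and a hardened NAT."""
    spoofed_rst = Segment("198.51.100.5", 443, "203.0.113.10", 40000,
                          seq=500000, flags=frozenset({"RST"}))
    weak, strong = build_table(validate=False), build_table(validate=True)
    r1 = weak.handle_inbound(spoofed_rst)
    r2 = strong.handle_inbound(spoofed_rst)
    return (r1, weak.has_mapping(40000, "198.51.100.5", 443),
            r2, strong.has_mapping(40000, "198.51.100.5", 443))


if __name__ == "__main__":
    print(demo())
```

The point to take from the two code paths is that the 5-tuple match alone is not a legitimacy check: an off-path sender that can guess the NAT's public port and the server address passes it, so the sequence-number test against tracked state is what protects the mapping.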