In this paper, we conduct an empirical study on remote DoS attacks targeting NAT networks. We show that Internet attackers operating outside local NAT networks can remotely identify a NAT device and subsequently terminate TCP connections initiated from the identified NAT device to external servers. Our attack involves two steps. First, we identify NAT devices on the Internet by exploiting inadequacies in the PMTUD mechanism within NAT specifications. This deficiency creates a fundamental side channel that allows Internet attackers to distinguish if a public IPv4 address serves a NAT device or a separate IP host, aiding in the identification of target NAT devices. Second, we launch a remote DoS attack to terminate TCP connections on the identified NAT devices. While recent NAT implementations may include protective measures, such as packet legitimacy validation to prevent malicious manipulations on NAT mappings, we discover that these safeguards are not widely adopted in real world. Consequently, attackers can send crafted packets to deceive NAT devices into erroneously removing innocent TCP connection mappings, thereby disrupting the NATed clients to access remote TCP servers. Our experimental results reveal widespread security vulnerabilities in existing NAT devices. After testing 8 types of router firmware and 30 commercial NAT devices from 14 vendors, we identify vulnerabilities in 6 firmware types and 29 NAT devices. Moreover, our measurements reveal a stark reality: 166 out of 180 (over 92%) tested real-world NAT networks, comprising 90 4G LTE/5G networks, 60 public Wi-Fi networks, and 30 cloud VPS networks, are susceptible to exploitation. We responsibly disclosed the vulnerabilities to affected vendors and received a significant number of acknowledgments. Finally, we propose our countermeasures against the identified DoS attack.

翻译：本文针对NAT网络开展远程DoS攻击的实证研究。我们证明，在本地NAT网络外部操作的互联网攻击者能够远程识别NAT设备，并随后终止从已识别NAT设备发往外部服务器的TCP连接。我们的攻击包含两个步骤：首先，通过利用NAT规范中PMTUD机制的缺陷来识别互联网上的NAT设备。该缺陷构成了一个本质性的侧信道，使得互联网攻击者能够区分某个公共IPv4地址是服务于NAT设备还是独立IP主机，从而辅助识别目标NAT设备。其次，我们对已识别的NAT设备发起远程DoS攻击以终止其TCP连接。尽管近期的NAT实现可能包含防护措施（例如通过数据包合法性验证来防止对NAT映射的恶意篡改），但我们发现这些防护措施在现实环境中并未得到广泛采用。因此，攻击者可以发送特制数据包诱使NAT设备错误地移除正常的TCP连接映射，从而破坏NAT客户端访问远程TCP服务器的能力。实验结果表明现有NAT设备普遍存在安全漏洞：在测试的8种路由器固件和来自14家厂商的30台商用NAT设备中，我们发现了6种固件类型和29台NAT设备存在漏洞。此外，测量数据揭示了一个严峻现实：在180个实测的真实NAT网络（包括90个4G LTE/5G网络、60个公共Wi-Fi网络和30个云VPS网络）中，有166个（超过92%）存在被利用的风险。我们已向受影响厂商负责任地披露了这些漏洞，并获得了大量确认反馈。最后，我们针对已识别的DoS攻击提出了相应的防御对策。