Today almost all ISPs use a NAT system to assign more people the same IP (at least where I am), probably because the IPv4 addresses are ending and they want to save money. Is it possible to make a DoS / DDoS attack on such a connection? Knowing the public IP address, I think theoretically it is possible to saturate the ISP circuit that uses NAT, but practically it is possible to attack only the single target? Also because I believe it is impossible for anyone with such a power to saturate the entire ISP.
-
Welcome. Your English was fine! I made a couple word changes to make it clearer. – schroeder Sep 02 '18 at 19:33
3 Answers
Saturating bandwidth capacity of an entire ISP is very well possible and unfortunately happens on a daily basis. You’re right that with techniques like carrier grade NAT and end user may not have a dedicated IPv4 address, but that can still result in an outage when attacked. And of course, if the ISP deployed IPv6, it can be possible to uniquely target the end user that way.
- 6,788
- 2
- 27
- 35
-
Well, then you can attack a single user only if he has an IPv6 address or something that gives him the opportunity to be "contacted", otherwise you need to saturate all the ISP, which will require much more power, I asked this question because I remember when a few years ago anyone could attack someone for example on skype and I wondered if it was still possible, now it takes a lot more power which makes it not by all, probably when the ipv6 will be used all over the world will return as before haha. Thanks for the clarifications. – Chi non salta Pavarotti è Sep 03 '18 at 10:18
Answer is yes, it's possible even you are behind a NAT. Because the DDoS attacks vary from network level attack like ping of death to application level attacks.
You may be lucky if your ISP has implemented Anti DDoS protection on their gateway level (most of them does these days, at least for basic attacks like ping of death, high packet rate attacks, etc).
- 2,033
- 1
- 11
- 21
-
1I did some tests and saw that I do not get an answer even from the pings, however, anyway an attack at the application level certainly works in this case too. – Chi non salta Pavarotti è Sep 03 '18 at 10:05
Well it depends. Without any explicit DNAT rules, you cannot be reached directly behind the NAT, but only after an initiated connection has been initiated from your side. However, I'm not quite sure whether the question makes sense, because when the NAT entry/exit point is DoSed, then you will also be affected, since it is your route to the Internet.
- 1,247
- 8
- 10
-
Yes, but if you aim to saturate the ISP's nat, it would take much more power than it would take to saturate the connection of a single person. As I specified in the question I would like to understand if you can only attack the target, since attacking a 30 mbps connection would be affordable for everyone and therefore more risky. – Chi non salta Pavarotti è Sep 03 '18 at 09:54