NNSquad - Network Neutrality Squad


[ NNSquad ] Verizon's clever FIOS router NAT table limitation, "DoS yourself at will with p2p"


Lauren, et al

Verizon FIOS' delivered Actiontec router (a beast of a wireless NAT box
w/ a 533 MHz proc and somewhere north of 200 megs of RAM if I recall
correctly) has a firmware limitation of ~1024 NAT table entries.

Perfect for email reading and web surfing. Once you start up any peer
to peer app (pick any app with loads of connections), the Actiontec
holds the first NAT entries for four minutes, even if you overrun the
table. Thus, once you even try to bring up your favorite web page,
you've already DoS'ed yourself. Stop everything, and in 4 minutes,
you're back in business.

http://www.broadbandreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge

(You then have a 75-watt NIM in place... MoCA to Ethernet. Of course,
this also disables the VOD service, and guide data for STBs in the
house. I didn't notice that side effect immediately as I have a couple
of TiVos in place which already provide a channel guide.)

I've personally verified the validity of the actions "accidentally"
after my own FIOS install and saw the exact error message "nat Error :
connection pool is full" (or something similar, it's been a while) once
the connections reach 1k entries or so.

The difference between this and most other SOHO routers (even far less
capable devices) is others typically "immediately" FIFO the NAT table
and do not hold entries for minutes at a time. A slowdown, perhaps, but
you can still check your email. The Actiontec isn't so kind.

Cheers,
andy burnette


p.s. Compared to Comcast's alleged forging of packets, I'd call the
Verizon solution far more clever. No network appliances or Sandvine
services needed to throttle traffic that may be less desirable, or
use more network resources. More like a flash grenade than a smoking gun.
Big flash, and you don't have a clue what hit your connection ;-)
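The behaviour Andy describes (a fixed-size NAT table whose entries are held for a full timeout even when the table is full, versus a router that simply evicts the oldest entry to make room) can be modelled in a few lines. The following Python is an added illustration, not code from the post or from the Actiontec firmware; the table size (1024), the hold time (four minutes) and the p2p/web workload are constructed from the numbers in the post. It shows why a burst of p2p flows starves every new connection until the hold expires under one policy, while the oldest-first policy only degrades the p2p session.

```python
from collections import OrderedDict

TABLE_SIZE = 1024    # ~1024 NAT entries, as described in the post
HOLD_SECONDS = 240   # entries held for four minutes, as described in the post


class NatTable:
    """Toy connection-tracking table (constructed model, not firmware code).

    evict_oldest=False: a full table rejects new flows until old entries
                        time out (the "connection pool is full" behaviour).
    evict_oldest=True:  a full table drops its oldest entry to admit the
                        new flow (the FIFO-style behaviour of most SOHO routers).
    """

    def __init__(self, capacity, hold_seconds, evict_oldest):
        self.capacity = capacity
        self.hold = hold_seconds
        self.evict_oldest = evict_oldest
        # flow key -> creation time; insertion order doubles as age order
        self.entries = OrderedDict()

    def expire(self, now):
        # Entries are inserted in time order, so the oldest is always first.
        while self.entries:
            _key, created = next(iter(self.entries.items()))
            if now - created >= self.hold:
                self.entries.popitem(last=False)
            else:
                break

    def open_flow(self, key, now):
        """Return True if the flow gets a NAT slot, False if it is refused."""
        self.expire(now)
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            if not self.evict_oldest:
                return False          # nat Error: connection pool is full
            self.entries.popitem(last=False)
        self.entries[key] = now
        return True


def simulate(evict_oldest, p2p_flows=1200, web_flows=6):
    """Constructed workload: a p2p burst, then a web page load during the
    burst, then the same web page load after the hold time has elapsed."""
    table = NatTable(TABLE_SIZE, HOLD_SECONDS, evict_oldest)

    # t = 0..10 s: the p2p client opens more flows than the table can hold.
    p2p_admitted = sum(
        table.open_flow(("p2p", i), now=i * 10.0 / p2p_flows)
        for i in range(p2p_flows)
    )

    # t = 30 s: the user opens a web page while the p2p flows are still held.
    web_during = sum(
        table.open_flow(("web", i, 30), now=30) for i in range(web_flows)
    )

    # t = 270 s: p2p stopped at t=10, so every held entry is past HOLD_SECONDS.
    web_after = sum(
        table.open_flow(("web", i, 270), now=270) for i in range(web_flows)
    )

    return {
        "p2p_admitted": p2p_admitted,
        "web_during_p2p": web_during,
        "web_after_hold": web_after,
    }


if __name__ == "__main__":
    print("hold-until-timeout:", simulate(evict_oldest=False))
    print("evict-oldest (FIFO):", simulate(evict_oldest=True))
```

Under the hold-until-timeout policy the web page gets zero slots while the p2p burst is still within its four-minute hold, and only recovers once the hold has elapsed; under the evict-oldest policy the same web flows are admitted immediately at the cost of the oldest p2p entries. From a defender's point of view the model also shows the two knobs that matter on a small NAT box: the eviction policy when the table is full, and the idle timeout that decides how long a stale entry keeps its slot.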

_______________________________________________
NNSquad mailing list information:
http://lists.nnsquad.org/mailman/listinfo/nnsquad