ReDAN: An Empirical Study on Remote DoS Attacks against NAT Networks

NDSS Symposium 2025


Presented by: [Your Name]
Original Authors: Xuewei Feng, Yuxiang Yang, Qi Li, et al.

What is NAT?

  • Network Address Translation: Maps private IP addresses to a single public IP.
  • Used in 4G/5G, public Wi-Fi, Cloud VPS, and IoT.
  • Commonly believed to enhance security by concealing internal hosts.
  • The Reality: Vulnerabilities in NAT implementations allow remote attackers to disrupt connectivity.

ReDAN Overview

Remote DoS Attacks targeting NAT

  1. Identification: Distinguish whether a public IP belongs to a NAT device or to a single host, using a PMTUD side channel.
  2. Termination: Remotely sever active TCP connections by manipulating NAT session mappings.

Key Discovery: Over 92% of real-world NAT networks tested were vulnerable.

Background: PMTUD

  • Path MTU Discovery (PMTUD): Determines the largest packet size allowed on a network path without fragmentation.
  • If a packet is too large, a router sends an ICMP "Fragmentation Needed" message.
  • The host then reduces its packet size for that destination.

Step 1: Identifying NAT

Exploiting PMTUD Desynchronization

  • The attacker's Vantage Point (VP) tricks a client into lowering its MTU.
  • The VP then sends an ICMP Echo (Ping) to the public IP.
  • Separate Host: Responds with packets fragmented to its newly lowered MTU.
  • NAT Device: Responds with a standard 1500-byte packet, because the gateway's own MTU is unchanged.

This side channel allows attackers to pinpoint NAT gateways on the Internet.

Step 2: Severing Connections

Exploiting the lack of RST packet validation

  1. Remove Mappings: Attacker sends crafted TCP RST packets with guessed ports to the NAT device.
  2. Deception: Many NAT devices remove the session mapping without checking if the sequence number is valid.
  3. State Manipulation: Attacker sends PUSH/ACK packets to the server, causing the server to send valid RSTs to the client.
  4. Result: Connectivity is lost even if the internal client's stack is secure!

Widespread Vulnerability

Target Type                        Tested      Vulnerable
Router Firmware (OpenWrt, etc.)    8 types     6 (75%)
Commercial NAT Devices             30 models   29 (96.7%)
Real-world NAT Networks            180         166 (92.2%)
Affected Vendors: NETGEAR, Linksys, Huawei, TP-Link, Xiaomi, Cisco Meraki, etc.

Impact on Real Networks

  • 4G LTE/5G: 100% of the tested 4G and 5G networks were vulnerable.
  • Public Wi-Fi: ~80-87% vulnerability rate across Wi-Fi 4, 5, and 6.
  • Cloud Networks: Vulnerabilities found in ALICLOUD, HUAWEI CLOUDS, and Tencent Cloud.
  • Attack Bandwidth: Only ~5.7 Mbps is needed to block all SSH/FTP traffic for a NAT network.

Ethical Considerations

  • User Consent: Vantage points obtained user approval before identification.
  • Non-Intrusive: Experiments only targeted the researchers' own controlled connections.
  • Responsible Disclosure: Vulnerabilities reported to IETF and affected vendors (Apple, Microsoft, Linux, etc.).
  • CVEs: 5 identifiers obtained (e.g., CVE-2023-6534).

Countermeasures

1. Fix PMTUD Side Channel

NAT devices should synchronize PMTU values with internal clients to prevent information leakage.

2. Strict TCP Validation

Enforce sequence number checking for RST packets before removing NAT mappings.
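The RST handling behind "Step 2" and this countermeasure, as an added illustration that is not code from the paper, OpenWrt or any vendor: a constructed toy NAT session table with the vulnerable handler (any tuple-matching RST removes the mapping) beside a hardened one that only honours an RST whose sequence number lies inside the tracked receive window. Field names, the window check and all sample values are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed toy NAT session table for illustration; not conntrack or vendor code. */
#define MAX_SESSIONS 16
typedef struct {
    bool active;
    uint32_t int_ip, ext_ip;               /* internal client / remote server address */
    uint16_t int_port, ext_port, nat_port; /* client port, server port, NAT public port */
    uint32_t rcv_nxt, rcv_wnd;             /* next seq expected from server, client window */
} nat_session;
static nat_session table[MAX_SESSIONS];

/* Install a mapping; returns its index, or -1 when the table is full. */
int nat_add(uint32_t int_ip, uint16_t int_port, uint32_t ext_ip, uint16_t ext_port,
            uint16_t nat_port, uint32_t rcv_nxt, uint32_t rcv_wnd) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].active) continue;
        table[i] = (nat_session){ true, int_ip, ext_ip, int_port, ext_port,
                                  nat_port, rcv_nxt, rcv_wnd };
        return i;
    }
    return -1;
}
bool nat_session_active(int idx) { return idx >= 0 && idx < MAX_SESSIONS && table[idx].active; }

/* Session an inbound packet (server -> NAT public port) belongs to, if any. */
static nat_session *nat_lookup(uint32_t src_ip, uint16_t src_port, uint16_t dst_port) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].active && table[i].ext_ip == src_ip && table[i].ext_port == src_port
            && table[i].nat_port == dst_port) return &table[i];
    return NULL;
}

/* Behaviour the paper found in most devices: any RST matching the tuple tears the
 * mapping down, so a blind RST with a guessed port succeeds. Returns true if removed. */
bool nat_handle_rst_vulnerable(uint32_t src_ip, uint16_t src_port, uint16_t dst_port, uint32_t seq) {
    nat_session *s = nat_lookup(src_ip, src_port, dst_port);
    (void)seq;                             /* sequence number is never consulted */
    if (s) s->active = false;
    return s != NULL;
}

/* Hardened variant: the RST's SEQ must lie inside the tracked receive window
 * (wraparound-safe compare, in the spirit of RFC 5961); otherwise the mapping stays. */
bool nat_handle_rst_hardened(uint32_t src_ip, uint16_t src_port, uint16_t dst_port, uint32_t seq) {
    nat_session *s = nat_lookup(src_ip, src_port, dst_port);
    if (!s || (uint32_t)(seq - s->rcv_nxt) >= s->rcv_wnd) return false; /* drop it */
    s->active = false;
    return true;
}
```

A real implementation would also have to keep the window state current as data flows, which is exactly what makes the check cheap for the NAT but costly for a blind attacker.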

Prototype on OpenWrt 22.03 confirmed these fixes work!

Conclusion

  • NAT is not a "security silver bullet."
  • ReDAN exploits fundamental flaws in NAT specifications (PMTUD).
  • Attackers can remotely identify and disable entire networks with minimal bandwidth.
  • Critical need for updated NAT standards and stricter packet validation.

Thank You!

Questions?


Paper: "ReDAN: An Empirical Study on Remote DoS Attacks against NAT Networks"