The NAT device implements security through mechanisms such as a limit on the number of sessions that can be established, session table aging, and so on.
NAT is a stateful address translation technique, and session tables are core NAT resources. If denial of service (DoS) attacks, such as SYN flood attacks, are initiated, all NAT session table resources may be used up, which causes a failure to establish session tables for legitimate users and therefore access failures. With this function, a NAT device counts the number of TCP, UDP, and ICMP sessions established using a single IP address. If the number of sessions initiated using a source IP address or destined for a destination IP address exceeds a specified threshold, the IP address cannot be used to initiate new connections.
After the total number of TCP, UDP, and ICMP sessions used by the IP address falls below the configured threshold, the IP address can be used again to initiate TCP, UDP, and ICMP connections.
The aging time for application-specific NAT session entries in a NAT table can be set on a NAT device. After the aging time elapses, the NAT device automatically ages the entries and releases session resources. The NAT device can be configured to forcibly age all session tables or a specific type of session tables.
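The per-IP session limit and the session aging behaviour described above, as an added worked example (constructed here, not vendor code): a simplified NAT session table that counts TCP, UDP, and ICMP sessions per source and destination address, refuses new connections from or to an address at the limit, ages entries per protocol, and admits the address again once its sessions have aged out. The limit of 3 sessions and the aging times are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of a NAT session table with a per-IP session limit and
# per-protocol aging. Not vendor code; limits and timings are assumptions.

Key = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class Session:
    key: Key
    last_seen: float


class NatSessionTable:
    def __init__(self, per_ip_limit: int, aging: Dict[str, float]):
        self.per_ip_limit = per_ip_limit      # max TCP+UDP+ICMP sessions per IP address
        self.aging = aging                    # aging time in seconds, per protocol
        self.sessions: Dict[Key, Session] = {}
        self.src_count: Dict[str, int] = {}   # sessions initiated by each source IP
        self.dst_count: Dict[str, int] = {}   # sessions destined for each destination IP

    @staticmethod
    def _count(table: Dict[str, int], ip: str, delta: int) -> None:
        table[ip] = table.get(ip, 0) + delta
        if table[ip] <= 0:
            del table[ip]

    def open_session(self, key: Key, now: float) -> bool:
        """Create (or refresh) a session; False if the source or destination IP is at its limit."""
        proto, src_ip, _, dst_ip, _ = key
        if key in self.sessions:
            self.sessions[key].last_seen = now
            return True
        if self.src_count.get(src_ip, 0) >= self.per_ip_limit:
            return False
        if self.dst_count.get(dst_ip, 0) >= self.per_ip_limit:
            return False
        self.sessions[key] = Session(key, now)
        self._count(self.src_count, src_ip, 1)
        self._count(self.dst_count, dst_ip, 1)
        return True

    def age(self, now: float, proto: Optional[str] = None, force: bool = False) -> int:
        """Age expired entries; with force=True, age all entries (or all of one protocol).
        Returns the number of sessions released."""
        expired = []
        for key, sess in self.sessions.items():
            if proto is not None and key[0] != proto:
                continue
            if force or now - sess.last_seen >= self.aging[key[0]]:
                expired.append(key)
        for key in expired:
            del self.sessions[key]
            self._count(self.src_count, key[1], -1)
            self._count(self.dst_count, key[3], -1)
        return len(expired)


def syn_flood_demo() -> dict:
    """One address floods half-open TCP sessions; a normal user is unaffected."""
    table = NatSessionTable(per_ip_limit=3, aging={"tcp": 60.0, "udp": 30.0, "icmp": 10.0})
    attacker = "10.0.0.99"            # constructed sample addresses
    server = "203.0.113.5"
    # Five connection attempts from one source: only three are admitted.
    admitted = sum(table.open_session(("tcp", attacker, 40000 + i, server, 80), now=0.0)
                   for i in range(5))
    # The limit is per IP address, so another user still gets a session.
    normal_ok = table.open_session(("udp", "10.0.0.7", 5353, "203.0.113.9", 53), now=1.0)
    # After the TCP aging time elapses the flood entries are released (the UDP entry too).
    aged = table.age(now=61.0)
    # The address can initiate connections again once its count is below the threshold.
    after_aging = table.open_session(("tcp", attacker, 50000, server, 80), now=61.0)
    return {"admitted": admitted, "normal_ok": normal_ok, "aged": aged, "after_aging": after_aging}


if __name__ == "__main__":
    print(syn_flood_demo())
```

The model checks both the source and destination counters, as the text says the threshold applies in either direction; forced aging of one protocol is `table.age(now, proto="tcp", force=True)`.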
A NAT device uses a multi-core structure and allows the flow construction and forwarding processes to share CPU resources. The NAT device dynamically learns the sizes of flows and limits the speed and resources used to construct flows.
If the number of user sessions reaches a specified upper limit, flow construction degrades the performance of other services. To minimize the impact, the rate at which the NAT device constructs flows can be set. Alternatively, the committed access rate (CAR) function can be configured to limit the rate at which the NAT device constructs flows for all users, so that user services are still transmitted properly.
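A rate limit on flow construction, as an added example that is not part of the original page: a token-bucket limiter (the usual way a CAR is implemented) applied to new-flow creation, so that a burst of connection requests only consumes the configured burst and further flows are built at the configured rate. The rate of 100 flows per second and burst of 10 are constructed values.

```python
# Constructed token-bucket model of a CAR applied to flow construction.
# Not vendor code; the rate and burst values are assumptions.


class FlowConstructionLimiter:
    """Admit at most `burst` new flows at once and `rate` new flows per second thereafter."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate              # tokens (new flows) replenished per second
        self.burst = burst            # bucket capacity
        self.tokens = float(burst)    # start with a full bucket
        self.last = 0.0               # timestamp of the last refill

    def allow_new_flow(self, now: float) -> bool:
        # Refill tokens for the elapsed time, capped at the bucket size.
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                  # over the rate: defer flow construction


def burst_demo() -> dict:
    """50 flow requests arrive at once, then 50 more 100 ms later."""
    limiter = FlowConstructionLimiter(rate=100.0, burst=10)
    # Only the burst of 10 is built immediately; the other 40 are refused.
    built_in_burst = sum(limiter.allow_new_flow(now=0.0) for _ in range(50))
    # 100 ms later 100 flows/s * 0.1 s = 10 tokens have been replenished.
    built_after_wait = sum(limiter.allow_new_flow(now=0.1) for _ in range(50))
    return {"built_in_burst": built_in_burst, "built_after_wait": built_after_wait}


if __name__ == "__main__":
    print(burst_demo())
```

Forwarding for existing sessions is untouched by the limiter; only the creation of new session entries is paced, which is what keeps a flood of new connections from starving the forwarding path of CPU.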
The NAT blacklist function protects against attacks initiated using network-side first packets on a specific combination of IP address, port number, and protocol type, or on all IP addresses. If no internal server is deployed, or public network traffic has no matching entry in the session table on a NAT device, traffic reaching a specified rate threshold is considered attack traffic. The IP address, destination UDP port number, and destination TCP port number of the attack traffic are added to a NAT blacklist on the NAT device. The NAT device discards network-side traffic that matches a blacklist entry's IP address, port number, and protocol type. If public network traffic matches only the IP address of a blacklist entry, statistics about the traffic are collected and the traffic is not discarded. In addition, NAT blacklist entries can be cleared automatically: if the reverse attack traffic rate is less than 16 kpps within 10 minutes, the blacklist entry ages automatically. Entries can also be aged manually.
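The blacklist behaviour described above, as an added worked example (a constructed model, not vendor code): network-side first packets that match no session are counted per (IP address, protocol, port); once their rate reaches a threshold the tuple is blacklisted, later traffic matching the full tuple is dropped, traffic that matches only the IP address is counted but forwarded, and an entry ages out when its hit rate over the aging window stays below the threshold. The 100 pps attack threshold and the sample addresses are assumptions; the 16 kpps and 10 minute aging figures are the page's own.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed model of the NAT blacklist logic. Not vendor code.
# attack_threshold_pps is an assumption; 16 kpps / 600 s come from the text.

Entry = Tuple[str, str, int]  # (dst_ip, proto, dst_port) seen in network-side first packets


class NatBlacklist:
    def __init__(self, attack_threshold_pps: float,
                 aging_rate_pps: float = 16_000.0, aging_window_s: float = 600.0):
        self.attack_threshold_pps = attack_threshold_pps
        self.aging_rate_pps = aging_rate_pps
        self.aging_window_s = aging_window_s
        self.unmatched: Dict[Entry, List[float]] = defaultdict(list)  # first-packet timestamps, last 1 s
        self.entries: Dict[Entry, List[float]] = {}                   # entry -> [hits, created_at]
        self.ip_only_stats: Dict[str, int] = defaultdict(int)         # IP-only matches, never dropped
        self.dropped = 0

    @staticmethod
    def _rate(timestamps: List[float], now: float, window: float = 1.0) -> float:
        # Keep the last `window` seconds of timestamps and return packets per second.
        timestamps[:] = [t for t in timestamps if now - t <= window]
        return len(timestamps) / window

    def inbound_packet(self, dst_ip: str, proto: str, dst_port: int,
                       now: float, has_session: bool) -> str:
        key = (dst_ip, proto, dst_port)
        # 1. Exact match on IP, protocol and port: discard and count the hit.
        if key in self.entries:
            self.entries[key][0] += 1
            self.dropped += 1
            return "drop"
        # 2. IP-only match: collect statistics, do not discard.
        if any(e[0] == dst_ip for e in self.entries):
            self.ip_only_stats[dst_ip] += 1
        if has_session:
            return "forward"
        # 3. First packet with no session entry: measure its rate per tuple.
        self.unmatched[key].append(now)
        if self._rate(self.unmatched[key], now) >= self.attack_threshold_pps:
            self.entries[key] = [0.0, now]
            del self.unmatched[key]
            return "blacklisted"
        return "no-session"

    def age(self, now: float, key: Optional[Entry] = None) -> List[Entry]:
        """Manual aging of one entry, or automatic aging of entries whose reverse
        traffic rate over the aging window fell below aging_rate_pps."""
        if key is not None:
            return [key] if self.entries.pop(key, None) is not None else []
        aged = []
        for k, (hits, created) in list(self.entries.items()):
            elapsed = now - created
            if elapsed >= self.aging_window_s and hits / elapsed < self.aging_rate_pps:
                aged.append(k)
                del self.entries[k]
        return aged


def first_packet_flood_demo() -> dict:
    bl = NatBlacklist(attack_threshold_pps=100.0)
    target = "203.0.113.5"  # constructed public address with no internal server behind it
    verdicts = [bl.inbound_packet(target, "udp", 5060, now=i * 0.004, has_session=False)
                for i in range(120)]           # 120 unmatched first packets within 0.5 s
    first_blacklisted_at = verdicts.index("blacklisted")
    after = bl.inbound_packet(target, "udp", 5060, now=1.0, has_session=False)   # exact match
    other_port = bl.inbound_packet(target, "tcp", 443, now=1.0, has_session=True)  # IP-only match
    aged = bl.age(now=1.0 + 600.0)  # far below 16 kpps over 10 minutes: entry ages out
    return {"first_blacklisted_at": first_blacklisted_at, "after": after,
            "other_port": other_port, "ip_only_stats": bl.ip_only_stats[target],
            "aged": len(aged), "dropped": bl.dropped}


if __name__ == "__main__":
    print(first_packet_flood_demo())
```

The distinction in step 2 matters operationally: a blacklist entry keyed on the full tuple blocks the attacked port only, while other traffic to the same public address keeps flowing and merely shows up in the statistics, which is what lets a defender confirm an entry is not collateral damage before it ages out.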