Internet access denial by higher-tier ISPS: A NAT-based solution

Abstract

The Internet is an interconnection of Autonomous Systems (ASes) of which many are controlled by Internet Service Providers (ISPs). ASes use Border Gateway Protocol (BGP) to communicate routing information to each other. BGP does not allow a network to control how its traffic is routed. As a result, traffic belonging to a specific network can be intentionally dropped as it is routed by BGP through a malicious ISP; a behavior we define as Internet access denial. The impact of Internet access denial, especially when performed by higher-tier ISPs, can be severe. In this paper, Network Address Translation (NAT) is used as a solution to overcome the Internet access denial problem by hiding the traffic identity. The proposed solution is scalable to fit large networks, by using pools of IP addresses across several NAT routers. Under high network load, the performance degradation of introducing NAT on the end-to-end delay and throughput is at most 0.2% and 0.3%, respectively.