Abstract

Nowadays, Network Address Translation (NAT) is widely used to allow multiple devices within a private network to share a smaller number of public IP addresses. NAT Overloading, or Port Address Translation (PAT), is an extension of NAT that translates both the IP address and the port number of a packet in order to identify which inside local address each packet belongs to. PAT is often used in a virtual environment, where multiple virtual machines are connected to the Internet through the host machine's IP address. However, an apparent downside of PAT is that once all of the ports are in use, no new outbound connection can be made from the local addresses. In this paper, we present the Slow-port-exhaustion DoS Attack on a virtual network, a new type of DoS attack that exploits some flaws of the TCP protocol. In this attack, a compromised internal virtual machine with a low amount of attack bandwidth can occupy the host machine's ports for a long time and thereby prevent other machines on the same virtual network from connecting to the external network. We created a virtual network with a PAT-implementing gateway and performed the experimental attack. In the analysis, we explore gateway behavior that could benefit this kind of attack. We also introduce some countermeasures against this kind of attack.
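To make the exhaustion condition and a quota-style mitigation concrete, here is an added toy model of a PAT port pool (not the paper's code; the per-inside-host mapping quota and the idle timeout are assumed generic NAT settings, since the abstract does not name the paper's own countermeasures, and the pool size and addresses are constructed):

```python
"""Toy PAT port-pool model (added example, not the paper's code). The per-host
quota and idle timeout are assumed generic NAT settings, not the paper's own."""
from dataclasses import dataclass, field

@dataclass
class PatTable:
    port_lo: int = 1024            # first public port used for translation
    port_hi: int = 1088            # constructed 64-port pool so exhaustion is fast
    per_host_quota: "int | None" = None   # None = unlimited (weak setting)
    idle_timeout: float = 60.0     # seconds an idle mapping is retained
    mappings: dict = field(default_factory=dict)  # pub port -> (ip, port, last_seen)

    def host_usage(self, inside_ip):
        return sum(1 for ip, _, _ in self.mappings.values() if ip == inside_ip)

    def expire(self, now):
        """Drop mappings idle for at least idle_timeout; return how many."""
        dead = [p for p, (_, _, t) in self.mappings.items() if now - t >= self.idle_timeout]
        for p in dead:
            del self.mappings[p]
        return len(dead)

    def refresh(self, now):
        """A packet on a mapping resets its idle clock (touch all of them here)."""
        for p in list(self.mappings):
            ip, port, _ = self.mappings[p]
            self.mappings[p] = (ip, port, now)

    def allocate(self, inside_ip, inside_port, now):
        """Public port for a new outbound flow, or None if refused."""
        self.expire(now)
        if self.per_host_quota is not None and self.host_usage(inside_ip) >= self.per_host_quota:
            return None
        for p in range(self.port_lo, self.port_hi):
            if p not in self.mappings:
                self.mappings[p] = (inside_ip, inside_port, now)
                return p
        return None

def simulate(quota=None):
    """10.0.0.5 opens flows until refused, then refreshes them every 30 s for
    ten minutes (inside idle_timeout); 10.0.0.6 then tries once.
    Returns (ports held by 10.0.0.5, whether 10.0.0.6 got a port)."""
    table = PatTable(per_host_quota=quota)
    held = 0
    while table.allocate("10.0.0.5", 40000 + held, now=0.0) is not None:
        held += 1
    for t in range(30, 601, 30):          # sparse keep-alives, low bandwidth
        table.refresh(now=float(t))
    victim_ok = table.allocate("10.0.0.6", 50000, now=600.0) is not None
    return held, victim_ok
```

Without a quota the keep-alives defeat the idle timeout and the second host is refused; with a quota of 16 the hog is capped and the second host still gets a port.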
