Explanation of NAT and NAT table flooding

NAT stands for Network Address Translation. NAT provides 2 main duties.

The first duty is that it allows the translation of one (external) IP address to multiple (internal) IP addresses, which allows you to use more than 1 device through an Internet connection utilizing only 1 IP.

The second task that NAT performs relates to security, where it will normally only allow incoming traffic if it has been requested, so incoming unsolicited data will be ignored, and this process uses the NAT table (translation table) too keep track of the requests to know what to allow in.

NAT diagram

NAT flooding, or NAT table flooding is where the maximum number of connections or table entries is used up, and there is no more room to add further entries. The NAT table is used to track requests for data and route the data appropriately. When you click to pull up a webpage like google, as the data request is sent to google, the NAT table gets an entry about this request that logs: the computer that asked for it, the port it was requested on, where it was requested from, and the amount of time to keep this request alive (timeout). When the data comes back from google after the request, it references this to the NAT table to route the data back from which it was requested.

If data coming from the Internet does not have a NAT table entry, then that data is simply dropped, as there is no record that it was requested, and this goes a long way to keep your devices free from unrequested attacks from the Internet.
If the NAT table is full, then the data will still come and go, but with no room to create the entry in the table, the incoming data will be dropped as an unrequested connection. The NAT table in the radio (device mounted on roof by MCSNet for the Internet) uses has 2048 ports it can use at a time, so NAT flooding is normally very rare except in a couple of cases. NAT flooding through a router is also possible and is one of the reason why your router might 'hang'. The maximum number of connections supported by a router varies among different brands and models. Port forwarding and the DMZ (de-militarized zone) are protocols to allow some or all unrequested packets to a specified device.

Typical causes of NAT table flooding. The most common case of NAT flooding is peer to peer file sharing, where the file sharing program tries to connect to hundreds or thousands of other devices simultaneously. The fix to prevent NAT flooding while using a file sharing program is to limit the number of simultaneous connections, usually a couple hundred is sufficient. Another option, that is not usually available, is to set the timeout on open connections to a lower number, the default is normally 1440 minutes (24 hours), which means that the NAT table will wait up to 24 hours for the data before dropping the entry and feeing up the table entry. Viruses and other infections like botnets can also cause flooding, and the obvious fix here is to clean the infection or reload the software on the infected device.

Example: Adjusting Number of Connections used by utorrent

utorrent is currently the most popular bit torrent client. This shows how to fix the number of connections setting to help avoid NAT flooding issues.

  1. At the top, click on the Options menu item.
  2. Select, 'Preferences'
  3. In the window that appears, on the left hand panel select 'Bandwidth'
  4. Change the 'Global maximum number of connections' entry to 100 or less
  5. Click 'Apply'
utorrent max connections setting screen shot
This same setting can be found in other popular clients like 'Bit Torrent' and 'Vuze.'

Keywords: NAT flooding