On 10/29/2020 11:17 AM, Roberto Peon wrote:
> Also interesting to note that the server can ignore anything it wishes
> to ignore and pretend it never received it.
> (Not to say the crypto/RNG elements are perfect or anything, just
> reminding that accepting and replying to the data is ultimately optional!)
And it is indeed a good idea to apply a rate limit of some kind to NAT rebinding events. Somewhere in my test suite is a NAT rebinding attack, in which every packet from the client arrives from a different IP address. That stresses the handling of NAT rebinding, and verifies that the server code is not getting itself tied up in knots trying to handle a whole bunch of rebindings in parallel.

-- Christian Huitema
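A server-side sketch of the rate limit discussed above, written as an added example for this thread; it is not code from either poster or from any QUIC implementation. It assumes a sliding-window limiter of three rebinding events per ten seconds, a connection that remembers one validated peer address plus at most one address under path validation, and packet input reduced to a source address and a timestamp (the names Connection, RebindingLimiter, handle_packet and simulate_rebinding_storm are all hypothetical). The constructed storm replays the test Christian describes, fifty packets each from a different source address, and shows that the server keeps serving the validated path, starts only three validations, and silently drops the rest.

```python
"""Rate-limited NAT rebinding on a QUIC-style server (added example, hypothetical names).

Assumptions: a rebinding event is any packet for an existing connection whose
source address differs from the validated peer address; the server may start a
path validation for it or simply ignore the packet. Packet parsing and crypto
are out of scope, so a packet is just (src_addr, now).
"""
from collections import deque


class RebindingLimiter:
    """Sliding-window limiter: at most max_events rebinding events per window seconds."""

    def __init__(self, max_events: int = 3, window: float = 10.0):
        self.max_events = max_events
        self.window = window
        self.events = deque()  # timestamps of accepted rebinding events

    def allow(self, now: float) -> bool:
        # Drop events that have aged out of the window, then check capacity.
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()
        if len(self.events) >= self.max_events:
            return False
        self.events.append(now)
        return True


class Connection:
    """One server-side connection with a validated peer and one pending path."""

    def __init__(self, peer, max_rebinds: int = 3, window: float = 10.0):
        self.peer = peer            # validated (ip, port) we currently send to
        self.pending = None         # address awaiting a PATH_RESPONSE, if any
        self.limiter = RebindingLimiter(max_rebinds, window)
        self.validations_started = 0
        self.ignored = 0

    def handle_packet(self, src, now: float) -> str:
        """Return 'served', 'validating' or 'ignored' for a packet from src at time now."""
        if src == self.peer:
            return "served"                 # normal path, no rebinding involved
        if src == self.pending:
            return "validating"             # already probing this address; keep waiting
        if not self.limiter.allow(now):
            self.ignored += 1               # over budget: pretend we never got it
            return "ignored"
        self.pending = src                  # start (or replace) a path validation
        self.validations_started += 1
        return "validating"

    def path_validated(self, src) -> None:
        """Called when a PATH_RESPONSE for src arrives; migrate the connection to it."""
        if src == self.pending:
            self.peer = src
            self.pending = None


def simulate_rebinding_storm(n_packets: int = 50, spacing: float = 0.01) -> dict:
    """Constructed storm: every packet from a distinct address, none ever validated."""
    original_peer = ("192.0.2.1", 4433)
    conn = Connection(original_peer)
    results = []
    for i in range(n_packets):
        src = (f"203.0.113.{i % 250 + 1}", 40000 + i)   # constructed, all distinct
        results.append(conn.handle_packet(src, now=1.0 + i * spacing))
    return {
        "validations_started": conn.validations_started,
        "ignored": conn.ignored,
        "peer_unchanged": conn.peer == original_peer,
        "results": results,
    }


if __name__ == "__main__":
    print(simulate_rebinding_storm())
```

The limiter bounds the work the server does per connection, not the work the attacker does, so the knob that matters is how many validations can be in flight at once; here that is one, and a burst of allowed rebindings simply displaces the pending probe, which is why a legitimate rebinding during an attack may need a retry from the client once the window clears.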
