9

My home router can use port-forwarding to act as a server, so I assume all internet packets sent with my public IP address as a destination are hitting it (and just not getting any response from my router since I am not using the port-forwarding).

Could one IP therefore just flood my router this way and quickly use up all of my monthly data cap limit? If this is always a possibility, just like Denial-of-Service attacks, is there anything the internet backbone and my provider do to limit it? Do cell phone data providers do more to prevent this since cell data caps are smaller?

bobuhito
    For the record, this question started on Stack Overflow. Due to no response, I then posted a [similar question to the Network Engineering experts](https://networkengineering.stackexchange.com/questions/83006/dropping-malicious-packets-as-close-to-the-source-as-possible). Then, Stack Overflow migrated its version to Superuser. – bobuhito Apr 25 '23 at 09:58

1 Answer

8

> My home router can use port-forwarding to act as a server, so I assume all internet packets sent with my public IP address as a destination are hitting it (and just not getting any response from my router since I am not using the port-forwarding).

You're probably not getting any response because the router's firewall is set to quietly drop everything. Packets would be hitting it even if it didn't do port-forwarding, as long as it had a global (public) IP address.

However, the presence of a port-forwarding feature doesn't mean it'll actually work. With a cellular connection, it's very likely that your router doesn't have a public IPv4 address at all – most such connections are behind CGNAT (carrier-grade NAT, applied by your ISP), and so the IP address shown by "What is my IP" wouldn't really be your address.

So first look carefully at your router's status page, where the router itself (not any third-party website) shows your "WAN IP address". If it's a private address – including if it's a 100.64.0.0/10 address – then you are behind CGNAT and your router is not even receiving those packets at all.

(Though while you're there, don't forget to look for "WAN IPv6 address" to find out whether your ISP supports that yet. IPv6 addresses usually won't be affected by CGNAT, although they may still be firewalled as described below.)

> Could one IP therefore just flood my router this way and quickly use up all of my monthly data cap limit?

In the simplest case, if you have a public IP address (whether it's IPv4 or IPv6) and are not behind an ISP-level firewall, yes they could.

> If this is always a possibility, just like Denial-of-Service attacks, is there anything the internet backbone and my provider do to limit it?

Your provider might, although given how small the limits seem to be, they would likely not react in time (and they probably don't care that much, either). They're fully capable of blocking traffic to your individual IP, though, and can do it before it reaches the system responsible for accounting, if they wanted to.

The "internet backbone" doesn't care about what kind of traffic it carries, and the traffic it does carry is in volumes that would drain your limit in seconds anyway (with 100 Gbps and 400 Gbps links now being the norm), so there's no time to apply any additional filtering anyway.

(There is no single "internet backbone" and hasn't been for decades; it's privately managed by various carriers – the bunch of "Tier 1" carrier ISPs is what makes up most of it. Besides that, a large chunk of "local" traffic goes directly via private peerings between ISPs rather than through carriers, making it invisible to the "backbone" anyway.)

> Do cell phone data providers do more to prevent this since cell data caps are smaller?

Many such providers put their customers behind a stateful firewall at ISP level, so that inbound packets wouldn't be accepted at all if they do not belong to a known connection or flow (similar to how a router's or PC's stateful firewall works).

(Also, as long as we're talking only about IPv4, many cell network operators just don't issue their customers public IPv4 addresses directly at all – they implement CGNAT instead, which has a similar result to your router doing NAT without port forwarding: the inbound packets either stop at the ISP's CGNAT gateways, or sometimes don't even reach them at all.

The usual result¹ of being behind CGNAT is very similar to being behind a stateful firewall – you will receive replies to your own connections, but will not receive any "new" packets.

That being said, increasingly more ISPs and network operators support IPv6, and CGNAT is usually not applied to IPv6, but an ISP that applies CGNAT to IPv4 traffic can just as well apply a regular firewall to IPv6 traffic, so it's not an issue.)

But if you have a dedicated public IP address for your cellular connection, presumably having obtained it with the intent of receiving inbound connections (despite the data cap), then you've kind of opted in to receiving any kind of inbound packet.

¹ (Though that's not inherent to NAT or CGNAT – I've seen operators do 1:1 CGNAT in the past, for reasons other than address scarcity, and it did fully allow inbound packets due to being 1:1 mapped – but the vast majority of operators using CGNAT implement it just like your router does NAT; as you can see from the almost-weekly "why does my port-forwarding not work" threads we have here.)

u1686_grawity
    Thanks for the detailed answer. My cell phone uses IPv6, so I guess my only defense against this "Data Cap Attack" (I don't see a financial motive for the attacker, but consider a vengeful ex-girlfriend, or?) is to keep my public IPv6 address a secret. By the way, do any cell phones have a setting to automatically reset/randomize its IPv6 address if unsolicited inbound traffic exceeds some low level, like 1 MB? – bobuhito Apr 25 '23 at 10:16
  • 1
    Something to add: Most ISPs only count real data packets. TCP handshake packets (like the initial connection attempt) usually are not counted. And as long as your device/router isn't accepting any traffic, it won't get any further than that initial handshake. However, for UDP traffic this won't work, as every UDP packet is a data packet. The most common use of UDP (for home users) is BitTorrent. Even after you stop the BitTorrent application on your end, others will still try to send you some UDP traffic for a while (possibly hours) that will count towards your quota. – Tonny Apr 25 '23 at 12:36
  • Somewhat unrelated, but I have a VPS and I have noticed that inbound ARP traffic uses up around 3% of my monthly bandwidth quota. Which doesn't sound like much, but it's still around 30GB of data or 1GB every day! – Michael Apr 25 '23 at 22:15
  • 1
    @Michael ARP really shouldn't be counted in your quota. If your VPS provider is charging you for ARPs then get a new provider. Also that's a lot of ARPs. Also you should know that a lot of VPS providers only charge for outbound traffic. – user253751 Apr 26 '23 at 18:11
  • @user253751 it's actually a very inexpensive provider, hence I assume the reason why inbound traffic is charged for. – Michael Apr 26 '23 at 21:09
  • Well, I suppose you are getting what you pay for. Sounds like they don't really know what they're doing. If you're getting other people's ARPs, I bet you could change your VPS's IP address and impersonate their servers. (Don't do that, it's illegal.) – user253751 Apr 26 '23 at 21:22
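Two points in the accepted answer lend themselves to a small worked check: reading the router's "WAN IP address" to decide whether the connection is behind CGNAT (the 100.64.0.0/10 shared range) or some other non-public range, and the way a stateful filter at the ISP or router admits only replies to flows the customer opened, so unsolicited packets never reach the accounting. The following Python script is an added example written for this page, not code from the answerer or from any ISP; the packet model, the addresses used (documentation ranges plus the well-known public resolver 1.1.1.1) and the byte counts are all constructed, and real accounting systems differ in what they meter.

```python
import ipaddress
from dataclasses import dataclass

# RFC 6598 shared address space, the range CGNAT deployments typically assign.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Interpret the 'WAN IP address' shown on the router's own status page.

    Returns one of 'cgnat-shared', 'private', 'link-local', 'ula', 'public', 'other'.
    Anything other than 'public' means unsolicited internet packets stop upstream
    and never reach the router (or the customer's data cap).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # Checked first: Python's ipaddress treats 100.64.0.0/10 as neither private nor global.
        if ip in CGNAT_SHARED:
            return "cgnat-shared"
        if ip.is_private:           # RFC 1918 and other non-routable ranges
            return "private"
        return "public" if ip.is_global else "other"
    if ip.is_link_local:            # fe80::/10, never a usable WAN address
        return "link-local"
    if ip.is_private:               # fc00::/7 unique-local and other reserved ranges
        return "ula"
    return "public" if ip.is_global else "other"


def reachable_from_internet(addr: str) -> bool:
    """True only when the WAN address is globally routable, i.e. inbound packets can arrive."""
    return classify_wan_address(addr) == "public"


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    size: int       # bytes on the wire, headers included
    inbound: bool   # True if arriving from the internet side


class StatefulFilter:
    """Minimal model of the per-flow state an ISP-level or router firewall keeps.

    An inbound packet is admitted only if the inside host already sent a packet
    with the mirrored 5-tuple; everything else is dropped silently.
    """

    def __init__(self) -> None:
        self._flows: set[tuple] = set()

    def admit(self, p: Packet) -> bool:
        if not p.inbound:
            self._flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self._flows


def metered_bytes(packets: list[Packet], stateful: bool) -> int:
    """Bytes that reach the accounting point, with or without a stateful filter in front of it."""
    fw = StatefulFilter()
    total = 0
    for p in packets:
        if stateful and not fw.admit(p):
            continue
        total += p.size
    return total


# Constructed sample traffic: one DNS exchange the customer started, followed by
# five unsolicited UDP packets from a source in a documentation range.
ME, RESOLVER, FLOODER = "198.51.100.10", "1.1.1.1", "203.0.113.7"
SAMPLE = [
    Packet("udp", ME, 40000, RESOLVER, 53, 100, inbound=False),
    Packet("udp", RESOLVER, 53, ME, 40000, 200, inbound=True),
] + [Packet("udp", FLOODER, 5555, ME, 9999, 1400, inbound=True) for _ in range(5)]


if __name__ == "__main__":
    for a in ("100.72.3.9", "192.168.1.2", "1.1.1.1", "fe80::1", "fd12::1"):
        print(f"{a:>16}  {classify_wan_address(a)}")
    print("unfiltered:", metered_bytes(SAMPLE, stateful=False), "bytes")
    print("stateful:  ", metered_bytes(SAMPLE, stateful=True), "bytes")
```

The DNS reply is admitted in both runs because the customer opened that flow; the flood only counts in the unfiltered run, which is the difference between a bare public address and a connection behind CGNAT or an ISP-level stateful firewall. Note that `classify_wan_address` must be fed the address the router itself reports, not the one a "what is my IP" site shows, for exactly the reason the answer gives.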