ipfw NAT is vulnerable to DoS attacks by sending IP packets to the external IP address and any port.
In this situation CPU usage goes to 100%.
NAT should find a matching internal address and, if not, skip the packet to the external IP.
This process (with a failed search) takes a lot of time and resources.
Could you add some more detail or steps to reproduce? If this issue still exists in FreeBSD, I would be very interested in fixing this. If I don't have any response in the next few months I will close this issue.
It seems that the problem still exists:
(Articles in German)
It's a variant of the LAND attack https://en.wikipedia.org/wiki/LAND.
My solution is to use ipfw (which is used to activate NAT) to drop incoming packets sourced from the public NAT IP. So, simple anti-spoofing.
All versions up to current are affected.
I went through the source code and can drill the problem down to a full scan of an unsorted linked list in a given hash bucket. This eats CPU cycles for breakfast.
A workaround is to increase the hash table size in sys/netinet/libalias/alias_local.h:
#define LINK_TABLE_OUT_SIZE 4001
A short term solution is to make the hard coded parameters tunable.
But the real solution is to find a data structure which allows sub-linear access methods to the flow data. Possibly using a non-blocking algorithm for access and modification.
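To illustrate the cost described in the comment above (a failed lookup walks the whole unsorted chain of its bucket, and chains get shorter as the bucket count grows), here is an added C model of a chained link table. It is example code written for this page, not libalias itself; the hash function, the constructed flow set and the probe tuple are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Minimal model of a libalias-style link table: an array of buckets, each an
 * unsorted singly linked list of flows reduced to address + port.
 * Illustrative code only, not libalias itself. */
struct flow { uint32_t addr; uint16_t port; struct flow *next; };
/* Bucket index; nb plays the role of LINK_TABLE_OUT_SIZE (assumed hash). */
static size_t flow_hash(uint32_t a, uint16_t p, size_t nb) { return (size_t)(((uint64_t)a * 31u + p) % nb); }
static void insert(struct flow **tbl, size_t nb, uint32_t addr, uint16_t port)
{
    struct flow *f = malloc(sizeof *f);
    size_t h = flow_hash(addr, port, nb);
    *f = (struct flow){ addr, port, tbl[h] };   /* push at head; chain stays unsorted */
    tbl[h] = f;
}
/* Walk the chain as a lookup does and count compared entries: a hit stops
 * early, a miss is compared against every entry in the chain. */
static size_t lookup_cost(struct flow **tbl, size_t nb, uint32_t addr, uint16_t port)
{
    size_t cmp = 0;
    for (struct flow *f = tbl[flow_hash(addr, port, nb)]; f; f = f->next) {
        cmp++;
        if (f->addr == addr && f->port == port) break;
    }
    return cmp;
}

/* Fill a table with nflows constructed flows (10.0.0.1:1024 upward), then
 * look up 192.0.0.2:1, which was never inserted: the unmatched-packet case. */
size_t miss_cost(size_t nbuckets, size_t nflows)
{
    struct flow **tbl = calloc(nbuckets, sizeof *tbl);
    for (size_t i = 0; i < nflows; i++)
        insert(tbl, nbuckets, 0x0A000001u + (uint32_t)i, (uint16_t)(1024 + i));
    size_t cost = lookup_cost(tbl, nbuckets, 0xC0000002u, 1);
    for (size_t b = 0; b < nbuckets; b++)
        for (struct flow *f = tbl[b], *n; f; f = n) { n = f->next; free(f); }
    free(tbl);
    return cost;
}

int main(void)
{
    size_t sizes[] = { 1, 101, 4001 };   /* 4001 is the value suggested above */
    for (size_t i = 0; i < 3; i++)
        printf("%5zu buckets: %4zu comparisons per miss\n", sizes[i], miss_cost(sizes[i], 1000));
    return 0;
}
```

The cost reported is a comparison count rather than measured CPU time, but it scales the same way: with 1000 flows, a single bucket means every unmatched packet touches all 1000 entries, while 4001 buckets leave each chain at most one entry long.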