by dfawcus
564 days ago
I am assuming attacks against a home/retail NAT box, where the full 5-tuple is not required, only the 3-tuple being translated to on the public side of that NAT box. That being the endpoint independent mapping. All an attacker needs to do is send packets from any source address and port, but using the same protocol (TCP/UDP) targeting that public 3-tuple, and the NAT box will allow the packet in. I was not suggesting that the attacker resort to spoofing its source address, but use its real one. The attacker itself could be a zombie controlled by the real CnC entity, so mitigating against detection. Finding the 3-tuple is the challenge, but not too great a one. One would start by seeing what info could be leaked from the public sites such NATed clients are connecting to.
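A toy model of the NAT mapping and filtering behaviours the comment is about (the RFC 4787 terms), added here as an illustration rather than code from the commenter or any real NAT: it shows why an endpoint-independent filter forwards an unsolicited packet aimed at the public 3-tuple, and that address-dependent or address-and-port-dependent filtering is the setting that blocks it. Addresses and ports in the demo are constructed.

```python
# Toy model of the RFC 4787 NAT behaviours this comment discusses; an added
# illustration, not code from the commenter or from any real NAT. Assumed
# scenario: an internal host opens one UDP flow, then unsolicited packets arrive.
from dataclasses import dataclass, field

EIF = "endpoint-independent"         # accept any remote endpoint to the mapping
ADF = "address-dependent"            # remote IP must be one the host contacted
APDF = "address-and-port-dependent"  # remote IP:port must be one the host contacted

@dataclass
class Mapping:
    internal: tuple                            # (ip, port) of the inside host
    external_port: int                         # port allocated on the public IP
    peers: set = field(default_factory=set)    # (ip, port) endpoints contacted

class ToyNat:
    def __init__(self, public_ip, filtering):
        self.public_ip, self.filtering = public_ip, filtering
        self.mappings = {}      # (proto, internal ip, internal port) -> Mapping
        self.next_port = 40000

    def outbound(self, proto, src, dst):
        # Endpoint-independent mapping: one external port per internal 3-tuple,
        # reused for every destination, so the public 3-tuple stays stable.
        key = (proto, *src)
        if key not in self.mappings:
            self.mappings[key] = Mapping(src, self.next_port)
            self.next_port += 1
        self.mappings[key].peers.add(dst)
        return (self.public_ip, self.mappings[key].external_port)

    def inbound(self, proto, src, dst):
        # Returns the internal endpoint the packet is forwarded to, or None.
        for (p, *_), m in self.mappings.items():
            if p != proto or dst != (self.public_ip, m.external_port):
                continue
            if self.filtering == EIF:
                return m.internal
            if self.filtering == ADF and src[0] in {ip for ip, _ in m.peers}:
                return m.internal
            if self.filtering == APDF and src in m.peers:
                return m.internal
        return None

def unsolicited_result(filtering):
    # Constructed addresses. The inside host talks to one server; then a packet
    # from an endpoint it never contacted targets the public 3-tuple.
    nat = ToyNat("203.0.113.7", filtering)
    ext = nat.outbound("udp", ("10.0.0.5", 5000), ("198.51.100.9", 3478))
    return nat.inbound("udp", ("192.0.2.200", 12345), ext)
```

Under the endpoint-independent filter the unsolicited packet reaches the inside host; under either dependent filter it is dropped, while the contacted server's replies still pass.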