Hacker News
DHCP Games with Smart Router Devices (anvilsecure.com)
42 points by zdw on Sept 8, 2021 | 6 comments


Website has some funky scrolling on an iPad. There’s some kind of scrolljacking happening. -1 on usability.


Have they removed it? It seems to scroll as expected on Firefox mobile for Android, so maybe it's a platform-specific hack?


What legitimate purpose is there for the browser to even support this?


Yet another example of how NAT only provides obscurity, not actual security.


You can minimize attack surface, but it's silly to depend on NAT for security in any way, especially since so many devices can act like black boxes with arbitrarily insecure connections to who knows where. You can't trust that subnet alone validates a device - "but it's in the dmz!"

You have to design security around never (when possible) giving a host an opportunity to screw things up. Assume every host will be hostile at some point in its lifetime - zero trust or bust.


I'm not sure these attacks have anything to do with NAT - all of the stuff under "DHCP methods to control routes" sounds like it would work just the same if the router was handing out public IPs to the internal network. Or even if the internal network is statically-assigned for that matter. The only requirement seems to be a DHCP client on the WAN interface that's overly permissive in what it accepts.



