1. Finding NATs: A Technique for Counting NATted Hosts
   Steven M. Bellovin, AT&T Labs Research, Florham Park, NJ 07932
   smb@research.att.com, http://www.research.att.com/~smb, 973-360-8656
   November 15, 2002

2. Why is this Interesting?
   - Because of the shortage of IPv4 addresses, many people use Network Address Translators (NATs).
   - Internet censuses can't easily count NATted hosts.
   - How many machines are out there?

3. Basic Technique
   - Observation: the IPid is usually implemented as a counter.
   - By detecting approximate sequences of IPid, we can detect distinct hosts.
   - Packets with the same IP address but belonging to different IPid sequences come from different hosts.

4. Methodology
   - To permit proper control analysis, used "synthetic NAT".
   - Used packet header traces from AT&T Florham Park lab. (To preserve privacy, destination addresses and port numbers were omitted.)
   - Packets from each /28 were treated as having the same source address.
   - After the analysis run, comparison was made to the real data.

5. Sequence Identification Rules
   - Drop IPid of 0; try IPid normal and byte-swapped.
   - Packets must be "close enough" together in time.
   - Bias towards exact IPid matches.
   - IPid values must be "close enough".
   - After collection, "close-enough" adjacent sequences are coalesced.
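Slides 3 to 5 state the grouping rules in words only. The Python program below is an added example written for this page, not Bellovin's program: it applies those rules to a constructed packet-header trace, dropping IPid 0, trying each IPid as-is and byte-swapped, requiring packets to be close in time and in IPid space, preferring the exact un-swapped continuation, coalescing close-enough sequences afterwards, and treating every /28 as one "synthetic NAT" address as slide 4 does. The threshold values (MAX_TIME_GAP, MAX_ID_GAP, COALESCE_GAP, SWAP_PENALTY), the function names and the packet data are assumptions made for the example; the talk does not give its own thresholds.

```python
import ipaddress
from dataclasses import dataclass

MAX_TIME_GAP = 60.0    # seconds between packets of one sequence (assumed value)
MAX_ID_GAP = 200       # max forward IPid distance inside one sequence (assumed)
COALESCE_GAP = 512     # max IPid gap between sequences merged afterwards (assumed)
SWAP_PENALTY = 128     # added to a byte-swapped match: bias towards exact matches

def byteswap16(v):
    """IPid as it appears when a host writes its counter in the other byte order."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)

def id_distance(prev, cur):
    """Forward distance from prev to cur on the 16-bit counter circle (wraps)."""
    return (cur - prev) & 0xFFFF

@dataclass
class Sequence:                 # one inferred host: a run of IPid counter values
    first_raw: int
    last_raw: int
    first_time: float
    last_time: float
    swapped: bool = None        # byte order unknown until a second packet matches
    count: int = 1

    def counter(self, raw):     # wire IPid -> this sequence's counter domain
        return byteswap16(raw) if self.swapped else raw

    def match(self, t, raw):
        """(score, swapped) for appending raw at time t, or None if the time or
        IPid closeness rule fails; lower score is better."""
        if t - self.last_time > MAX_TIME_GAP:
            return None
        best = None
        for swapped in ([self.swapped] if self.swapped is not None else [False, True]):
            prev = byteswap16(self.last_raw) if swapped else self.last_raw
            d = id_distance(prev, byteswap16(raw) if swapped else raw)
            if d > MAX_ID_GAP:
                continue
            score = d + (SWAP_PENALTY if swapped else 0)   # exact continuation wins
            if best is None or score < best[0]:
                best = (score, swapped)
        return best

def coalesce(seqs):
    """Merge a later sequence into an earlier one whose counter it continues within
    COALESCE_GAP: that host was merely quiet for longer than MAX_TIME_GAP."""
    seqs = sorted(seqs, key=lambda s: s.first_time)
    alive = list(seqs)
    for a in seqs:
        for b in seqs:
            if a is b or a not in alive or b not in alive or b.first_time < a.last_time:
                continue
            if None not in (a.swapped, b.swapped) and a.swapped != b.swapped:
                continue
            if id_distance(a.counter(a.last_raw), b.counter(b.first_raw)) <= COALESCE_GAP:
                a.last_raw, a.last_time, a.count = b.last_raw, b.last_time, a.count + b.count
                a.swapped = b.swapped if a.swapped is None else a.swapped
                alive.remove(b)
    return alive

def assign_sequences(packets, merge=True):
    """packets: (time, ipid) pairs from ONE source address, in time order.
    Returns one Sequence per inferred host behind that address."""
    seqs = []
    for t, ipid in packets:
        if ipid == 0:
            continue                                   # rule: drop IPid 0
        best = None
        for seq in seqs:
            m = seq.match(t, ipid)
            if m is not None and (best is None or m[0] < best[0][0]):
                best = (m, seq)
        if best is None:
            seqs.append(Sequence(ipid, ipid, t, t))   # no fit: a new host
        else:
            (_, swapped), seq = best
            seq.swapped, seq.last_raw, seq.last_time, seq.count = swapped, ipid, t, seq.count + 1
    return coalesce(seqs) if merge else seqs

def count_hosts(trace):
    """trace: (time, src_ip, ipid) triples. Synthetic NAT: each /28 is one address."""
    by_prefix = {}
    for t, src, ipid in sorted(trace):
        net = str(ipaddress.ip_network(f"{src}/28", strict=False))
        by_prefix.setdefault(net, []).append((t, ipid))
    return {net: len(assign_sequences(pkts)) for net, pkts in by_prefix.items()}

def constructed_trace():
    """Constructed header trace: three hosts in 10.0.0.16/28 plus one elsewhere."""
    pkts = []
    for i in range(20):                                # host A, then a 260 s pause
        pkts.append((2.0 * i, "10.0.0.17", 1000 + i))
    for i in range(10):                                # A resumes; its counter moved on
        pkts.append((300.0 + 2.0 * i, "10.0.0.17", 1100 + i))
    for i in range(15):                                # host B
        pkts.append((1.0 + 3.0 * i, "10.0.0.18", 30000 + i))
    for i in range(15):                                # host C: byte-swapped counter
        pkts.append((0.5 + 3.0 * i, "10.0.0.20", byteswap16(5000 + i)))
    pkts += [(5.0, "10.0.0.19", 0), (7.0, "10.0.0.19", 0)]   # IPid 0, dropped
    for i in range(5):                                 # a lone host in another /28
        pkts.append((4.0 * i, "10.0.1.33", 777 + i))
    return sorted(pkts)
```

Calling count_hosts(constructed_trace()) yields 3 hosts for 10.0.0.16/28 and 1 for 10.0.1.32/28. Without the coalescing step the first prefix would count 4, because host A's 260-second silence exceeds MAX_TIME_GAP and starts a second sequence that only the IPid continuity rule joins back; host C is recognised only through the byte-swapped interpretation. The limitations of slide 8 apply unchanged: a host whose counter jumps further than COALESCE_GAP (for example through traffic the trace did not see) still looks like two hosts, and two hosts whose counters happen to be near each other can be merged into one.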

6. Analytic Graph
   [Plot: trace fp-td-0a0, 5 hosts found. IP id value (0 to 60000) against Packet Arrival Time (seconds, 0 to 4500).]

7. Control Graph
   [Plot: control data, 6 hosts. IP id value (0 to 60000) against Packet Arrival Time (seconds, 0 to 4500).]

8. Limitations
   - Collisions can cause miscounts.
   - Large gaps in IPid space, caused by intranet traffic, confuse the program.
   - Much more suited for counting SOHO hosts than corporate NATs. (Better algorithms may change this.)
   - Some operating systems (Linux, OpenBSD, FreeBSD, Solaris) sometimes use different algorithms for IPid assignment.
   - With Path MTU enabled, IPid doesn't matter, and may be constant.

9. Privacy Issues
   - Properly-designed NATs can rewrite the IPid field.
   - In fact, they must, to avoid fragment collisions.
   - Scheme related to passive OS fingerprinting.

10. Future Directions
   - Obvious: use technique on real trace data.
   - Use other header data (TCP/UDP connection 4-tuple, TCP timestamp option) to improve packet grouping.
   - Use signal processing algorithms to pick out lines.

11. Related Work
   - Armitage counted non-default port numbers from Quake III clients.*
   - Wendland uses IPids to identify the identical host for Netcraft's Web server surveys. (Similar technique used by Burch and Cheswick; Mahajan et al.; probably others.)

   * http://www.caia.swin.edu.au/reports/020712A/CAIA-TR-020712A.pdf
