A Technique for Counting NATted Hosts smb@research.att.com - - PowerPoint PPT Presentation



SLIDE 1

Finding NATs

A Technique for Counting NATted Hosts

smb@research.att.com http://www.research.att.com/~smb 973-360-8656 AT&T Labs Research Florham Park, NJ 07932


Steven M. Bellovin — November 15, 2002


SLIDE 2

Why is this Interesting?

Because of the shortage of IPv4 addresses, many people use Network Address Translators (NATs).

Internet censuses can’t easily count NATted hosts.

How many machines are out there?


SLIDE 3

Basic Technique

Observation: the IPid is usually implemented as a counter.

By detecting approximate sequences of IPid, we can detect distinct hosts.

Packets with the same IP address but belonging to different IPid sequences come from different hosts.


SLIDE 4

Methodology

To permit a proper control analysis, a “synthetic NAT” was used.

Used packet header traces from AT&T Florham Park lab. (To preserve privacy, destination addresses and port numbers were omitted.)

Packets from each /28 were treated as having the same source address.

After the analysis run, comparison was made to the real data.


SLIDE 5

Sequence Identification Rules

Drop IPid of 0; try IPid normal and byte-swapped.

Packets must be “close enough” together in time.

Bias towards exact IPid matches.

IPid values must be “close enough”.

After collection, “close-enough” adjacent sequences are coalesced.
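As an added example (not code from the talk), a minimal Python grouper that applies these rules to a constructed packet trace whose packets are all treated as one source address, the way the synthetic NAT does. The thresholds (max_dt, max_did, max_gap), the sequence bookkeeping and the sample trace are assumptions, not values from the slides.

```python
from dataclasses import dataclass
def swap16(v):
    """Byte-swap a 16-bit IPid (some stacks count in host byte order)."""
    return ((v & 0xFF) << 8) | (v >> 8)
def _dist(prev, cur, swapped):
    """Forward distance from prev to cur modulo 2^16, in the chosen byte order."""
    a, b = (swap16(prev), swap16(cur)) if swapped else (prev, cur)
    return (b - a) & 0xFFFF
@dataclass
class Seq:
    first_t: float; last_t: float; first_id: int; last_id: int
    swapped: "bool | None" = None   # byte order, fixed once a second packet matches
    count: int = 1

def group_packets(packets, max_dt=60.0, max_did=64, max_gap=512):  # assumed thresholds
    """(arrival_time, wire_ipid) pairs, all one source address (synthetic NAT)."""
    seqs = []
    for t, ipid in packets:
        if ipid == 0: continue                   # rule: drop IPid of 0
        best = None                              # (sequence, distance, byte order)
        for s in seqs:
            if t - s.last_t > max_dt: continue   # rule: close enough in time
            for sw in ([s.swapped] if s.swapped is not None else [False, True]):
                d = _dist(s.last_id, ipid, sw)   # rule: try normal and byte-swapped
                if d <= max_did and (best is None or d < best[1]):  # exact (d == 0) wins
                    best = (s, d, sw)
        if best is None:
            seqs.append(Seq(t, t, ipid, ipid))
        else:
            s, _, sw = best
            s.last_t, s.last_id, s.count, s.swapped = t, ipid, s.count + 1, sw
    return coalesce(seqs, max_gap)               # rule: coalesce close-enough sequences

def coalesce(seqs, max_gap):
    """Merge a sequence into an earlier one it closely continues in time and IPid."""
    out = []
    for s in sorted(seqs, key=lambda q: q.first_t):
        for p in out:
            sw = p.swapped if p.swapped is not None else bool(s.swapped)
            if s.first_t >= p.last_t and _dist(p.last_id, s.first_id, sw) <= max_gap:
                p.last_t, p.last_id, p.count = s.last_t, s.last_id, p.count + s.count
                break
        else:
            out.append(s)
    return out

# Constructed trace: A counts in network order, B in host order (byte-swapped on the wire),
# C pauses ~250 s mid-run (split, then coalesced); the single IPid-0 packet is dropped.
TRACE = sorted([(5.0 * i, 1000 + i) for i in range(10)]
             + [(5.0 * i + 1, swap16(300 + i)) for i in range(10)]
             + [(5.0 * i + 2, 40000 + i) for i in range(5)]
             + [(300.0 + 5.0 * i, 40010 + i) for i in range(5)] + [(7.5, 0)])
```

On TRACE the grouper reports three hosts, ten packets each; with max_gap=0 the paused host C is counted twice, which is the miscount the coalescing step exists to remove.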


SLIDE 6

Analytic Graph

[Graph omitted: IP id value (0 to 60000) against packet arrival time (0 to 4500 seconds); fp-td-0a0: 5 hosts found]


SLIDE 7

Control Graph

[Graph omitted: IP id value (0 to 60000) against packet arrival time (0 to 4500 seconds); control data: 6 hosts]


SLIDE 8

Limitations

Collisions can cause miscounts.

Large gaps in IPid space, caused by intranet traffic, confuse the program.

Much more suited for counting SOHO hosts than corporate NATs. (Better algorithms may change this.)

Some operating systems (Linux, OpenBSD, FreeBSD, Solaris) sometimes use different algorithms for IPid assignment.

With Path MTU discovery enabled, packets are never fragmented, so the IPid doesn’t matter and may be constant.


SLIDE 9

Privacy Issues

Properly designed NATs can rewrite the IPid field.

In fact, they must, to avoid fragment collisions.

Scheme related to passive OS fingerprinting.


SLIDE 10

Future Directions

Obvious: use technique on real trace data.

Use other header data (TCP/UDP connection 4-tuple, TCP timestamp option) to improve packet grouping.

Use signal processing algorithms to pick out lines.


SLIDE 11

Related Work

Armitage counted non-default port numbers from Quake III clients.*

Wendland uses IPids to identify the same host in Netcraft’s Web server surveys. (A similar technique is used by Burch and Cheswick; Mahajan et al.; probably others.)

*http://www.caia.swin.edu.au/reports/020712A/CAIA-TR-020712A.pdf
