Security Enhancement by Detecting Network Address Translation Based on Instant Messaging

Bi, Jun; Zhang, Miao; Zhao, Lei

doi:10.1007/11807964_97

Cited by 4 publications

(3 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Besides the above "low level" approaches, which only look at IP headers and TCP headers, there are also a few ideas which utilize deep packet inspection and thus operate on the application layer. For example, Zhao et al [15] and Bi et al [16] inspect the payload of packets which belong to connections of instant messaging clients. They argue that this is a suitable approach to host counting since most users run only one instance of an instant messaging client on each machine.…”

Section: Related Workmentioning

confidence: 99%

IP agnostic real-time traffic filtering and host identification using TCP timestamps

Wicherski

Weingarten

Meyer

2013

38th Annual IEEE Conference on Local Computer Networks

View full text Add to dashboard Cite

In this work, we describe and evaluate the design and implementation of natfilterd, a flexible and lightweight extension of the Linux netfilter packet filter framework, which enables us to identify hosts completely independent of IP addresses by taking advantage of certain characteristics of TCP timestamps. As an immediate consequence, not only can we count hosts behind a NAT gateway but block TCP traffic from single hosts without blocking the gateway itself. Our work extends ideas from Bursztein, which we improve in terms of performance as well as matching quality and usability in practice. A theoretical runtime of O(log(n)) for matching packets against a database of n hosts is achieved. We empirically verify this result and conclude that our approach scales extremely well and is therefore suitable for at least medium-scale networks of a few thousand hosts.

show abstract

Section: Related Workmentioning

confidence: 99%

IP agnostic real-time traffic filtering and host identification using TCP timestamps

Wicherski

Weingarten

Meyer

2013

38th Annual IEEE Conference on Local Computer Networks

View full text Add to dashboard Cite

show abstract

“…For example, Bellovin [14] presents, a method relying on special packet header fields, like for example the IP ID or TCP window size. Moreover in [15] a method for detecting NAT based on instant messaging traffic of different active hosts is described. In addition, Kohno et al [16] present a method to detect NAT based on passively fingerprinting devices by detecting clock skews in physical devices.…”

Section: Related Workmentioning

confidence: 99%

Passive Remote Source NAT Detection Using Behavior Statistics Derived from NetFlow

Abt

Dietz

Baier

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Network Address Translation (NAT) is a technique commonly employed in today's computer networks. NAT allows multiple devices to hide behind a single IP address. From a network management and security point of view, NAT may not be desirable or permitted as it allows rogue and unattended network access. In order to detect rogue NAT devices, we propose a novel passive remote source NAT detection approach based on behavior statistics derived from NetFlow. Our approach utilizes 9 distinct features that can directly be derived from Net-Flow records. Furthermore, our approach does not require IP address information, but is capable of operating on anonymous identifiers. Hence, our approach is very privacy friendly. Our approach requires only a 120 seconds sample of NetFlow records to detect NAT traffic within the sample with a lower-bound accuracy of 89.35%. Furthermore, our approach is capable of operating in real-time.

show abstract

“…In [12] authors make use of IP-ID fields to detect subscribers using NAT devices in wireless networks. Another methodology is described in the following papers [17], [3], [5] and [4], in which authors utilized application layer information to discover NAT devices. They assume that instant messaging is one of the most popular softwares so they make use of instant messaging network packets to detect a NAT device.…”

Section: Related Workmentioning

confidence: 99%

Approximating the Number of Active Nodes Behind a NAT Device

Tekeoglu¹,

Altiparmak²,

Tosun³

2011

2011 Proceedings of 20th International Conference on Computer Communications and Networks (ICCCN)

View full text Add to dashboard Cite

Abstract-Network Address Translation (NAT) is used for various reasons on the Internet and hides the IP address and number of nodes behind the NAT device. Although many applications benefit from the knowledge of number of active nodes behind a NAT device, existing schemes are limited. In this paper, we use TCP timestamp option to count the number of active nodes. Timestamp option includes current timestamp of the machine in the TCP packet. We propose an efficient scheme that counts the number of machines using clustering of timestamps. We use least-squares line fit of timestamp values and convex hulls to efficiently maintain the crucial information about existing clusters. Proposed scheme is online and requires minimal resources. We have investigated various aspects of the scheme to improve its performance. Using a developed tool to send packets, we have observed that the proposed scheme approximates the number of machines that send more than threshold number of packets well. Real experiments validate the proposed scheme.

show abstract

Security Enhancement by Detecting Network Address Translation Based on Instant Messaging

Cited by 4 publications

References 11 publications

IP agnostic real-time traffic filtering and host identification using TCP timestamps

IP agnostic real-time traffic filtering and host identification using TCP timestamps

Passive Remote Source NAT Detection Using Behavior Statistics Derived from NetFlow

Approximating the Number of Active Nodes Behind a NAT Device

Contact Info

Product

Resources

About