
P22. Suppose you are interested in detecting the number of hosts behind a NAT.


Question

P22. Suppose you are interested in detecting the number of hosts behind a NAT. You observe that the IP layer stamps an identification number sequentially on each IP packet. The identification number of the first IP packet generated by a host is a random number, and the identification numbers of the subsequent IP packets are sequentially assigned. Assume all IP packets generated by hosts behind the NAT are sent to the outside world.

Based on this observation, and assuming you can sniff all packets sent by the NAT to the outside, can you outline a simple technique that detects the number of unique hosts behind a NAT? Justify your answer.

If the identification numbers are not sequentially assigned but randomly assigned, would your technique work? Justify your answer.

Explanation / Answer

Answer 1) Since all IP packets are sent outside, we can use a packet sniffer to record all IP packets generated by the hosts behind a NAT. As each host generates a sequence of IP packets with sequential numbers and a distinct (very likely, as they are randomly chosen from a large space) initial identification number (ID), we can group IP packets with consecutive IDs into a cluster. The number of clusters is the number of hosts behind the NAT.

For more practical algorithms, see the following paper: “A Technique for Counting NATted Hosts”, by Steven M. Bellovin, appeared in IMW’02, Nov. 6-8, 2002, Marseille, France.

Answer 2) However, if those identification numbers are not sequentially assigned but randomly assigned, the technique suggested in part (1) won’t work, as there won’t be clusters in sniffed data.
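The clustering from part (1) and its failure in part (2), as an added example that is not part of the original answer or of Bellovin's paper. The function names, the `max_gap` parameter and both captures are constructed for illustration; the IDs are taken modulo 2^16 because the IPv4 Identification field is 16 bits wide.

```python
import random

ID_SPACE = 1 << 16  # the IPv4 Identification field is 16 bits wide


def count_hosts(ip_ids, max_gap=1):
    """Group observed IP IDs (in capture order) into per-host chains.

    An ID joins a chain when it lies 1..max_gap ahead of that chain's
    latest ID, modulo 2**16; otherwise it starts a new chain.
    max_gap=1 matches the problem's assumption that every packet is seen.
    """
    chain_heads = []  # latest ID seen in each chain
    for ip_id in ip_ids:
        for i, head in enumerate(chain_heads):
            if 1 <= (ip_id - head) % ID_SPACE <= max_gap:
                chain_heads[i] = ip_id
                break
        else:
            chain_heads.append(ip_id)
    return len(chain_heads)


def interleave(streams):
    """Round-robin merge, as the NAT would emit packets from several hosts."""
    merged = []
    longest = max(len(s) for s in streams)
    for k in range(longest):
        merged.extend(s[k] for s in streams if k < len(s))
    return merged


def sequential_host(start, n):
    """n consecutive IDs from a (constructed) random-looking start value."""
    return [(start + k) % ID_SPACE for k in range(n)]


# Constructed capture: three hosts, one of which wraps past 65535.
SEQUENTIAL_CAPTURE = interleave([
    sequential_host(1000, 12),
    sequential_host(40000, 8),
    sequential_host(65530, 10),
])

# Constructed capture for part 2: same packet count, IDs drawn at random.
_rng = random.Random(22)
RANDOM_CAPTURE = [_rng.randrange(ID_SPACE) for _ in SEQUENTIAL_CAPTURE]

if __name__ == "__main__":
    print("sequential IDs ->", count_hosts(SEQUENTIAL_CAPTURE), "hosts")
    print("random IDs     ->", count_hosts(RANDOM_CAPTURE), "chains")
```

With random IDs almost every packet starts its own chain, so the chain count tracks the number of packets rather than the number of hosts.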