Detecting NAT Routers

meilinxiaoxue

                zz from : http://antionline.com/archive/index.php/t-241802.html   
        Thursday, April 24 2003 @ 08:35 AM EDT
        Contributed by:
William Reyor
        Views: 2,157
   
   
        

A
great paper written by Peter Phaal
explains the simple method used in his companies product, Sflow, to
detect multiple host behind a NAT firewall. The secret, it would seem
is simply monitoring of the TTL of out going packets and comparing them
to a host know not to be using a NAT firewall.
Another method
only touched upon by Phaal is passive OS finger printing, although this
method is less reliable, an statistical analasys could determine if
multiple operating systems were using the same network network device.
If this were the case it would be reasonable to assume that that host
was in fact a NAT device.
AT&T Labs
has published a paper explaining how to count the number of devices
behind a NAT device. The method AT&T uses, relies on the fact that
most operating systems (excluding Linux and Free BSD) use IP header
ID's as simple counters. By observing out of sequence header ID's, an
analasys can calculate how many actual hosts are behind a NAT device.
Each of these methods can be easily defeated through better
sterilization by the router itself. In the first example, if the TTL
for each TCP packet was re-written by the router for each packet to the
value of 128, the first method would no longer function. For the second
method, sterilizing IP header information and stripping unneeded TCP
flags would successfully undermine this scheme. For the last Method,
counting hosts behind a router. Striping the fragmentation flag for syn
packets, and setting the IP ID to '0', (like Linux and Free BSD both
do) would make it impossible to count hosts behind a NAT router.
               
               
               
               
               

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/6702/showart_463731.html