| |
A Technique for Counting NATted Hosts [PDF]
by Jeremy at 12:32 pm EST, Feb 8, 2003 |
Decius wrote: "Steven Bellovin is at it again." Abstract: There have been many attempts to measure how many hosts are on the Internet. Many of those endpoints, however, are NAT boxes (Network Address Translators), and actually represent several different computers. We describe a technique for detecting NATs and counting the number of active hosts behind them. The technique is based on the observation that on many operating systems, the IP headers ID field is a simple counter. By suitable processing of trace data, packets emanating from individual machines can be isolated, and the number of machines determined. Our implementation, tested on aggregated local trace data, demonstrates the feasibility (and limitations) of the scheme. |
| |
RE: A Technique for Counting NATted Hosts [PDF]
by leed25d at 11:56 am EST, Feb 9, 2003 |
From the 'Counting' paper: ] A keyed generator, as is used in OpenBSD and FreeBSD,
] provides some protection, but one needs to be careful
] to avoid duplication if the generator is rekeyed
] periodically. This feature can be enabled in FreeBSD with a kernel compile option.
From the /usr/src/sys/i386/conf/LINT file: ]] # RANDOM_IP_ID causes the ID field in IP packets to be randomized
]] # instead of incremented by 1 with each packet generated. This
]] # option closes a minor information leak which allows remote
]] # observers to determine the rate of packet generation on the
]] # machine by watching the counter.
]] options RANDOM_IP_ID |
|
Remotely Counting Machines behind a NAT box (PDF)
by Decius at 7:04 pm EST, Feb 5, 2003 |
Steven Bellovin is at it again. This time he is paying his keep at Lucent, and the implication are rather disturbing all around. |
|
|
