[REVS] A Technique for Counting NATed Hosts

From: SecuriTeam (support_at_securiteam.com)
Date: 04/30/03


To: list@securiteam.com
Date: 30 Apr 2003 19:55:21 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  A Technique for Counting NATed Hosts
------------------------------------------------------------------------

SUMMARY

This article proposes a method by which an attacker outside the network
can, by monitoring the IP header's ID field, track the number of live
hosts residing behind a NATed network.

DETAILS

Abstract:
There have been many attempts to measure how many hosts are on the
Internet. Many of those endpoints, however, are NAT boxes (Network Address
Translators), and actually represent several different computers. We
describe a technique for detecting NATs and counting the number of active
hosts behind them. The technique is based on the observation that on many
operating systems, the IP header's ID field is a simple counter. By
suitable processing of trace data, packets emanating from individual
machines can be isolated, and the number of machines determined. Our
implementation, tested on aggregated local trace data, demonstrates the
feasibility (and limitations) of the scheme.
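
The counting idea in the abstract, as an added example (not code from the paper or from SecuriTeam): a simplified greedy pass that splits the IP ID values seen from one address into separate counters, handling 16-bit wraparound. The function names, max_gap, min_len and the trace values are assumptions constructed here.

```python
"""Count interleaved IP ID counters seen from one source address."""

MOD = 1 << 16  # the IPv4 ID field is 16 bits wide, so counters wrap at 65536


def split_sequences(ip_ids, max_gap=64):
    """Greedily assign each observed ID to the counter it most plausibly continues.

    max_gap (assumed tuning value): largest forward step still treated as the
    same host, allowing for packets the observer did not see.
    """
    sequences = []  # each entry is the list of IDs attributed to one counter
    for ip_id in ip_ids:
        best, best_gap = None, max_gap + 1
        for seq in sequences:
            gap = (ip_id - seq[-1]) % MOD  # forward distance, wrap-aware
            if 0 < gap < best_gap:
                best, best_gap = seq, gap
        if best is None:
            sequences.append([ip_id])  # nothing fits: start a new counter
        else:
            best.append(ip_id)
    return sequences


def count_hosts(ip_ids, max_gap=64, min_len=3):
    """Estimate hosts as the number of sequences with at least min_len packets.

    Short sequences are dropped: a sender that does not use a simple counter
    produces isolated IDs rather than a run.
    """
    return sum(1 for s in split_sequences(ip_ids, max_gap) if len(s) >= min_len)


# Constructed trace: IDs in arrival order from one public (NAT) address.
# Host A counts from 100, host B wraps past 65535, and 30000 is a stray ID.
TRACE = [100, 65533, 101, 65534, 103, 30000, 65535, 104, 0, 2, 106]

if __name__ == "__main__":
    for seq in split_sequences(TRACE):
        print(seq)
    print("estimated hosts:", count_hosts(TRACE))
```

Run over a capture taken just outside your own NAT gateway, the same pass shows how much host-count information the gateway leaks through unmodified ID fields.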

ADDITIONAL INFORMATION

The complete article is available from:
http://www.research.att.com/~smb/papers/fnat.pdf

The information has been provided by Steven M. Bellovin
<smb@research.att.com>.



