[REVS] A Technique for Counting NATed Hosts
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com
Date: 30 Apr 2003 19:55:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or firstname.lastname@example.org
- - - - - - - - -
A Technique for Counting NATed Hosts
This article proposes a method by which an attacker external to the network,
by monitoring the IP header's Identification (ID) field, can estimate the
number of live hosts residing behind a NATed network.
There have been many attempts to measure how many hosts are on the
Internet. Many of those endpoints, however, are NAT boxes (Network Address
Translators), and actually represent several different computers. We
describe a technique for detecting NATs and counting the number of active
hosts behind them. The technique is based on the observation that on many
operating systems, the IP header's ID field is a simple counter. By
suitable processing of trace data, packets emanating from individual
machines can be isolated, and the number of machines determined. Our
implementation, tested on aggregated local trace data, demonstrates the
feasibility (and limitations) of the scheme.
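As an added example (it is not part of this advisory, nor code from the paper it summarizes), the Python sketch below reconstructs the core idea of the abstract: packets seen from a single external address are grouped into sequences of slowly increasing IP ID values, and each sequence is taken to be one host's counter. The packet traces, the gap threshold `MAX_ID_GAP` and the idle timeout `MAX_IDLE_SECONDS` are constructed assumptions, not values from the paper. The example also goes one step beyond the abstract: it runs the same grouping over a trace whose IDs are not sequential, which is what a stack that randomizes the ID field produces. There every packet ends up in its own group, so the "host count" collapses to the packet count and carries no information.

```python
"""
Added example, not from the advisory or the paper it summarizes.
Clusters packets from one external (NAT) address into per-host IP ID
counter sequences. All packet data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

ID_SPACE = 1 << 16        # the IP Identification field is 16 bits wide
MAX_ID_GAP = 32           # assumption: a host may send up to 31 packets elsewhere between ones we see
MAX_IDLE_SECONDS = 60.0   # assumption: a counter silent this long is treated as a new host


@dataclass
class Packet:
    ts: float   # capture time in seconds
    ip_id: int  # value of the IP header Identification field


@dataclass
class Stream:
    last_ts: float
    last_id: int
    count: int = 1


def id_delta(prev: int, cur: int) -> int:
    """Forward distance from prev to cur in the 16-bit ID space (wrap-safe)."""
    return (cur - prev) % ID_SPACE


def cluster_by_ip_id(packets: List[Packet]) -> List[Stream]:
    """Group packets into counter sequences; each stream is one presumed host.

    A packet joins the live stream whose last ID it follows most closely
    (0 < delta <= MAX_ID_GAP and not idle longer than MAX_IDLE_SECONDS);
    if no stream qualifies it starts a new one.
    """
    streams: List[Stream] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        best: Optional[Stream] = None
        best_delta = MAX_ID_GAP + 1
        for s in streams:
            if pkt.ts - s.last_ts > MAX_IDLE_SECONDS:
                continue
            d = id_delta(s.last_id, pkt.ip_id)
            if 0 < d <= MAX_ID_GAP and d < best_delta:
                best, best_delta = s, d
        if best is None:
            streams.append(Stream(pkt.ts, pkt.ip_id))
        else:
            best.last_ts, best.last_id, best.count = pkt.ts, pkt.ip_id, best.count + 1
    return streams


def count_hosts(packets: List[Packet]) -> int:
    """Estimated number of hosts = number of distinct counter sequences found."""
    return len(cluster_by_ip_id(packets))


def constructed_sequential_trace(start_ids, rounds=8, steps=(1, 3, 2, 5)) -> List[Packet]:
    """Constructed trace: several hosts with sequential ID counters, interleaved.

    The small, varying step sizes stand in for packets sent to other
    destinations that our vantage point never sees. One counter starts near
    65535 so the 16-bit wrap-around is exercised.
    """
    pkts, t, counters = [], 0.0, list(start_ids)
    for i in range(rounds):
        for h in range(len(counters)):
            counters[h] = (counters[h] + steps[(i + h) % len(steps)]) % ID_SPACE
            t += 0.25
            pkts.append(Packet(t, counters[h]))
    return pkts


# Three hosts behind one NAT; the third counter wraps from 65530 past 65535.
SEQUENTIAL_TRACE = constructed_sequential_trace((1000, 20000, 65530))

# Constructed IDs with no sequential relationship, as a randomizing stack would emit.
RANDOMIZED_IDS = [51234, 3, 40000, 20000, 60001, 27000, 9000, 33333, 100, 65500, 2000, 48000]
RANDOMIZED_TRACE = [Packet(0.5 * i, v) for i, v in enumerate(RANDOMIZED_IDS)]

if __name__ == "__main__":
    for name, trace in (("sequential IDs", SEQUENTIAL_TRACE), ("randomized IDs", RANDOMIZED_TRACE)):
        streams = cluster_by_ip_id(trace)
        print(f"{name}: {len(trace)} packets -> {len(streams)} presumed hosts "
              f"(packets per stream: {[s.count for s in streams]})")
```

Run as a script, the sequential trace yields three streams of eight packets each, while the constructed non-sequential trace yields twelve single-packet "hosts" for twelve packets, i.e. no usable count. That contrast is the practical takeaway for a network operator: a stack that does not use a plain incrementing ID counter gives this kind of observer nothing to cluster. A real implementation would also have to cope with stacks whose counters do not advance by one and with hosts that go quiet longer than the idle window, which this sketch deliberately leaves out.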
The information has been provided by <mailto:email@example.com> Steven
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.