Detecting NAT Routers
Thursday, April 24 2003 @ 08:35 AM CDT
Contributed by: opticfiber
A great paper written by Peter Phaal explains the simple method used in his company's product, sFlow, to detect multiple hosts behind a NAT firewall. The secret, it would seem, is simply monitoring the TTL of outgoing packets and comparing it to that of a host known not to be using a NAT firewall.
Another method only touched upon by Phaal is passive OS fingerprinting. Although this method is less reliable, a statistical analysis could determine whether multiple operating systems were using the same network device. If this were the case, it would be reasonable to assume that the host was in fact a NAT device.
AT&T Labs has published a paper explaining how to count the number of devices behind a NAT device. The method AT&T uses relies on the fact that most operating systems (excluding Linux and FreeBSD) use IP header IDs as simple counters. By observing out-of-sequence header IDs, an analysis can calculate how many actual hosts are behind a NAT device.
Each of these methods can be easily defeated through better sterilization by the router itself. In the first example, if the TTL of every TCP packet were rewritten by the router to the value 128, the first method would no longer function. For the second method, sterilizing IP header information and stripping unneeded TCP flags would successfully undermine the scheme. For the last method, counting hosts behind a router, stripping the fragmentation flag from SYN packets and setting the IP ID to '0' (as Linux and FreeBSD both do) would make it impossible to count hosts behind a NAT router.
网络尖兵 also uses techniques from abroad.
Have a look here:
[URL=http://www.sflow.org/detectNAT/]http://www.sflow.org/detectNAT/[/URL]
[IMG]http://www.sflow.org/detectNAT/p_w_picpaths/network.jpg[/IMG]
 
[b][color=#ff0000]The detection techniques 网络尖兵 originally used were mainly:[/color][/b]
1. Check whether the IP-IDs of IP packets coming from the downstream IP are consecutive; if they are not, the downstream side is judged to be using NAT.
2. Check whether the TTL of IP packets coming from the downstream IP is one of the values 32, 64 or 128; if it is not, the downstream side is judged to be using NAT.
3. Check whether HTTP request packets coming from the downstream IP contain proxy-related header fields; if they do, the downstream side is using an HTTP proxy.
[color=#ff0000]As detection and anti-detection techniques have escalated against each other, the following checks may now have been added:[/color]
[b]I. Behavioural statistics:[/b]
1. If the same IP makes requests to two or more websites within three seconds, that IP is regarded as transmitting through NAT.
2. If the same IP makes two or more requests to the same website within two seconds, that IP is regarded as transmitting through NAT.
[b]II. Deep inspection of packet contents:[/b]
1. Count the number of concurrent connections.
2. Count the number of QQ accounts coming from the downstream IP; if five QQ accounts are online at the same time, the line is judged to be shared.
3. Further detection methods.
[b]III. Detection techniques offered by 城市热点:[/b]
[b]Solution based on an application-monitoring system:[/b]
Some companies use the techniques of trace detection, clock-skew detection and application-signature detection. These techniques are described in detail below.
Method 1: ID (identification) trace detection:
For TCP connections from a given source IP address, look at the 16-bit identification field in the IP header. For a Windows user, the identification value increases step by step as the number of IP packets the user sends grows. If, after a period of time, a given source IP address is found to have three separate identification sequences changing continuously, as shown in the figure, then that unauthorised subscriber has at least three users on the broadband line at the same time.
Method 2: clock-skew detection:
Different hosts have different physical clock skews, and the network protocol stack's clock has a fixed relationship to the physical clock; the rate at which different hosts send packets therefore has a statistical relationship to their clocks. A dedicated spectral-analysis algorithm can pick out the different network clock skews and so tell the different hosts apart.
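As an added illustration, not code from the original post or from any vendor named in it: the clock-skew idea above, implemented along the lines of the TCP-timestamp technique of Kohno, Broido and Claffy (2005), with a plain least-squares fit standing in for the spectral analysis the text mentions. The 1000 Hz timestamp tick rate, the skew values, the 10 ppm grouping tolerance and the capture data are all constructed assumptions.

```python
"""Added example, not from the original post or any vendor: clock-skew host
counting in the style of Kohno, Broido and Claffy's TCP-timestamp technique,
using a plain least-squares fit instead of spectral analysis.  The tick rate,
skew values, tolerance and capture data below are constructed assumptions."""
import random

TICK_HZ = 1000  # assumed TCP timestamp clock rate (Linux default; others use 100 or 250)


def make_flow(skew_ppm, base_ticks, n=600, interval=1.0, jitter=0.002, seed=1):
    """Constructed capture of one TCP flow: (monitor_time, tcp_timestamp) pairs.
    The sender's clock runs (1 + skew_ppm/1e6) times faster than the monitor's,
    and each packet suffers a one-sided network delay of up to `jitter` seconds."""
    rng = random.Random(seed)
    rate = 1.0 + skew_ppm / 1e6
    samples = []
    for i in range(n):
        t_host = i * interval                      # send time by the host's own clock
        t_monitor = t_host / rate + rng.uniform(0.0, jitter)
        tcp_ts = base_ticks + int(round(t_host * TICK_HZ))
        samples.append((t_monitor, tcp_ts))
    return samples


def estimate_skew_ppm(samples):
    """Slope of (tcp_timestamp/TICK_HZ - monitor_time) against monitor_time,
    i.e. how fast the sender's clock drifts relative to the monitor, in ppm."""
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(ts - ts0) / TICK_HZ - x for (_, ts), x in zip(samples, xs)]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def count_clocks(skews_ppm, tolerance_ppm=10.0):
    """Group skews that lie within `tolerance_ppm` of their sorted neighbour;
    each group is taken to be one physical clock, i.e. one host."""
    groups = []
    for s in sorted(skews_ppm):
        if groups and s - groups[-1][-1] <= tolerance_ppm:
            groups[-1].append(s)
        else:
            groups.append([s])
    return len(groups)


def count_hosts_by_skew(flows, tolerance_ppm=10.0):
    """Estimate one skew per flow, then count distinct clocks."""
    return count_clocks([estimate_skew_ppm(f) for f in flows], tolerance_ppm)


# Constructed traffic from one NAT'd IP: four flows, three distinct clocks.
FLOWS = [
    make_flow(+45.0, 123456, seed=1),   # host A, connection 1
    make_flow(+45.0, 987654, seed=2),   # host A, connection 2 (same clock, other ts base)
    make_flow(-130.0, 5000, seed=3),    # host B
    make_flow(+210.0, 77777, seed=4),   # host C
]

if __name__ == "__main__":
    for f in FLOWS:
        print("%+8.2f ppm" % estimate_skew_ppm(f))
    print("hosts:", count_hosts_by_skew(FLOWS))
```

Two caveats a practitioner would add: network delay is one-sided, so the original technique fits the lower envelope of the offsets with linear programming rather than ordinary least squares, and the fit needs minutes of samples per flow before two hosts a few tens of ppm apart separate cleanly; a host that does not send the TCP timestamp option at all contributes nothing to this count.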
Method 3: application-signature detection:
The User-Agent field in the HTTP header of data packets differs with operating-system version, IE version and installed patches, as shown in the figure. The number of hosts can therefore be determined by analysing the number of distinct HTTP headers.
In addition, a single host can only be logged in to one MSN account at a time, which can also be used to judge the number of hosts.
Windows Update packets also contain operating-system version information, which can likewise be used to count hosts.
With the above three methods the number of hosts behind an illegally connected broadband user can be determined very accurately. Whether they share a NAT, share a proxy, or share one account in shifts (covering both ADSL and LAN access), the illegal-access monitoring system obtains an accurate mapping between IP address and the number of users carried; with the help of RADIUS authentication packets this is then converted into a mapping between user account and number of users carried. Of course, because this scheme combines several indicators, it does not provide this mapping in real time; to filter out noise and improve accuracy it instead produces daily/weekly/monthly statistical reports, which are submitted to the relevant departments of the operator.
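Three of the heuristics described on this page (the TTL rule and the IP-ID rule from the original 网络尖兵 list, the AT&T IP-ID counting method, and the User-Agent count from method 3) run over a constructed packet trace, as an added example that is not code from the original post, from sFlow, AT&T or any vendor. The record layout, the sample values, the 200-ID track gap and the default-TTL table are assumptions chosen for illustration.

```python
"""Added example, not code from the original post, from sFlow, AT&T or
网络尖兵: three of the heuristics described above run over a constructed
packet trace from one customer IP.  Field layout, sample values and the
thresholds are assumptions chosen for illustration."""
from collections import namedtuple

# One sampled outbound packet as the ISP-side monitor sees it.
# user_agent is None for packets that are not HTTP requests.
Packet = namedtuple("Packet", "ts ttl ip_id user_agent")

# Default initial TTLs: 32 (old Windows), 64 (Linux/BSD), 128 (Windows), 255 (Solaris, routers).
INITIAL_TTLS = (32, 64, 128, 255)


def ttl_hops(ttl):
    """Distance from the nearest default initial TTL at or above `ttl`."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL above 255: %r" % ttl)


def ttl_says_nat(packets, expected_hops=0):
    """Rule 2 of the original list, generalised: a host attached directly to the
    monitored link arrives at exactly `expected_hops` from an initial TTL; a NAT
    box in between decrements the TTL one extra time."""
    return any(ttl_hops(p.ttl) > expected_hops for p in packets)


def count_ip_id_tracks(packets, max_gap=200):
    """Bellovin-style IP-ID counting: each host with a global per-packet counter
    leaves its own slowly increasing sequence of IDs.  Assign every packet to the
    track whose last ID is closest below it (mod 2^16); a packet that fits no
    track within `max_gap` opens a new one.  IP-ID 0 (Linux/FreeBSD on DF
    packets) carries no information and is skipped."""
    tracks = []  # last IP-ID seen on each track
    for p in sorted(packets, key=lambda p: p.ts):
        if p.ip_id == 0:
            continue
        best, best_gap = None, None
        for i, last in enumerate(tracks):
            gap = (p.ip_id - last) & 0xFFFF   # forward distance, wrapping at 65536
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            tracks.append(p.ip_id)
        else:
            tracks[best] = p.ip_id
    return len(tracks)


def count_user_agents(packets):
    """Application-signature method: number of distinct HTTP User-Agent strings."""
    return len({p.user_agent for p in packets if p.user_agent})


# Constructed trace: three hosts share one NAT.  A and B run Windows (initial
# TTL 128, global IP-ID counter); C runs Linux (initial TTL 64, IP-ID 0 on DF
# packets).  The NAT decrements TTL once, so the monitor sees 127 and 63.
UA_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_98 = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
UA_LINUX = "Mozilla/5.0 (X11; Linux i686; rv:1.7)"
PACKETS = [
    Packet(0.00, 127, 1000, UA_XP),
    Packet(0.05, 127, 5000, UA_98),
    Packet(0.10, 127, 1001, None),
    Packet(0.12, 63, 0, UA_LINUX),
    Packet(0.20, 127, 5001, None),
    Packet(0.25, 127, 1002, UA_XP),
    Packet(0.30, 63, 0, None),
    Packet(0.33, 127, 5002, UA_98),
    Packet(0.40, 127, 1003, None),
    Packet(0.45, 127, 5003, None),
]


def report(packets):
    """Combine the three signals for one customer IP."""
    return {
        "ttl_says_nat": ttl_says_nat(packets),
        "ip_id_tracks": count_ip_id_tracks(packets),
        "user_agents": count_user_agents(packets),
    }


if __name__ == "__main__":
    print(report(PACKETS))
```

On the constructed trace the three signals agree (TTL one hop short of an initial value, two IP-ID tracks, three User-Agents), but each has the blind spots the page itself points out: the IP-ID count sees nothing from hosts that send ID 0 or per-destination IDs, a sampled feed such as sFlow needs `max_gap` scaled up by the sampling rate, and a router that rewrites TTL and IP-ID removes the first two signals entirely, leaving only the application-layer counts.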
[color=#ff0000][b]For ways around the telecom operator's blocking, see:[/b][/color]
[URL=http://bbs.routerclub.com/thread-13504-1-2.html]http://bbs.routerclub.com/thread-13504-1-2.html[/URL]