Approximating the Number of Active Nodes Behind a NAT Device

Network Address Translation (NAT) is used for various reasons on the Internet, and it hides both the IP addresses and the number of nodes behind the NAT device. Although many applications benefit from knowing the number of active nodes behind a NAT device, existing schemes are limited. In this paper, we use the TCP timestamp option to count the number of active nodes. The timestamp option carries the sending machine's current timestamp in the TCP packet. We propose an efficient scheme that approximately counts the number of machines by clustering timestamps. We use a least-squares line fit of timestamp values and convex hulls to efficiently maintain the crucial information about existing clusters. The proposed scheme is online and requires minimal resources. We have investigated various aspects of the scheme to improve its performance. Using a tool developed to send packets, we have observed that the proposed scheme approximates well the number of machines that send more than a threshold number of packets. Real experiments validate the proposed scheme.
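The following sketch is an added illustration of the idea in the abstract, not code from the paper or its authors: packets seen from one public IP are assigned online to the cluster whose least-squares line (TSval against arrival time) predicts their timestamp, and only clusters with more than a threshold number of packets are counted. The names `Cluster`, `cluster_packets` and `count_hosts`, the tolerance, the plausible tick-rate range and the sample capture are assumptions made here; the convex-hull bookkeeping and TSval wraparound are left out.

```python
class Cluster:
    """Running least-squares sums for one suspected host, relative to its first packet."""
    def __init__(self, t0, v0):
        self.t0, self.v0, self.n = t0, v0, 1   # the first packet is the point (0, 0)
        self.st = self.sv = self.stt = self.stv = 0.0

    def fit(self):
        """Return (slope in ticks/s, intercept), or None with fewer than two distinct times."""
        den = self.n * self.stt - self.st ** 2
        if den <= 0:
            return None
        a = (self.n * self.stv - self.st * self.sv) / den
        return a, (self.sv - a * self.st) / self.n

    def error(self, t, v, hz_range):
        """Distance in ticks from this cluster's line; None if the packet cannot belong."""
        dt, dv = t - self.t0, v - self.v0
        line = self.fit()
        if line is None:   # one point so far: only check that the implied tick rate is plausible
            return 0.0 if dt > 0 and hz_range[0] <= dv / dt <= hz_range[1] else None
        return abs(dv - (line[0] * dt + line[1]))

    def add(self, t, v):
        dt, dv = t - self.t0, v - self.v0
        self.n += 1
        self.st, self.sv = self.st + dt, self.sv + dv
        self.stt, self.stv = self.stt + dt * dt, self.stv + dt * dv

def cluster_packets(samples, tol=20.0, hz_range=(1.0, 1200.0)):
    """Online pass over (arrival_time, TSval) pairs; tol and hz_range are assumed values."""
    clusters = []
    for t, v in samples:
        scored = [(e, i) for i, c in enumerate(clusters)
                  if (e := c.error(t, v, hz_range)) is not None and e <= tol]
        if scored:
            clusters[min(scored)[1]].add(t, v)   # closest existing line wins
        else:
            clusters.append(Cluster(t, v))       # no line explains it: new suspected host
    return clusters

def count_hosts(samples, threshold=5):
    return sum(1 for c in cluster_packets(samples) if c.n > threshold)  # threshold is assumed

def constructed_capture():
    """Constructed sample: (tick Hz, TSval offset, first send, interval, packets) per host."""
    hosts = [(1000, 5_000_000, 0.0, 0.3, 40), (100, 90_000, 0.1, 0.5, 25),
             (250, 123_456_789, 0.2, 0.7, 15), (100, 2_000_000_000, 1.0, 5.0, 2)]
    return sorted((s + i * d, off + int(hz * (s + i * d)))
                  for hz, off, s, d, k in hosts for i in range(k))
```

On the constructed capture, the fourth host sends only two packets, so it forms a cluster but falls below the threshold and is not counted.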
