Detecting subscribers using NAT devices in wireless data networks

A network address translation (NAT) device can aggregate/disaggregate traffic from/to multiple computers connected to the box appearing as one computer to the rest of the network. A wireless data service subscription may be shared by using a NAT device where multiple computers can then use the wireless service at the same time. This is transparent to the service provider since all traffic comes from and goes to the same address. However, it potentially can lead to lost revenue since the current prevalence of flat rate pricing schemes means that one paid subscription can be shared by many users. Therefore, it is important for service providers to be able to detect such subscribers and take proper action, e.g., put them on a different pricing scheme or add explicit terms to their contract to disallow this practice. In this paper, we propose a novel method to identify subscribers using NAT devices in real time. The key observation is that each device generates an independent number sequence (usually increasing) to fill the identification field of IP packet headers (IPID). Our basic technique involves detecting overlapping increasing IPID subsequences as an indication of multiple devices behind a single Internet Protocol (IP) address. Our complete solution takes into account various practical issues affecting the properties of IPID sequences.