[ale] Detecting number of hosts behind a NAT device

Doug McNash dmcnash at smyrnacable.net
Wed Apr 23 23:34:53 EDT 2003



According to the white paper they detect NATed hosts by 
examining the TTL (time to live) field in packets from 
your connection.  This field is decremented on every hop 
so if you use a Linux box the monitor on the ISP side will 
set a TTL of 
64->(NAT router)->63.  Your Windows box will have a 
default TTL of 128 (if I recall correctly) so it will see 
a TTL of 127.  Without the intervening NAT router it would 
expect 64 or 128 respectively.

An easy way to defeat this detection would be to change 
your default TTL on all your systems to one more than a 
commonly used value, say 65.  Then the monitor always sees 
64.

There are other characteristics of NATed traffic like 
large return port numbers and different sequence number 
series but that would take more compute resources to 
detect.
--
Doug McNash
dmcnash at smyrnacable.net
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
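
The TTL check described in the message above, sketched as an added example (not code from the post or from the white paper it cites). The default-TTL table, the through_router() model and the sample addresses are assumptions made for illustration; the example also goes slightly beyond the post by counting distinct TTL values per subscriber as a rough hint of how many differently configured hosts share the connection.

```python
from collections import defaultdict

# Assumption: common OS default TTLs; the post names 64 (Linux) and 128 (Windows).
COMMON_INITIAL_TTLS = (64, 128, 255)

def infer_initial_ttl(observed):
    """Smallest common default that is >= the observed TTL."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    return next(d for d in COMMON_INITIAL_TTLS if observed <= d)

def through_router(ttl, hops=1):
    """Model of the per-hop decrement a NAT router applies when forwarding."""
    return ttl - hops

def analyze(packets, expected_hops=0):
    """packets: iterable of (subscriber_ip, observed_ttl) seen at the monitor.
    expected_hops: routers between a directly attached host and the monitor."""
    seen = defaultdict(set)
    for ip, ttl in packets:
        seen[ip].add(ttl)
    report = {}
    for ip, ttls in seen.items():
        extra = {t: infer_initial_ttl(t) - t - expected_hops for t in ttls}
        report[ip] = {
            "nat_suspected": any(e > 0 for e in extra.values()),
            "extra_hops": extra,
            # Heuristic only: distinct TTLs hint at distinct hosts/OS defaults.
            "distinct_ttls": len(ttls),
        }
    return report

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    ("203.0.113.10", through_router(64)),   # Linux host behind NAT -> 63
    ("203.0.113.10", through_router(128)),  # Windows host behind NAT -> 127
    ("203.0.113.10", through_router(64)),
    ("203.0.113.20", 64),                   # Linux host attached directly
    ("203.0.113.30", through_router(65)),   # default TTL raised to 65 -> 64
]

if __name__ == "__main__":
    for ip, row in analyze(SAMPLE).items():
        print(ip, row)
```

The third subscriber is reported the same as the directly attached one, which is the blind spot the message points out: a TTL-only check needs a second signal, such as the port or sequence-number patterns mentioned at the end of the message.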




