[ale] Detecting number of hosts behind a NAT device

James P. Kinney III jkinney at localnetsolutions.com
Thu Apr 24 00:02:12 EDT 2003


Personally, I like the "pick a random number between 64 and 128" method
for each packet. That should scramble their statistics gathering about
as well as trading "Kroger plus" member cards messes with the market
droids.

On Wed, 2003-04-23 at 23:34, Doug McNash wrote:
> According to the white paper they detect NATed hosts by 
> examining the TTL (time to live) field in packets from 
> your connection.  This field is decremented on every hop 
> so if you use a Linux box the monitor on the ISP side will 
> set a TTL of 
> 64->(NAT router)->63.  Your Windows box will have a 
> default TTL of 128 (if I recall correctly) so it will see 
> a TTL of 127.  Without the intervening NAT router it would 
> expect 64 or 128 respectively.
> 
> An easy way to defeat this detection would be to change 
> your default TTL on all your systems to one more than a 
> commonly used value say 65.  Then the monitor always sees 
> 64.
> 
> There are other characteristics of NATed traffic like 
> large return port numbers and different sequence number 
> series but that would take more compute resources to 
> detect.
> --
> Doug McNash
> dmcnash at smyrnacable.net
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
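
The TTL check described in the quoted message, sketched from the monitoring side as an added example (not code from the white paper or from either poster). The function names, the extra 255 default and the sample addresses are assumptions, and the packet list is constructed.

```python
from collections import defaultdict

# Common initial TTLs. 64 and 128 are the two named in the thread;
# 255 is an added assumption for other devices.
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Return (assumed initial TTL, hops already travelled)."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL must be 0..255")


def classify_subscribers(packets, monitor_hops=0):
    """packets: iterable of (subscriber_ip, observed_ttl) seen at the monitor.

    monitor_hops is the number of routers a directly attached host's
    packets cross before reaching the monitor (0 = first hop).
    """
    seen = defaultdict(set)
    for ip, ttl in packets:
        seen[ip].add(infer_initial_ttl(ttl))

    report = {}
    for ip, pairs in seen.items():
        reasons = []
        # A packet that lost more TTL than the path explains crossed a router.
        if any(hops - monitor_hops > 0 for _, hops in pairs):
            reasons.append("ttl-decremented")
        # Two different defaults behind one address suggest two OS families.
        if len({initial for initial, _ in pairs}) > 1:
            reasons.append("mixed-initial-ttl")
        report[ip] = reasons
    return report


# Constructed sample: (subscriber address, TTL seen by the ISP monitor).
SAMPLE = [
    ("192.0.2.10", 64), ("192.0.2.10", 64),   # single host, no router
    ("192.0.2.20", 63), ("192.0.2.20", 127),  # Linux and Windows behind NAT
    ("192.0.2.30", 64),                       # host set to 65 behind NAT
]

if __name__ == "__main__":
    for ip, reasons in classify_subscribers(SAMPLE).items():
        print(ip, reasons or "no NAT indication")
```

The last sample address shows the limit of a TTL-only check: it reports nothing, which is why the other characteristics mentioned in the quoted message (port numbers, sequence number series) would have to be correlated as well.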
