Abstract
NAT (Network Address Translation), which was proposed as a solution to the shortage of IPv4 (Internet Protocol version 4) addresses, translates private network addresses into global network addresses and also hides the addresses of hosts behind a NAT. Because of these characteristics, it has not been easy to detect and identify hosts behind a NAT.
In this study, we investigated the characteristics of NATs and NATted hosts in order to resolve the difficulties in identifying NATted hosts, and we improved NAT detection algorithms after experimenting with the existing ones. Finally, we propose a new NATted host detection and identification algorithm using port patterns of SYN packets. Extending the traditional algorithms, which use linear patterns generated from the IP ID field in the IP header of data packets, our proposed algorithm identifies and groups NATted hosts more efficiently by analyzing additional header information such as source IP or source port, and it improves accuracy and reduces computation by investigating the port patterns of SYN packets.
Key Words: NAT Detection, Host Identification, Packet Analysis, Port-Pattern Clustering
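The grouping idea summarized in the abstract, as an added example that is not the paper's own algorithm: it assumes each host behind the NAT emits values from its own increasing 16-bit counter (IP ID or ephemeral source port) and that the NAT leaves those values unchanged. The `Syn` record, the thresholds and the sample packets are constructed for illustration.

```python
from collections import namedtuple

Syn = namedtuple("Syn", "ts src_ip src_port ip_id")

MOD = 1 << 16     # IP ID and TCP source port are both 16-bit fields
MAX_GAP = 64      # assumed: largest forward step still treated as one counter
MAX_IDLE = 30.0   # assumed: seconds of silence after which a run is closed
MIN_LEN = 3       # assumed: shorter runs are discarded as noise

def group_sequences(packets, field):
    """Greedily split one source IP's SYNs into increasing runs of `field`."""
    seqs = []
    for p in sorted(packets, key=lambda q: q.ts):
        best, best_gap = None, MAX_GAP + 1
        for s in seqs:
            gap = (getattr(p, field) - getattr(s[-1], field)) % MOD  # wrap-safe
            if 0 < gap < best_gap and p.ts - s[-1].ts <= MAX_IDLE:
                best, best_gap = s, gap
        if best is None:
            seqs.append([p])      # no run fits: start a new candidate host
        else:
            best.append(p)        # extend the closest-fitting run
    return [s for s in seqs if len(s) >= MIN_LEN]

def estimate_hosts(packets, field="src_port"):
    """Return {src_ip: number of distinct counter sequences observed}."""
    by_ip = {}
    for p in packets:
        by_ip.setdefault(p.src_ip, []).append(p)
    return {ip: len(group_sequences(pk, field)) for ip, pk in by_ip.items()}

# Constructed sample: 203.0.113.7 fronts two hosts; 198.51.100.9 is one host
# whose IP ID counter wraps past 65535.
SAMPLE = [
    Syn(0.0, "203.0.113.7", 49152, 100),    Syn(0.2, "203.0.113.7", 51000, 9000),
    Syn(0.5, "203.0.113.7", 49153, 103),    Syn(0.9, "203.0.113.7", 51001, 9001),
    Syn(1.4, "203.0.113.7", 49155, 104),    Syn(1.5, "203.0.113.7", 51002, 9005),
    Syn(2.0, "203.0.113.7", 49156, 110),
    Syn(0.1, "198.51.100.9", 60000, 65534), Syn(0.6, "198.51.100.9", 60001, 65535),
    Syn(1.1, "198.51.100.9", 60002, 1),     Syn(1.7, "198.51.100.9", 60003, 2),
]

if __name__ == "__main__":
    for field in ("src_port", "ip_id"):
        print(field, estimate_hosts(SAMPLE, field))
```

A source address that yields more than one run is a candidate NAT; stacks that randomize IP IDs or source ports break the counter assumption and are not grouped by this sketch.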
1. Introduction
IPv6 was spotlighted as a solution to IPv4 address exhaustion as Internet usage increased; however, it has not been widely commercialized for many practical reasons. To address this problem, NAT (Network Address Translator) [1] was proposed, and NAT routers are widely used in homes and offices in order to connect more Internet devices at lower cost [2].
NAT translates the IP addresses of a private network into IP addresses of the global network using the RFC 1918 [3] address allocation mechanism for private internets, and this feature is usually implemented in routers or firewalls in order to save IP addresses. NAT temporarily resolves the shortage of IP addresses [4] and hides the private IP addresses of inner hosts.
For an ISP (Internet Service Provider), data traffic may increase because there may be many unknown hosts behind a NAT. ISPs also have difficulty detecting and responding to DoS/DDoS attacks from NATted hosts, because NAT hides the network topology of inner hosts [5] and sidesteps the access controls of network administrators; it is also used by hackers to hide their IP addresses.
For these reasons, some research on detecting NAT devices has been carried out. Current popular NAT detecting techniques are:...