[Translation] Detecting NAT Devices | idouba

[Translation] Detecting NAT Devices

@todo translate this article

Original: Detecting NAT Devices using sFlow

Detecting NAT Devices using sFlow

Peter Phaal, sFlow.org


Overview

Unauthorized NAT (Network Address Translation) devices can be a significant security problem. Typically the NAT device will appear to the network administrator as an end host and it will authenticate itself onto the network. However, the NAT device provides unrestricted access to any number of hosts connecting to it directly, or more troublingly via wireless (Wi-Fi 802.11). Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building. Reliably detecting NAT devices is difficult since they are virtually indistinguishable from legitimate hosts. This paper describes how the detailed, pervasive, traffic monitoring capabilities of sFlow (RFC 3176) can be used to identify NAT devices on a network.

Technique

Figure 1 shows a simplified network topology. The firewall connects the router to the Internet. The router is connected to two distribution switches. In this network the administrative policy is for host computers to be directly connected to the distribution switches, as is shown by Host C. Two hosts, A and B, are connected to the distribution switch through an illicit NAT router. The two distribution switches are sending a continuous stream of sFlow data to the sFlow Analyzer. The challenge is to find the NAT router using the sFlow traffic measurements.


Figure 1: Network with NAT Router

The NAT detection technique is based on two observations about the IP TTL (Time To Live) field.

  1. Host operating systems have characteristic initial TTL values. This property of individual operating system implementations of TCP/IP is well known and can be used as part of a “fingerprint” to identify the operating system that a host is running merely by examining its traffic. The technique is well described in Passive OS Fingerprinting: Details and Techniques by Toby Miller.
  2. NAT devices or gateways decrement the TTL on packets that they forward.

sFlow provides a stream of sampled packet headers captured at the two switches. These packet headers can be decoded and the IP source addresses and TTL values extracted. Suppose all the hosts use the Windows operating system; each host would then generate IP packets with a TTL value of 128. Since the TTL value is decremented each time the packet traverses a router, a packet seen at the firewall from Host C would always have a TTL of 127. Similarly, a packet from Host C seen by the other switch (Switch 10.10.49.204) would also have a TTL of 127. However, the switch connecting Host C to the network (Switch 10.10.67.1) should always see a TTL of 128. The algorithm for detecting NAT routers relies on the observation that switches directly connected to a host, or in the same subnet as a host, will always see packets from the host with a TTL that is characteristic of the host operating system. In this example the sFlow Analyzer would see a TTL of 127 when examining packets sampled by switch 10.10.49.1 that apparently originated from “host” 10.10.49.1. The TTL values in packets from Hosts A and B are decremented by the NAT router before they are passed to the switch, revealing the existence of the router. The effectiveness of this algorithm is easily demonstrated using sFlow data from a production network.

Experiment

The sflowtool utility can be used to decode sFlow packets and feed results into a script. The findnat.awk script shown in Figure 2 implements the NAT discovery algorithm and identifies likely NAT hosts.

Figure 2: findnat.awk

The script is provided with the IP addresses of the distribution switches and the subnets containing their hosts. The script refines the algorithm in a couple of ways. Firstly, it only considers TCP traffic. This helps eliminate false positives created by the use of the traceroute tool (which varies the TTL in order to identify routers on a path); traceroute uses ICMP or UDP packets. The second refinement involves the determination of the host's native TTL. It appears from empirical observation that initial TTL values are either 1, 255 or particular even numbers in between. Rather than enumerate all the known initial TTL values (such as 60, 64, 128, etc.), the discriminator function simply tests whether a packet's TTL is 1, 255 or even.
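The findnat.awk script itself is not reproduced on this page, so the following is an added Python example (not the paper's script) of the same algorithm with both refinements: TCP only, the 1/255/even discriminator, and the switch-to-subnet mapping the script is parameterised with. The sample records and the MACs other than 0004806dd700 are constructed, and the tuple layout is an assumption rather than sflowtool's real output format.

```python
import ipaddress

# Constructed sample records (not real sflowtool output), one per sampled packet:
# (sFlow agent / switch address, source MAC, source IP, IP protocol, IP TTL, source TCP port)
SAMPLES = [
    ("10.10.67.1", "000000000c01", "10.10.67.10",  6, 128, 1035),   # Host C at its own switch
    ("10.10.49.1", "000000000c01", "10.10.67.10",  6, 127, 1035),   # Host C seen by the far switch
    ("10.10.49.1", "0004806d0a01", "10.10.49.204", 6, 127, 62216),  # TTL already decremented: NAT
    ("10.10.49.1", "0004806d0a01", "10.10.49.204", 6, 127, 62217),
    ("10.10.49.1", "000000000c02", "10.10.49.30",  1,   3, 0),      # ICMP traceroute probe: skipped
    ("10.10.49.1", "000000000c02", "10.10.49.30",  6,  64, 40000),  # native TTL 64: a normal host
    ("10.10.67.1", "0004806dd700", "10.10.67.126", 6, 127, 1040),   # two "hosts" behind one MAC:
    ("10.10.67.1", "0004806dd700", "10.10.67.121", 6, 127, 1041),   # a plain router, not NAT
]

# Each distribution switch and the subnet holding its directly connected hosts
# (the parameters the page says the awk script is given).
SWITCH_SUBNETS = {
    "10.10.67.1": ipaddress.ip_network("10.10.67.0/24"),
    "10.10.49.1": ipaddress.ip_network("10.10.49.0/24"),
}

def is_native_ttl(ttl):
    """The page's discriminator: an initial TTL is 1, 255 or an even number."""
    return ttl in (1, 255) or ttl % 2 == 0

def find_nat(samples, switch_subnets):
    """Return {source IP: {"mac", "ttls", "ports"}} for local hosts whose TCP
    packets reach their own switch with a non-native (already decremented) TTL."""
    suspects = {}
    for agent, mac, src_ip, proto, ttl, sport in samples:
        if proto != 6:                       # TCP only: traceroute's ICMP/UDP never counts
            continue
        subnet = switch_subnets.get(agent)
        if subnet is None or ipaddress.ip_address(src_ip) not in subnet:
            continue                         # only hosts the sampling switch connects directly
        if is_native_ttl(ttl):
            continue                         # looks like an OS initial TTL: no router in the path
        entry = suspects.setdefault(src_ip, {"mac": mac, "ttls": set(), "ports": set()})
        entry["ttls"].add(ttl)
        entry["ports"].add(sport)
    return suspects

def group_by_mac(suspects):
    """Suspects sharing one MAC are probably addresses behind a non-NAT router."""
    by_mac = {}
    for ip, info in suspects.items():
        by_mac.setdefault(info["mac"], []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items()}
```

Running `find_nat(SAMPLES, SWITCH_SUBNETS)` flags 10.10.49.204 (TTL 127, high source ports) and the two 10.10.67.x addresses, and `group_by_mac` shows the latter pair sharing 0004806dd700, the same distinction the page draws from Figure 3.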

Figure 3: findnat.awk results

Figure 3 shows the result of running the script. It clearly identifies host 10.10.49.204 as a NAT router. It reports the TTL as 127 and shows the source TCP port as 62216. The high port number is further indication that this is a NAT router since many NAT routers assign very high port numbers to avoid clashes with well known server ports. In addition there are apparently two other NAT routers, 10.10.67.126 and 10.10.67.121. However, both these “routers” have the same MAC address, 0004806dd700, suggesting that there is indeed a router, but that it is not performing a NAT function and that the addresses 10.10.67.126 and 10.10.67.121 are in fact host addresses. It would be interesting to know how many active hosts there are behind the NAT router. The paper A Technique for Counting NATted Hosts, AT&T Labs, Steven M. Bellovin, describes a technique for estimating the number of hosts behind a NAT router by examining the IP Id values in a series of packets. Each host will generate its own increasing sequence of Id values.

Figure 4: tcpdump results

Figure 4 shows the result of a tcpdump trace examining packets from the NAT router (10.10.49.204). It appears that there are 3 distinct sequences of IP id numbers.


Figure 5: IP Id Value vs. Time

The chart in Figure 5 plots id values as a function of time and very clearly shows the three different sequences of id numbers, indicating that there are three active hosts behind the NAT router.
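The tcpdump trace and chart are not reproduced here, so this added example (not from the paper) shows how the IP Id observation can be turned into a host count: each Id, in capture order, is attributed to the increasing sequence it most plausibly continues, and the number of sequences is the estimate. The Id values are constructed, and the `max_gap` threshold is an assumption of this example.

```python
# Constructed IP Id values in capture order (not the page's tcpdump trace):
# three hosts behind the NAT, each driving its own increasing 16-bit counter,
# one of which wraps from 65531 to 2 during the capture.
IP_IDS = [1000, 20000, 65520, 1001, 20002, 1003, 65525, 20005, 65531, 1006, 2]

def split_ip_id_sequences(ip_ids, max_gap=64):
    """Greedily attribute each IP Id to the sequence whose last value it follows
    most closely (0 < gap <= max_gap). Each resulting sequence stands for one
    host behind the NAT. The Id counter is 16 bits, so the gap is taken mod 65536.
    max_gap is an assumed tuning knob: a host that sends more than max_gap
    unseen packets between two samples starts a new sequence and is counted twice."""
    sequences = []
    for ipid in ip_ids:
        best = None
        for seq in sequences:
            gap = (ipid - seq[-1]) & 0xFFFF
            if 0 < gap <= max_gap and (best is None or gap < best[0]):
                best = (gap, seq)
        if best is None:
            sequences.append([ipid])        # no sequence explains it: a new host
        else:
            best[1].append(ipid)
    return sequences

def count_natted_hosts(ip_ids, max_gap=64):
    """Estimated number of active hosts behind the NAT router."""
    return len(split_ip_id_sequences(ip_ids, max_gap))

if __name__ == "__main__":
    for n, seq in enumerate(split_ip_id_sequences(IP_IDS), 1):
        print("host", n, seq)
    print("estimated hosts:", count_natted_hosts(IP_IDS))
```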

Conclusion

Original article. To keep versions consistent, current and traceable, please credit reposts: reposted from idouba

Link to this article: [Translation] Detecting NAT Devices

