ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
A technique for counting natted hosts
Full text PdfPdf (554 KB)
Source Internet Measurement Conference archive
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment table of contents
Marseille, France
SESSION: Session 9: traffic analysis table of contents
Pages: 267 - 272  
Year of Publication: 2002
ISBN:1-58113-603-X
Author
Steven M. Bellovin  AT&T Labs Research
Sponsor
SIGCOMM: ACM Special Interest Group on Data Communication
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 6,   Downloads (12 Months): 35,   Citation Count: 15
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/637201.637243
What is a DOI?

ABSTRACT

There have been many attempts to measure how many hosts are on the Internet. Many of those end-points, however, are NAT boxes (Network Address Translators), and actually represent several different computers. We describe a technique for detecting NATs and counting the number of active hosts behind them. The technique is based on the observation that on many operating systems, the IP header's ID field is a simple counter. By suitable processing of trace data, packets emanating from individual machines can be isolated, and the number of machines determined. Our implementation, tested on aggregated local trace data, demonstrates the feasibility (and limitations) of the scheme.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
P. Srisuresh and K. Egevang, "Traditional IP network address translator (traditional NAT)," RFC 3022, Internet Engineering Task Force, Jan. 2001.
 
2
T. Hain, "Architectural implications of NAT," RFC 2993, Internet Engineering Task Force, Nov. 2000.
 
3
J. Postel, "Internet protocol," RFC 791, Internet Engineering Task Force, Sept. 1981.
4
Neil Spring , Ratul Mahajan , David Wetherall, Measuring ISP topologies with rocketfuel, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
5
J.C. Mogul and S. E. Deering, "Path MTU discovery," RFC 1191, Internet Engineering Task Force, Nov. 1990.
 
6
M. Holdrege and P. Srisuresh, "Protocol complications with the IP network address translator," RFC 3027, Internet Engineering Task Force, Jan. 2001.
 
7
D. Senie, "Network address translator (nat)-friendly application design guidelines," RFC 3235, Internet Engineering Task Force, Jan. 2002.
 
8
Jim Reeds, "Cracking" a random number generator," Cryptologia, vol. 1, no. 1, January 1977.
 
9
Jacques Stern, "Secret linear congruential generators are not cryptographically secure," in Proceedings of the IEEE Symposium on Foundations of Computer Science, 1987.
 
10
S. Kent and R. Atkinson, "Security architecture for the internet protocol," RFC 2401, Internet Engineering Task Force, Nov. 1998.
 
11
H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, "RTP: a transport protocol for real-time applications," RFC 1889, Internet Engineering Task Force, Jan. 1996.
 
12
Honeynet Project, "Know your enemy: Passive fingerprinting," March 2002, http://project.honeynet.org/ papers/finger.

CITED BY  15
Andre Broido , Evi Nemeth , K. C. Claffy, Spectroscopy of DNS update traffic, ACM SIGMETRICS Performance Evaluation Review, v.31 n.1, June 2003
Alefiya Hussain , John Heidemann , Christos Papadopoulos, A framework for classifying denial of service attacks, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany
Brice Augustin , Xavier Cuvellier , Benjamin Orgogozo , Fabien Viger , Timur Friedman , Matthieu Latapy , Clémence Magnien , Renata Teixeira, Avoiding traceroute anomalies with Paris traceroute, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
Alefiya Hussain , John Heidemann , Christos Papadopoulos, Distinguishing between single and multi-source attacks using signal processing, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.46 n.4, p.479-503, 15 November 2004
Tadayoshi Kohno , Andre Broido , K. C. Claffy, Remote Physical Device Fingerprinting, IEEE Transactions on Dependable and Secure Computing, v.2 n.2, p.93-108, April 2005
Ruoming Pang , Mark Allman , Vern Paxson , Jason Lee, The devil and packet trace anonymization, ACM SIGCOMM Computer Communication Review, v.36 n.1, January 2006
M. Siekkinen , G. Urvoy-Keller , E. W. Biersack , T. En-Najjary, Root cause analysis for long-lived TCP connections, Proceedings of the 2005 ACM conference on Emerging network experiment and technology, October 24-27, 2005, Toulouse, France
Richard W. Thommes , Mark J. Coates, Deterministic packet marking for time-varying congestion price estimation, IEEE/ACM Transactions on Networking (TON), v.14 n.3, p.592-602, June 2006
Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, On the impact of dynamic addressing on malware propagation, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
Chad D. Mano , Andrew Blaich , Qi Liao , Yingxin Jiang , David A. Cieslak , David C. Salyers , Aaron Striegel, RIPPS: Rogue Identifying Packet Payload Slicer Detecting Unauthorized Wireless Hosts Through Network Traffic Conditioning, ACM Transactions on Information and System Security (TISSEC), v.11 n.2, p.1-23, March 2008
Chris Kanich , Kirill Levchenko , Brandon Enright , Geoffrey M. Voelker , Stefan Savage, The heisenbot uncertainty problem: challenges in separating bots from chaff, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
Fabien Viger , Brice Augustin , Xavier Cuvellier , Clémence Magnien , Matthieu Latapy , Timur Friedman , Renata Teixeira, Detection, understanding, and prevention of traceroute measurement artifacts, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.5, p.998-1018, April, 2008
Songjie Wei , Jelena Mirkovic, Correcting congestion-based error in network telescope's observations of worm dynamics, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, October 20-22, 2008, Vouliagmeni, Greece
Adam Bender , Rob Sherwood , Neil Spring, Fixing ally's growing pains with velocity modeling, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, October 20-22, 2008, Vouliagmeni, Greece
Zhichun Li , Anup Goyal , Yan Chen , Vern Paxson, Automating analysis of large-scale botnet probing events, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations
          Subjects: Network management

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.1 Network Architecture and Design
          Subjects: Packet-switching networks
      C.2.5 Local and Wide-Area Networks
          Subjects: Internet (e.g., TCP/IP)


General Terms:
Management, Measurement, Performance

Collaborative Colleagues:
Steven M. Bellovin: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player