Detecting NAT?



  • I was wondering if it is physically possible to detect an extra NAT device on a network?

    In other words, you have a large 10.0.0.0/8 network, and you set up your own 192.168.1.0/24 network inside.

    Can someone on the 10.0.0.0/8 network detect the NAT device as a NAT device, and not just another host?



  • Yes, and you'll find many articles on the Internet about this. The simplest check is to look at the TTL of the packets since different operating systems use different default values. Similarly there are other values in the packet header that can be used.

    Then of course you can look at things like browser user-agent strings and other browser-provided information, which may allow you to detect individual machines.



  • @Cry:

    Yes, and you'll find many articles on the Internet about this. The simplest check is to look at the TTL of the packets since different operating systems use different default values. Similarly there are other values in the packet header that can be used.

    Then of course you can look at things like browser user-agent strings and other browser-provided information, which may allow you to detect individual machines.

    Are these concepts practical for long-term monitoring of a network, or are they just proofs of concept?



  • Practical. The first - TTL checks - has been done by a number of ISPs for a few years now. Both of the first two I've seen discussed for most of a decade now. Various tools like p0f exist which make this pretty trivial to do.

    The last, browser fingerprints, is another thing I've seen done for years now, though it is harder to do than the above, so relatively few will bother with it. It does provide a rich source of information about a network (or individual computer) for those willing to put the effort in (for instance, as well as the operating system, it will often tell you the patch level and what versions of things like Acrobat, Flash, Shockwave, .NET, etc. are installed).


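The TTL check discussed in the thread, as an added example for network monitoring (not code from any poster and not how p0f is implemented). It assumes the monitor sits on the same segment as the 10.0.0.0/8 hosts, so directly attached hosts arrive with an unmodified initial TTL, and that the NAT device decrements TTL when forwarding as a router does; the function names and sample observations are constructed for illustration.

```python
from collections import defaultdict

# Well-known default initial TTLs used by common operating systems.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed):
    """Return the smallest common initial TTL that is >= the observed TTL."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial
    raise ValueError(f"TTL out of range: {observed}")


def find_nat_candidates(observations, expected_hops=0):
    """observations: iterable of (src_ip, ttl) pairs seen at the monitor.

    Returns {src_ip: [reasons]} for sources whose TTLs suggest more than
    one machine, or an extra routing hop, behind a single address.
    """
    seen = defaultdict(set)
    for src, ttl in observations:
        if not 1 <= ttl <= 255:
            continue  # ignore malformed records
        initial = infer_initial_ttl(ttl)
        seen[src].add((initial, initial - ttl))

    findings = {}
    for src, pairs in seen.items():
        initials = sorted({i for i, _ in pairs})
        hops = sorted({h for _, h in pairs})
        reasons = []
        if len(initials) > 1:
            reasons.append(f"mixed initial TTLs {initials}")
        if any(h > expected_hops for h in hops):
            reasons.append(f"hop counts {hops}, expected {expected_hops}")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample: two directly attached hosts and one address that
# sends its own traffic (64) plus forwarded traffic (63 and 127).
SAMPLE = [("10.1.2.10", 64), ("10.1.2.10", 64), ("10.1.2.20", 128),
          ("10.1.2.30", 64), ("10.1.2.30", 63), ("10.1.2.30", 127)]

if __name__ == "__main__":
    for ip, why in find_nat_candidates(SAMPLE).items():
        print(ip, "->", "; ".join(why))
```

A dual-boot host or one running bridged virtual machines can also show mixed initial TTLs, so a hit is a lead to investigate rather than proof of NAT.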