Proxy & NAT Server detection

Proxy & NAT Server detection

Post by Christopher Chl » Mon, 06 Jul 1998 04:00:00




>Not true. It's much harder, but certainly not impossible to tell if a
>particular user is running Sygate.

This is interesting. Could you tell me how one can distinguish traffic coming
from a Network Address Translator?

The packets have the MAC SRC address of the host, the SRC IP address of the
host, the UDP and TCP SRC PORT numbers could be anything, so how are you going
to distinguish them?

Are you implying that Sygate gives itself away by always using SRC PORT
numbers in some particular range?

Or does SYGATE give itself away by responding to some particular port number < 1024?

Perhaps its registration verification sends something to some fixed IP
address?

Chris.

Christopher Chlap
University of Canberra, Australia

http://willow.canberra.edu.au/~chrisc/nat32.html
-----------------------------------------------------------------------


Proxy & NAT Server detection

Post by Tom Perkin » Mon, 06 Jul 1998 04:00:00


If I was trying to figure this out, I'd look for patterns in port
numbers assigned by NAT vs clients.  The number of connections to
different web servers would also be an indicator.



> >Not true. It's much harder, but certainly not impossible to tell if a
> >particular user is running Sygate.

> This is interesting. Could you tell me how one can distinguish traffic coming
> from a Network Address Translator?

> The packets have the MAC SRC address of the host, the SRC IP address of the
> host, the UDP and TCP SRC PORT numbers could be anything, so how are you going
> to distinguish them?

> Are you implying that Sygate gives itself away by always using SRC PORT
> numbers in some particular range?

> Or does SYGATE give itself away by responding to some particular port number < 1024?

> Perhaps its registration verification sends something to some fixed IP
> address?

> Chris.

> Christopher Chlap
> University of Canberra, Australia

> http://willow.canberra.edu.au/~chrisc/nat32.html
> -----------------------------------------------------------------------



Proxy & NAT Server detection

Post by Christopher Chl » Tue, 07 Jul 1998 04:00:00



>If I was trying to figure this out.  I'd look for patterns in port
>numbers assigned by NAT vs clients.  The number of connections to
>different web servers would also be an indicator.

Patterns in port numbers will not give you reliable information. Which source
port numbers are used varies from system to system. While you might be able to
detect patterns in Windows TCP/IP-based clients, what about Unix boxes and all
the others?
Some NATs always map src ports to numbers in a certain range; these
implementations give themselves away, but I doubt you could rely on this. I
know of at least one NAT which doesn't do this. Also, you don't know in
advance which (if any) NAT is in use or which flavour of TCP/IP stack is
generating the packets.

Connections to web servers are no guide either. Many people these days connect
to exactly one web server: their proxy host.

I believe it would be extremely difficult to detect a well-implemented NAT
with any reasonable degree of confidence.

Chris.  

Christopher Chlap
University of Canberra, Australia

http://willow.canberra.edu.au/~chrisc/nat32.html
-----------------------------------------------------------------------


Proxy & NAT Server detection

Post by Tom Perkin » Tue, 07 Jul 1998 04:00:00


I think it'd be tough, but impossible, no.  I certainly don't think it'd
be worth anyone's effort.  Far more important areas need attention
than someone sneaking a LAN behind a NAT machine.  They've had ISDN
routers with NAT built in for years and I don't think it's ever been an
issue with the ISPs there.

The only real issue I can imagine is traffic volume and the ISP can
always limit that in their Terms & Conditions.  Plus a volume limit
would cover the traffic hog with only one machine as well.

If I was going to try -- I'd look for heavy volume.  Use telnet, ftp,
etc. probes to solicit responses from the target to try and identify the
target type (i.e., Win95, WinNT, Linux, FreeBSD, etc).  While different
NAT implementations may assign ports in different ways, the patterns
would likely indicate a flavor so you'd need a database of flavors (sorta
like the track marks for viruses).  Then there's loading from different
web servers at the same time.  If you id the browser(s) then you can
compare what multiple (at the same time) connections established by a
single browser vs what two separate browsers via NAT would look like.
Need a database for that too, I'd guess.

Lots and lots of work for very little reward.

Regards
Tom



> >If I was trying to figure this out.  I'd look for patterns in port
> >numbers assigned by NAT vs clients.  The number of connections to
> >different web servers would also be an indicator.
> Patterns in port numbers will not give you reliable information. Which source
> port numbers are used varies from system to system. While you might be able to
> detect patterns in Windows TCP/IP-based clients, what about Unix boxes and all
> the others?
> Some NATs always map src ports to numbers in a certain range; these
> implementations give themselves away, but I doubt you could rely on this. I
> know of at least one NAT which doesn't do this. Also, you don't know in
> advance which (if any) NAT is in use or which flavour of TCP/IP stack is
> generating the packets.

> Connections to web servers are no guide either. Many people these days connect
> to exactly one web server: their proxy host.

> I believe it would be extremely difficult to detect a well-implemented NAT
> with any reasonable degree of confidence.

> Chris.

> Christopher Chlap
> University of Canberra, Australia

> http://willow.canberra.edu.au/~chrisc/nat32.html
> -----------------------------------------------------------------------


Proxy & NAT Server detection

Post by George Maren » Wed, 08 Jul 1998 04:00:00





>>Not true. It's much harder, but certainly not impossible to tell if a
>>particular user is running Sygate.

>This is interesting. Could you tell me how one can distinguish traffic coming
>from a Network Address Translator?

I was under the impression that NAT implementations used particular
port numbers, and those patterns could be used to distinguish a NAT
source from a non NAT source.

It sounds like I was mistaken.


Proxy & NAT Server detection

Post by Christopher Chl » Wed, 08 Jul 1998 04:00:00



>I was under the impression that NAT implementations used particular
>port numbers, and those patterns could be used to distinguish a NAT
>source from a non NAT source.

>It sounds like I was mistaken.

That's right, you can't tell from port numbers whether or not a NAT is
running. To convince yourself of this, perform the following experiment:

Start up something like NetMeeting on your machine. Then, in a Windows
Console, type: netstat -an
You will get a list of all the port numbers currently in use on your machine.
Now, from that list you simply can't tell which port numbers are what. On my
machine there is a port number of 6000 always present. Could that be the NAT?
Nope it isn't, it's a winsock app I wrote which listens at port 6000.

The point is, that someone else can never say for sure that this or that is a
NAT-assigned port.

A previous poster commented about traffic volume. This is also not a reliable
indicator. Many people often have several Netscape windows open at once. How
are you going to prove that the traffic isn't coming from a single machine?

Chris.

Christopher Chlap
University of Canberra, Australia

http://willow.canberra.edu.au/~chrisc/nat32.html
-----------------------------------------------------------------------
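The two heuristics proposed in Tom's post (source-port allocation patterns and the number of distinct web servers contacted) and the `netstat -an` experiment Chris describes, worked through in code. This is an added example, not code from any poster; the flow records and the netstat listing are constructed sample data, and the field names and helper functions (`Flow`, `Observed`, `observed`, `port_pattern`, `distinct_web_servers`, `parse_netstat`) are this example's own. It shows what an outside observer actually has to work with: the translator strips the inner host identity, so a single PC with several browser windows and two PCs behind a NAT can produce record sets that score identically on both heuristics.

```python
"""NAT-detection heuristics from the thread, run over constructed data.
Not from the original posts; all records below are made up for illustration."""
from collections import namedtuple

# Full record, including the inner host that only the NAT itself knows about.
Flow = namedtuple("Flow", "inner_host src_port dst_ip dst_port")
# What an observer on the ISP side sees: the inner host is gone.
Observed = namedtuple("Observed", "src_port dst_ip dst_port")

# Constructed: one PC ("pc1") with several browser windows open at once.
SINGLE_HOST = [
    Flow("pc1", 1030, "192.0.2.10", 80), Flow("pc1", 1031, "192.0.2.10", 80),
    Flow("pc1", 1032, "192.0.2.20", 80), Flow("pc1", 1033, "192.0.2.30", 80),
    Flow("pc1", 1034, "192.0.2.40", 80), Flow("pc1", 1035, "192.0.2.20", 80),
]
# Constructed: two PCs behind a NAT that hands out ports in arrival order.
BEHIND_NAT = [
    Flow("pc1", 1030, "192.0.2.10", 80), Flow("pc2", 1031, "192.0.2.10", 80),
    Flow("pc2", 1032, "192.0.2.20", 80), Flow("pc1", 1033, "192.0.2.30", 80),
    Flow("pc2", 1034, "192.0.2.40", 80), Flow("pc1", 1035, "192.0.2.20", 80),
]


def observed(flows):
    """Project full records onto what the outside observer can capture."""
    return [Observed(f.src_port, f.dst_ip, f.dst_port) for f in flows]


def port_pattern(flows):
    """Heuristic 1 (Tom): describe the source-port allocation pattern.
    Returns (lowest port, highest port, ports_are_consecutive)."""
    ports = sorted(f.src_port for f in flows)
    consecutive = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    return ports[0], ports[-1], consecutive


def distinct_web_servers(flows):
    """Heuristic 2 (Tom): how many different web servers were contacted."""
    return len({f.dst_ip for f in flows if f.dst_port == 80})


def indistinguishable(a, b):
    """True when both heuristics give the same reading for both flow sets,
    i.e. the observer cannot separate the NAT case from the single-host case."""
    return (port_pattern(a) == port_pattern(b)
            and distinct_web_servers(a) == distinct_web_servers(b))


# Constructed `netstat -an` listing in the Windows layout Chris refers to.
# Port 6000 is a locally written listener, as in his post, not a NAT.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1030          192.0.2.10:80          ESTABLISHED
  TCP    10.0.0.5:1031          192.0.2.10:80          ESTABLISHED
  UDP    10.0.0.5:1720          *:*
"""


def parse_netstat(text):
    """Parse a `netstat -an` listing into (proto, local_port, state) tuples.
    UDP rows carry no state column, so state is '' for them."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        local_port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], local_port, state))
    return rows


def listening_ports(text):
    """Ports in LISTENING state. Nothing in the listing says what owns them."""
    return sorted(p for proto, p, state in parse_netstat(text) if state == "LISTENING")


if __name__ == "__main__":
    for name, flows in (("single host", SINGLE_HOST), ("behind NAT", BEHIND_NAT)):
        seen = observed(flows)
        print(name, port_pattern(seen), distinct_web_servers(seen))
    print("heuristics tie:", indistinguishable(observed(SINGLE_HOST), observed(BEHIND_NAT)))
    print("listening:", listening_ports(NETSTAT_SAMPLE))
```

The `inner_host` field is the only thing that separates the two data sets, and it is exactly what the translator removes before the packets reach the wire; both heuristics therefore return the same values for both cases. The netstat parser makes Chris's second point: the listing yields a set of port numbers and states, with no field that says which process, or which translator, opened them.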


Proxy Server Detection

On Sun, 22 Aug 1999 18:16:07 -0700, septik wrote

Nope. That one would be hard to tell.

Apple Computer has a wireless device for their iBook (laptop), and it
has a 56K modem built in to it. It can run several wireless devices
off that "base unit" and have that unit run it all through one ISP
connection (all transparently). It will do DSL, Cable or modem.

The wireless runs at 11Mbps capacity, I believe. So, there's an example
of where there's no way on earth anyone is going to find out about
that -- while you can run a whole gaggle of wireless machines around
the house. Hey, no network wires!

See -- <http://www.apple.com/airport/>
