网络中检测共享（NAT）的原理分析及破解对策

心想事成

Now that we've described a system for classifying a NAT by its functionality and limitations, the next task is to examine a network endpoint to detect what kind of address translation is in effect, if any. NAT detection involves exchanging several probe packets with a remote "probe server" somewhere on the Internet (and clearly not behind NAT).Not That Kind of ProbeThe probe server is composed of 4 endpoints across 3 different IP addresses (whether by multihosting or coordinating between processes on separate host machines). The client endpoint initiates the NAT detection process by sending 2 request packets, and the server responds with 4 probes back to the apparent sender, as follows:1. Request sent to Probe Server 1   1a. Probe Server 1 sends response   1b. Alternate Port sends probe   1c. Alternate Host sends probe 2. Request sent to Probe Server 2   2a. Probe Server 2 sends response Because the Client Endpoint may or may not be behind NAT, each probe server sends its packets back at the "apparent" endpoint that originated the probe request. The client must wait to for the probes to arrive or time out, to determine the nature of its network connection.Packet 1: Request to Probe Server 1The initial packet tells the server to send 3 probes at the apparent address of the sender. If the Client Endpoint is behind NAT, this packet creates a mapping between it and Probe Server 1, so that some or all probe packets will may be forwarded.Packet 1a: Probe Server 1 ResponseThis packet acknowledges the initial Probe Request, telling the client that the process has started and demonstrating that it is not offline or firewalled from the Internet. It also returns the "apparent address" of the client back to the client endpoint itself. Since Packet 1 has already created an outgoing mapping, all NAT configurations should forward this packet successfully.Packet 1b: Alternate Port ProbeIf the client receives this packet, then it knows that the NAT mapping for this endpoint forwards traffic from any port on the remote host. If the client NAT rejects the packet, then it's likely that the NAT will reject all unsolicited messages from remote hosts.Packet 1c: Alternate Host ProbeIf the client receives this packet, it should expect the NAT mapping for this endpoint to forward traffic from any host on the Internet. If the client NAT rejects the packet, then it's likely that the NAT will reject all unsolicited messages from remote hosts.Packet 2: Request to Probe Server 2The second request tells a different probe server to send only 1 probe, the response packet, back to the "apparent" endpoint that originated the request. If there is an intervening NAT, this packet will either expand the previous mapping to include the new remote host, or a new mapping will be created with a different apparent address or port.Packet 2a: Probe Server 2 ResponseThis message returns the "apparent" address of the client back to the client endpoint itself. By comparing this address with that returned in Packet 1b, the endpoint can determine whether the NAT uses the same mapping consistently for the same endpoint, or creates a new one on the fly each time. Analyzing The ResultsBefore sending any probe requests, the client application assumes the most pessimistic view -- that it's either offline or blocked from Internet access. It then refines (improves) its opinion of the network limitations as response and probe packets are returned, up to a reasonable timeout period (say 5 seconds). This estimate is never lowered based on incoming data, as each response suggests additional features are supported -- or just confirms something it already knows.Also note that this information only supplements what the operating system already knows -- if there are no active network interfaces, then the client application has a pretty good idea that the it is offline without sending any probes.Receive no packets: Offline or blocked networkBy default, the client application assumes that it is offline or blocked. If no response packets arrive within the reasonable timeout period, then this becomes the final determination.Receive packet 1a or 2a: Restrictive network or betterWhen the client receives a response to its probe request, it assumes that the network is up and that the NAT (if any) will forward packets from remote hosts that already have an established mapping with the local endpoint. In addition, the client application saves the contents of this packet, which indicate the "apparent" network address that the remote host observed.Receive packets 1a and 2a and (1a == 2a): Consistent network or betterIf the client receives a response to the second request, it compares the "apparent" network address returned in each packet. If both servers report the same host and port for the local endpoint, then the client can assume that its address mapping is consistent.Receive packet 1b and 2a and (1b == 2a): Protective network or betterIf the client receives a packet from an unsolicited port on the probe server, it knows that the NAT allows incoming packets from any port on a remote host when a mapping already exists for that host.Receive packet 1c: Permissive network or betterIf the client receives a packet from a host where no previous mapping exists, it knows that the NAT is very permissive or has been configured to forward incoming packets on that port. Note that a NAT may be explicitly configured to allow packets on a single port (if the user knows which port your software uses), or it may simply forward all unknown packets to this host (often called a demilitarized zone) -- but there is no automatic way to tell the difference.Receive packets 1a and 1c and (1a == local): Direct networkIf the client knows that it is on a permissive network, it compares the apparent host address and port against the address and port on the local interface it is bound to. If they are identical, the client may assume it is directly connected to the Internet and that no NAT is present -- or is sufficiently camoflauged as to make no difference.原文见：http://www.codewhore.com/nat4.html

心想事成

QUOTE
Detecting NAT Routers    Thursday, April 24 2003 @ 08:35 AM CDTContributed by: opticfiber A great paper written by Peter Phaal explains the simple method used in his companies product, Sflow, to detect multiple host behind a NAT firewall. The secret, it would seem is simply monitoring of the TTL of out going packets and comparing them to a host know not to be using a NAT firewall.Another method only touched upon by Phaal is passive OS finger printing, although this method is less reliable, an statistical analasys could determine if multiple operating systems were using the same network network device. If this were the case it would be reasonable to assume that that host was in fact a NAT device.AT&T Labs has published a paper explaining how to count the number of devices behind a NAT device. The method AT&T uses, relies on the fact that most operating systems (excluding Linux and Free BSD) use IP header ID's as simple counters. By observing out of sequence header ID's, an analasys can calculate how many actual hosts are behind a NAT device.Each of these methods can be easily defeated through better sterilization by the router itself. In the first example, if the TTL for each TCP packet was re-written by the router for each packet to the value of 128, the first method would no longer function. For the second method, sterilizing IP header information and stripping unneeded TCP flags would successfully undermine this scheme. For the last Method, counting hosts behind a router. Striping the fragmentation flag for syn packets, and setting the IP ID to '0', (like Linux and Free BSD both do) would make it impossible to count hosts behind a NAT router.

smile787

GOOD，好文~辛苦了~

心想事成

终于让我找到了：网络尖兵也是采用国外的技术啊。看看这里吧：http://www.sflow.org/detectNAT/看图片，原理都是一样。

心想事成

QUOTE
The NAT detection technique is based on two observations about the IP TTL (Time To Live) field.Host operating systems have characteristic initial TTL values. This property of individual operating system implementations of TCP/IP is well known and can be used as part of a "fingerprint" to identify the operating system that a host is running merely by examining its traffic. The technique is well described in Passive OS Fingerprinting: Details and Techniques by Toby Miller. NAT devices or gateways decrement the TTL on packets that they forward. sFlow provides a stream of sampled packet headers captured at the two switches. These packet headers can be decoded and IP source addresses and TTL values can be extracted. Suppose all the hosts use the Windows operating system, each host would then generate IP packets with a TTL value of 128. Since the TTL value is decremented each time the packet traverses a router, a packet seen at the firewall from Host C would always have a TTL of 127. Similarly, a packet from Host C seen by the other switch (Switch 10.10.49.204) would also have a TTL of 127. However, the switch connecting Host C to the network (Switch 10.10.67.1) should always see a TTL of 128. The algorithm for detecting NAT routers relies on the observation that switches directly connected to a host, or in the same subnet as a host, will always see packets from the host with a TTL that is characteristic of the host operating system.In this example the sFlow Analyzer would see a TTL of 127 when examining packets sampled by switch 10.10.49.1 that  apparently originated from "host" 10.10.49.1. The TTL values in packets from Hosts A and B are decremented by the NAT router before they are passed to the switch, revealing the existence of the router.The effectiveness of this algorithm is easily demonstrated using sFlow data from a production network.
这下我们可以破了“网络尖兵”了

心想事成

思科的NAT 检测的功能介绍：http://www.cisco.com/en/US/products/sw/ios...0080110ae9.html

心想事成

一封信：http://clug.chicago.il.us/mail-archive/Mar2001/0845.html

心想事成

QUOTE
通用的被动式操作系统指纹扫描工具p0f2004-07-18类别：扫描器主页：http://lcamtuf.coredump.cx/p0f.shtmlP0f v2是一个通用的被动式操作系统指纹扫描工具。p0f可以确认以下机器的操作系统：- 连接到你机器的机器(SYN模式),- 你要连接的机器(SYN+ACK模式),- 你连不上的机器(RST+模式),- 你可以监听通讯的那些机器 P0f还有其他手段来检测或测量下面的东西：- 防火墙的存在或伪装(对策略强制有用),- 到远端系统的距离以及它启动的时间,- 其他网络连接(DSL, OC3, avian carriers)以及他的ISP. 所有这些甚至在扫描的设备位于一个主动包过滤防火墙后，这时候我们常用的扫描器束手无策的时候都可以完成。P0f不产生任何其他的网络流量：直接的或者间接的。没有name lookups、没有神秘的嗅探、没有ARIN查询，什么都没有！怎么做到的？很简单：魔法。在这儿你可以找到答案。我在哪儿可以得到它？点击这儿你可以得到p0f v2 (2.0.4)。如果你觉得自己够幸运，你可以试试最近的开发快照(2.0.5-b1)(如果你需要报告一个Bug或者提交一个新的特性请下载它试试)。如果你喜欢p0f，希望跟踪这个产品，建议你订阅位于Freshmeat的该项目。Windows用户可以下载这个Kirby Kuehl制作的预编译的二进制版本。想在移动设备上使用的人可以在Kevin Currie的主页上下载ARM的移植版本。 p0f的一些功能已经内建于OpenBSD中，谢谢Mike Frantzen(他的工作实际上启发了p0f V2的重写）。netfilter的Linux补丁在这儿。P0f可以允许在Linux、FreeBSD、NetBSD、OpenBSD、MacOS X、Solaris、AIX和Windows(已经其他一些有pcap或者pcap移植库的系统)上。第三方的项目如p0f_db或p0f-stats提供了p0f输出更容易的存储和分析。

心想事成

QUOTE
There is a new application note < http://www.sflow.org/detectNAT/ > describing a technique for detecting unuathorised NAT devices using sFlow. NAT devices can be a security problem if they hide wireless access points. An uncontrolled wireless access point can allow unrestricted access to the network from a considerable distance. The following steps will let you configure Traffic Server to forward sFlow so you can use the script in the paper (provided you are monitoring switches using sFlow,XRMON or an sFlow probe): 1. Use the Server->Forwarding option to forward sFlow from all agents in the network to localhost, port 7343 (Agent=0.0.0.0/0, Address=127.0.0.1, Port=7343). 2. Modify the findnat.awk script so that there is an "agents[agent]=subnet" line for each of your edge switches. 3. Run the script using the command: sflowtool -p 7343 | ./findnat.awk Note: This technique will not work with NetFlow sources since they do not provide the IP TTL information needed for the analysis. ---------------------- Peter Phaal InMon Corp.

心想事成

sFlow步入实用      sFlow步入实用     一项不太为人所知的实时网络监测标准，将为高速网络用户带来价值。     尽管IETF的sFlow草案标准已经公布多年了，但还没有几家厂商实施它。专家和用户表示，随着一些企业中的网络传输流速度增加到千兆和万兆，sFlow将成为跟踪网络性能和提供网络安全的一种越来越重要的工具。     2001年被IETF批准成为一项草案标准的sFlow是一种网络监测技术，它利用对整个网络上传送的局域网和广域网数据包流的随机采样，让用户详细、实时地掌握网络传输流的性能、趋势和问题。  网络监测功能一般是通过将网络探测器设备(如运行探测器软件的PC或专用设备)安装在网络的某一网段上采集数据实现的。探测器常常被插入到局域网交换机上的镜像端口中，即被配置为复制来自交换机上另一个端口的传输流的端口。探测器将只能够从镜像端口采集传输流数据。     sFlow被部署在运行于网络中实际的交换机和路由器上的各个网络管理信息库中(MIB)中，MIB是基于硬件或基于软件的代理。sFlow支持者表示，这样做可以更全面地展示网络性能。监测发生在每台具有sFlow功能的交换机的每一个端口上，而不是只出现连接探测器的端口或网段上。     sFlow MIB对流经端口的数据包随机采样，而不是捕获和记录交换机或路由器端口上的每一个数据包。这些叫做sFlow数据报的样本被转发给网络上的一台sFlow采集服务器。在这台服务器上，样本数据报利用一种算法进行处理，算法根据采样的数据建立网络传输流的完整模型。     sFlow背后的技术是由交换机监测软件生产商InMon的工程师、HP以及Foundry Networks的开发人员联合开发的。将sFlow技术应用在局域网交换机中的厂商包括HP、Foundry和 Extreme Networks。HP OpenView、NetScout的nGenius Performance Manager 和InMon Traffic Server等产品中提供了对sFlow的软件支持。     sFlow应用实例     在佛罗里达州Tampa市的Moffit癌症中心中，具有sFlow功能的交换机被用于测量网络性能以及用作一种安全工具。该中心表示，“sFlow为其提供了网络中每一个端口的实时网络统计数据。有关传输流模式信息的详细程度非常高，详细到了协议和端口级。如果网络上有人做错了什么事，你可以跟踪他们，一直找到他们插入PC的地方。”     Kingdon Capital Management是纽约一家小型对冲基金公司，该公司也计划使用sFlow。在其网络上传输着很多的实时数据，这种实时数据流基本是由平均价值为每笔1千万美元的交易构成的，他们希望sFlow能更好地了解网络性能的总体情况。了解更多的数据包和协议专有信息的能力将会对其有更大的帮助，它将使该公司可以得到比通常得到的信息更加详细的内容。     安全功能     一些专家表示，除了提供网络性能的实时快照外，sFlow还可被用作一种网络安全工具。检测作为网络地址翻译(NAT)设备的未经授权的网络设备就是一个例子。sFlow草案标准作者、InMon公司工程师Peter Phaal表示，这可能包括一台具有NAT功能的普通无线路由器。尽管连接到网络上的NAT设备也许看似合法的端点节点，但这些设备可能成为有线或无线用户的后门，提供对未经授权的连接访问。     由于sFlow对来自网络中每一个端口的数据流进行采样，sFlow数据分析器可以通过比较交换机和NAT设备间的子网数据，识别网络中作为NAT设备的节点。

心想事成

可以击败网络尖兵了Each of these methods can be easily defeated through better sterilization by the router itself. In the first example, if the TTL for each TCP packet was re-written by the router for each packet to the value of 128, the first method would no longer function. For the second method, sterilizing IP header information and stripping unneeded TCP flags would successfully undermine this scheme. For the last Method, counting hosts behind a router. Striping the fragmentation flag for syn packets, and setting the IP ID to '0', (like Linux and Free BSD both do) would make it impossible to count hosts behind a NAT router. 在第一个例子，如果所有的tcp包通过iptables重新把TTL写为128，就可以破解掉了。在第二种方法，清除IP头的信息和抽取掉不需要的TCP标记，也可以完美的破解掉在第三种方法，剥离破碎的syn包的标记，设置IP的ID为“0”，也使它无法计算出在NAT后面的主机有多少台。猜测认为网络尖兵只使用了比较TTL的技术，所以可以很容易的破解掉！！而如果是用cisco的接入设备的话，可能需要三者同时兼顾才行！

DreamCat

郁闷，CPU坏了，刚才为老大的帖子写了好多东西，没等提交~~~~555555555555555555555555555555555555555555555555555白写了。。。。简单说吧，这种NAT检测作为技术而言，我们都应该掌握，不过现在我只能认为这个技术还是太早了~~。似乎唯一可用的也就是无线网络了。全面的IPV6时代才是这个技术生存的真正空间。谢谢老大提供这么多资料。。。

dhp

QUOTE (哈啤猫 @ Nov 8 2004, 12:41 AM)
简单说吧，这种NAT检测作为技术而言，我们都应该掌握，不过现在我只能认为这个技术还是太早了~~。似乎唯一可用的也就是无线网络了。全面的IPV6时代才是这个技术生存的真正空间。
上楼的，我不这么认为：我想你也知道，现在好多地方都在开始实施限制共享上网了。限制共享上网，你认为它对用户有好处吗？恰恰相反，如果以后你家里有好几台电脑或是可以上网的电器（很快会有的），而你要为此付多一倍或更多的上网费用，你会愿意吗？真正受益的只是网络接入服务提供商。最近在网上好多朋友说深圳市正在陆续实行限制共享上网，心想不知何时会查到我这，相信这个时间不久了。哎！我的网吧怎么办？附：

QUOTE
您好，感谢您一直对中国电信的支持。　　根据《互联网保护条例》和公安局相关文件规定，未在相关部门申请互联网经营许可登记的私人性质用户，不得采用共享技术下挂多台电脑上网并向他人提供互联网接入服务。　　经我局核查，贵用户使用的ADSL采用1＋N技术下挂 4台以上电脑共享上网。　　为保证网络质量稳定、维护中国电信用户的合法权益，请您接到通知后于 11月 15 日之前到我局营业厅或拨打10000号进行业务登记，并按相关规定套入相应的资费类别。　　　逾期不来办理的，我公司将不保证其上网质量并保留依法追究相关法律责任的权利。同时按相关规定，将其转入相应的资费类别，并于11月份开始实施收费。  深圳市公安局公共信息网络安全监察分局文件(点击放大）  此致 广东电信有限公司深圳分公司2004年 11月

心想事成

网络尖兵图示：

cxsztl

老大真厉害啊，HOHOHO