Skip to main content

Detect or Block double NAT

More
18 years 5 months ago #14975 by SmartDude
Dear all,
How do i block / detect Double internet sharing (NAT) eg.
I shared the internet to 192.168.0.14
then again 192.168.0.14 shared internet to 192.168.1.14

So how do we detect/block this 2 time internet sharing (NAT)
I heard there is a paper about detecting double NAT but can't find it. I hope u guys will help me . Thank in advance

Share the Knowledge, make a master being a Master...
Best Regards,
SmartDude
More
18 years 5 months ago #15045 by SmartDude
Nobody replied to my query :(
is the question unclear guys ?

Share the Knowledge, make a master being a Master...
Best Regards,
SmartDude
More
18 years 5 months ago #15053 by d_jabsd
Honestly, there is really no way to detect this. That is whole point of NAT. It makes multiple hosts look like one.

You might be able to make a logical guess by looking at traffic patterns and the amount of bandwidth used by a the host in question, but there is no easy way to disect the packet and say definitively that a host is doing NAT for one or more machines.
Try looking for a router. Use the IEEE OUI lookup tool to convert the MAC to a manufacturer. If you find a Cisco-Linksys device where there should be a workstation, then you can start your investigation there.
More
18 years 5 months ago #15112 by SmartDude
Thanks for the reply, but i heard from somebody that from headers there is way to detect the Double NAT, and even there is white paper on internet. But i m unable to find that paper on internet ? Can somebody help me to get that paper.

Share the Knowledge, make a master being a Master...
Best Regards,
SmartDude
More
18 years 5 months ago #15113 by nske
Replied by nske on topic Re: Detect or Block double NAT
As far as I know it is just like d_jabsd said, there is no certain and definite way you can tell if NAT takes place (once or more than once). There are indications that can be extracted from header information and traffic paterns which can lead to a reasonable guess most of the times, however it will always be a guess -any header information that would indicate NAT, like TTL or ID values of IP, can easily be overwritten.

I believe this paper you refer to will be describing such a guessing method.

Given the fact that most papers are published in PDF, you can try your luck using the filetype:pdf filter of google to narrow down your search.
More
18 years 2 months ago #16625 by SmartDude

As far as I know it is just like d_jabsd said, there is no certain and definite way you can tell if NAT takes place (once or more than once). There are indications that can be extracted from header information and traffic paterns which can lead to a reasonable guess most of the times, however it will always be a guess -any header information that would indicate NAT, like TTL or ID values of IP, can easily be overwritten.

I believe this paper you refer to will be describing such a guessing method.

Given the fact that most papers are published in PDF, you can try your luck using the filetype:pdf filter of google to narrow down your search.



Can you tell me how do i get header information for this double NAT ?

Share the Knowledge, make a master being a Master...
Best Regards,
SmartDude
Time to create page: 0.142 seconds