Skip to main content

Detect or Block double NAT

More
18 years 2 months ago #16810 by Elohim
There isn't a good way to detect double nat or even just simply NAT for that matter. You can take a stab at guessing the operating system based on the TTL and certain characteristics to determine that it's behind a NAT firewall/router but beyond that, there's not certain way to do it.
More
18 years 2 weeks ago #17926 by aLTeReGo
Detecting a double NAT is actually rather simple. For each router a packet goes though the TTL is decremented by one.

Create a SPAN/RSPAN/Port Mirror at a central point of egress.. this it usually easiest to do at the firewall. count the number of hops (routers) the client should be going though before reaching the firewall and subtract from 128. 128 is the default TTL value for a Windows 2k/XP machine. If the clients usually go though one router before reaching the firewall subtract 2 from 128. One for your router and one more for the router you are trying to find. If they shouldn't be going though any routers before the firewall look for a TTL of 127.

Now using a packet capture program such as WireShark create a capture filter that will show you only packets with a TTL of 126. This will show you the clients who are behind two routers.

WireShark display filter -> "ip.ttl == 126"
WireShark capture filter -> "ip[8] = 126"
More
18 years 2 weeks ago #17932 by nske
Replied by nske on topic Re: Detect or Block double NAT
Indeed, however it is easy for the end router to overwrite the TTL, if the administrator wants to keep it transparent.
More
17 years 5 months ago #22223 by SmartDude

Indeed, however it is easy for the end router to overwrite the TTL, if the administrator wants to keep it transparent.


Overrite ttl value ? i didn't get it . Can u explain plzzz.. i know now
ttl 127 can detect NATs

Share the Knowledge, make a master being a Master...
Best Regards,
SmartDude
More
17 years 5 months ago #22224 by nske
Replied by nske on topic Re: Detect or Block double NAT
Some Packet Filtering software like Linux' Netfilter provide the ability to change the information of any field in the TCP/IP headers before the packet is sent on it's way.

This is called "Packet Mangling" in Linux.

So a router (or NAT gateway) running Linux could very easily set the TTL of packets originating from internal hosts to be the maximum before it forwarded them to the outside and also replace any other header information that could betray the originating TCP/IP stack, thus there would be no evidence that the packets were not send from the router itself.

I think Openbsd's PF can also do that through the Scrub option.
Time to create page: 0.128 seconds