- Posts: 220
- Thank you received: 0
Detect or Block double NAT
18 years 1 week ago #16810
by Elohim
Replied by Elohim on topic Re: Detect or Block double NAT
There isn't a good way to detect double nat or even just simply NAT for that matter. You can take a stab at guessing the operating system based on the TTL and certain characteristics to determine that it's behind a NAT firewall/router but beyond that, there's not certain way to do it.
17 years 10 months ago #17926
by aLTeReGo
Replied by aLTeReGo on topic Re: Detect or Block double NAT
Detecting a double NAT is actually rather simple. For each router a packet goes though the TTL is decremented by one.
Create a SPAN/RSPAN/Port Mirror at a central point of egress.. this it usually easiest to do at the firewall. count the number of hops (routers) the client should be going though before reaching the firewall and subtract from 128. 128 is the default TTL value for a Windows 2k/XP machine. If the clients usually go though one router before reaching the firewall subtract 2 from 128. One for your router and one more for the router you are trying to find. If they shouldn't be going though any routers before the firewall look for a TTL of 127.
Now using a packet capture program such as WireShark create a capture filter that will show you only packets with a TTL of 126. This will show you the clients who are behind two routers.
WireShark display filter -> "ip.ttl == 126"
WireShark capture filter -> "ip[8] = 126"
Create a SPAN/RSPAN/Port Mirror at a central point of egress.. this it usually easiest to do at the firewall. count the number of hops (routers) the client should be going though before reaching the firewall and subtract from 128. 128 is the default TTL value for a Windows 2k/XP machine. If the clients usually go though one router before reaching the firewall subtract 2 from 128. One for your router and one more for the router you are trying to find. If they shouldn't be going though any routers before the firewall look for a TTL of 127.
Now using a packet capture program such as WireShark create a capture filter that will show you only packets with a TTL of 126. This will show you the clients who are behind two routers.
WireShark display filter -> "ip.ttl == 126"
WireShark capture filter -> "ip[8] = 126"
17 years 10 months ago #17932
by nske
Replied by nske on topic Re: Detect or Block double NAT
Indeed, however it is easy for the end router to overwrite the TTL, if the administrator wants to keep it transparent.
17 years 3 months ago #22223
by SmartDude
Overrite ttl value ? i didn't get it . Can u explain plzzz.. i know now
ttl 127 can detect NATs
Share the Knowledge, make a master being a Master...
Best Regards,
SmartDude
Replied by SmartDude on topic Re: Detect or Block double NAT
Indeed, however it is easy for the end router to overwrite the TTL, if the administrator wants to keep it transparent.
Overrite ttl value ? i didn't get it . Can u explain plzzz.. i know now
ttl 127 can detect NATs
Share the Knowledge, make a master being a Master...
Best Regards,
SmartDude
17 years 3 months ago #22224
by nske
Replied by nske on topic Re: Detect or Block double NAT
Some Packet Filtering software like Linux'
Netfilter
provide the ability to change the information of any field in the TCP/IP headers before the packet is sent on it's way.
This is called "Packet Mangling" in Linux.
So a router (or NAT gateway) running Linux could very easily set the TTL of packets originating from internal hosts to be the maximum before it forwarded them to the outside and also replace any other header information that could betray the originating TCP/IP stack, thus there would be no evidence that the packets were not send from the router itself.
I think Openbsd's PF can also do that through the Scrub option.
This is called "Packet Mangling" in Linux.
So a router (or NAT gateway) running Linux could very easily set the TTL of packets originating from internal hosts to be the maximum before it forwarded them to the outside and also replace any other header information that could betray the originating TCP/IP stack, thus there would be no evidence that the packets were not send from the router itself.
I think Openbsd's PF can also do that through the Scrub option.
Time to create page: 0.127 seconds