
What methods exist for enumerating devices behind a NAT from the upstream connection? I found sFlow, which uses TTL values. Are there other ways? I think this is partially related to OS fingerprinting, but from OS fingerprinting alone you would probably not know about multiple machines using the same OS.

What could you do to prevent enumeration? I think a proxy intercepting all connections would work. A problem might be UDP and maybe TCP cleartext traffic. Could something like Snort or Suricata kind of equalize traffic so it looks like it all comes from a single machine?

    Does this answer your question? [How I can hide from my ISP that I have created a hotspot?](/questions/221508/), [Can ISP distinguish/identify devices behind NAT?](/questions/187195) – Steffen Ullrich Nov 05 '21 at 08:14
  • *"Could something like snort or suricata kind of equalize traffic so it looks like it comes all just from a single machine?"* - these are either passive (no forwarding) or forward the packets as they are and thus don't provide any kind of protection against NAT enumeration. – Steffen Ullrich Nov 05 '21 at 08:16
  • Ways to prevent NAT enumeration highly depend on what the devices behind the NAT actually do - which is unknown in your case. HTTP, TCP, UDP ... proxies can help a lot with enumeration at layer 3/4, but don't prevent enumeration at a higher level - like seeing HTTP access patterns which are not caused by a single user. – Steffen Ullrich Nov 05 '21 at 08:23
  • Yes, these links partially answer my question. I am assuming a normal home network with notebook, PC, smartphone, IoT devices. How would HTTP stick out? Would a normal proxy already work or does it need to use TLS interception? What could be done about UDP traffic? – ashrafkhan Nov 05 '21 at 17:12
  • *"How would HTTP stick out?"* - for example checking the number of parallel HTTP connections to the same hosts - browsers limit these, so more than the usual number of connections means more than one browser and thus likely more than one device. *"What could be done about UDP traffic?"* - transparent proxies can be implemented for UDP too, although not common. The best way is probably just to use a VPN at the NAT router to pass through the untrusted networks which want to do NAT enumeration. It will still be possible to do this at the VPN endpoint though, so this should be trusted. – Steffen Ullrich Nov 05 '21 at 17:27
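
The two signals discussed in the thread (distinct initial TTLs, and more parallel connections to one host than a single browser opens) can be checked against your own NAT's egress traffic before an upstream observer does. The following is an added example, not code from the question or the comments: it runs both heuristics over constructed flow records and then models TTL rewriting at the router to show that it removes the layer-3 signal but leaves the HTTP-level pattern intact. The initial-TTL table, the per-host browser limit of 6 and the flow data are assumptions.

```python
from collections import Counter, defaultdict

INITIAL_TTLS = (64, 128, 255)   # common OS default initial TTLs (assumption)
BROWSER_LIMIT = 6               # typical per-host browser connection limit (assumption)

# Constructed sample: flows as seen on the upstream side of a home NAT.
# (src_port, ttl, dst_host, t_start, t_end); the router already decremented TTL by one.
FLOWS = [
    (40001, 63, "cdn.example", 0.0, 2.0),
    (40002, 63, "cdn.example", 0.1, 2.5),
    (40003, 63, "cdn.example", 0.2, 2.0),
    (40004, 63, "cdn.example", 0.2, 1.5),
    (40005, 63, "cdn.example", 0.3, 3.0),
    (40006, 63, "cdn.example", 0.3, 2.2),
    (40007, 127, "cdn.example", 0.4, 2.0),
    (40008, 127, "cdn.example", 0.4, 1.8),
    (40009, 254, "iot.example", 1.0, 1.1),
]

def initial_ttl(observed):
    """Map an observed TTL to the nearest common initial TTL at or above it."""
    return next((t for t in INITIAL_TTLS if observed <= t), observed)

def ttl_classes(flows):
    """Flows per inferred initial TTL; the number of keys is a lower bound on distinct OS stacks."""
    return dict(Counter(initial_ttl(f[1]) for f in flows))

def max_parallel(flows):
    """Peak number of simultaneously open flows per destination host (sweep over start/end events)."""
    events, peak = defaultdict(list), defaultdict(int)
    for _, _, dst, start, end in flows:
        events[dst] += [(start, 1), (end, -1)]
    for dst, evs in events.items():
        open_flows = 0
        for _, delta in sorted(evs):   # at equal times -1 sorts first, so an end closes before a start opens
            open_flows += delta
            peak[dst] = max(peak[dst], open_flows)
    return dict(peak)

def suspicious_hosts(flows, limit=BROWSER_LIMIT):
    """Destinations whose peak parallelism exceeds what one browser would open."""
    return [dst for dst, n in max_parallel(flows).items() if n > limit]

def normalise_ttl(flows, fixed=64):
    """Model a router that rewrites the TTL of every forwarded packet to one fixed value."""
    return [(port, fixed, dst, start, end) for port, _, dst, start, end in flows]
```

On the sample, `ttl_classes` reports three TTL classes and `suspicious_hosts` flags `cdn.example`; after `normalise_ttl` only one TTL class remains, but `cdn.example` is still flagged, which is the layer-3-versus-application-layer point made in the comments.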
