Re: NAT detection
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NAT detection
- From: Mike Shaw <mshaw_(_at_)_wwisp_(_dot_)_com>
- Date: Wed, 04 Dec 2002 09:57:42 -0600
A buddy of mine who works for a local branch of a cable co. described how
they monitor in his particular situation. With this company, it's not at
the local level, but at the regional NOC.
While most of the identification techniques listed so far are nifty, it
would be pretty pointless to use these techniques en masse. Most people on
this list are sysadmins of some sort, so given the task by management, how
would you peg the people who are 'abusing' service? I would do some
statistical analysis of the traffic, and look for massive abusers. People
who are sharing 802.11b APs to an apartment complex or something will light
up like a red flag in sheer bandwidth use. People who are using VPNs or
other problem protocols will have a lot of port-specific traffic. How are
you going to distinguish between someone who has set up a regular web
server for hosting and someone who is hacking up a high school project with
FrontPage? Simple, the people who get bunches o' port 80 traffic to their
web server are hosting.
This is the most effective way to do it. Look for the bad boys with
traffic analysis, then use the more in-depth techniques to verify that
they're abusing TOS. If the cable companies try doing this stuff en masse,
it will only hurt them in the long run. So be it if they do.
-Mike
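
The two-stage triage described in the message above, sketched as an added example (not part of the original post): flag subscribers whose total volume is a statistical outlier or whose traffic is mostly inbound connections to port 80, and leave per-host verification for that short list. The flow tuple layout, subscriber names, thresholds and the median/MAD outlier test are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (subscriber, initiator, server_port, megabytes).
# "remote" means the connection came in to a service on the subscriber's side.
FLOWS = [
    ("sub-a", "local", 80, 900), ("sub-b", "local", 80, 1100),
    ("sub-c", "local", 443, 1000), ("sub-d", "local", 80, 1200),
    ("sub-e", "local", 25, 950), ("sub-f", "local", 80, 1050),
    ("sub-g", "local", 80, 40000),                       # very heavy user
    ("sub-h", "local", 80, 150), ("sub-h", "remote", 80, 850),  # serves port 80
]

def summarize(flows):
    """Per-subscriber total volume and volume served on inbound port 80."""
    stats = defaultdict(lambda: {"total": 0, "served_80": 0})
    for sub, initiator, port, mb in flows:
        stats[sub]["total"] += mb
        if initiator == "remote" and port == 80:
            stats[sub]["served_80"] += mb
    return dict(stats)

def triage(flows, z_cut=3.5, served_share=0.5):
    """Return {subscriber: [reasons]} worth a closer, per-host look."""
    stats = summarize(flows)
    totals = [s["total"] for s in stats.values()]
    med = median(totals)
    mad = median(abs(t - med) for t in totals) or 1  # avoid divide-by-zero
    flagged = defaultdict(list)
    for sub, s in stats.items():
        # Modified z-score: robust to the outliers we are trying to find.
        if 0.6745 * (s["total"] - med) / mad > z_cut:
            flagged[sub].append("volume outlier")
        # Most of this subscriber's traffic answers inbound port 80 requests.
        if s["total"] and s["served_80"] / s["total"] >= served_share:
            flagged[sub].append("inbound port 80")
    return dict(flagged)

if __name__ == "__main__":
    for sub, reasons in sorted(triage(FLOWS).items()):
        print(sub, ", ".join(reasons))
```

The median and MAD are used instead of mean and standard deviation because a single very heavy user would otherwise inflate the baseline and hide itself.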