Abstract

Malicious attacks can be launched by misusing the network address translation technique as a camouflage. To mitigate such threats, network address translation identification is investigated to identify network address translation devices and detect abnormal behaviors. However, existing methods in this field are mainly developed for relatively small-scale networks and work in an offline manner, which cannot adapt to the real-time inference requirements of high-speed network scenarios. In this paper, we propose a flexible and efficient network address translation identification scheme based on actively measuring the round-trip distance to a target with decremental time-to-live values. The basic intuition is that the incoming and outgoing traffic of a network address translation device usually experiences a different number of hops, which can be discovered by probing with dedicated time-to-live values. We explore a joint effort of parallel transmission, stateless probes, and flexible measuring reuse to improve the efficiency of the measuring process. We further accelerate statistical counting with a new sublinear-space data structure, Bi-sketch. We implement a prototype and conduct real-world deployments with 1000 volunteers in 31 Chinese provinces, which is believed to bring insight for ground-truth collection in this field. Experiments on multi-source datasets show that our proposal can achieve precision and recall as high as 95% with a traffic-handling throughput of over 10^6 pps.
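The hop-count intuition stated in the abstract can be illustrated with a small simulation. The following is an added toy model, not the paper's ADT algorithm or its prototype code. It assumes that every transit router and the NAT box decrement TTL and answer with an ICMP time-exceeded from their own address when TTL reaches zero, that the NAT box forwards probes to the host behind it and rewrites that host's replies to its public IP, and that an end host accepts any probe that reaches it. The names Path, probe, measure and classify, and the 203.0.113.x addresses, are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed toy model of the decremental-TTL intuition (assumptions):
# - each transit router decrements TTL; at TTL 0 it sends "time exceeded"
#   from its own address and drops the probe;
# - a NAT box behaves like a router for TTL, then forwards the probe to
#   the internal host and rewrites the host's reply to its public IP;
# - a plain end host accepts whatever reaches it and replies directly.
# Real devices may drop probes or answer themselves, so a real scheme
# needs more signals than this single discrepancy.


@dataclass
class Path:
    routers: int      # transit routers between the prober and the public IP
    nat: bool         # True if the public IP is a NAT box with a host behind it
    public_ip: str    # the address the prober actually sees


def probe(path: Path, ttl: int) -> Tuple[str, str]:
    """Send one probe with the given TTL.

    Returns (kind, source): kind is 'exceeded' for an ICMP time-exceeded
    or 'reply' for an answer from the target; source is the IP it came from.
    """
    hop = ttl
    for r in range(1, path.routers + 1):
        hop -= 1
        if hop == 0:
            return ("exceeded", f"router{r}")
    # The probe now arrives at the public IP.
    if not path.nat:
        return ("reply", path.public_ip)      # end host accepts the packet
    hop -= 1                                  # NAT box decrements and forwards
    if hop == 0:
        return ("exceeded", path.public_ip)   # expired on the NAT box itself
    return ("reply", path.public_ip)          # internal host answers; NAT rewrites source


def measure(path: Path, max_ttl: int = 32) -> Dict[str, Optional[int]]:
    """Decremental TTL sweep.

    Starting from a large TTL and counting down, record the smallest TTL that
    still yields a reply and the TTL at which a time-exceeded sourced from the
    public IP itself appears. The sweep stops at the first non-reply after a
    reply has been seen, which is why decremental probing needs few packets.
    """
    reply_ttl: Optional[int] = None
    exceeded_from_target: Optional[int] = None
    for ttl in range(max_ttl, 0, -1):
        kind, src = probe(path, ttl)
        if kind == "reply":
            reply_ttl = ttl
            continue
        if src == path.public_ip:
            exceeded_from_target = ttl
        if reply_ttl is not None:
            break
    return {"reply_ttl": reply_ttl, "exceeded_from_target_ttl": exceeded_from_target}


def classify(m: Dict[str, Optional[int]]) -> str:
    """A reply needing one more hop than a time-exceeded from the same IP
    means the address forwards traffic to something behind it."""
    if m["reply_ttl"] is None:
        return "unreachable"
    exceeded = m["exceeded_from_target_ttl"]
    if exceeded is not None and m["reply_ttl"] > exceeded:
        return "nat"
    return "direct"


if __name__ == "__main__":
    for path in (Path(5, True, "203.0.113.7"), Path(5, False, "203.0.113.8")):
        m = measure(path)
        print(path.public_ip, m, classify(m))
```

In the model, a host five routers away answers at TTL 6 and never produces a time-exceeded from its own address, whereas a NAT box five routers away expires probes at TTL 6 and only the host behind it answers at TTL 7; the one-hop discrepancy between the two events is the signal the abstract describes.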

Highlights

  • Involving long-term measuring for a single IP results in considerable storage and computing costs

  • As a widely adopted protocol, network address translation (i.e., NAT), known as IP masquerading, provides transparent routing to hosts by mapping IP addresses from one realm to another [1]

  • We propose a flexible and efficient NAT identification scheme that can adapt to large-scale networks and fluctuating traffic

Summary

Introduction

Involving long-term measuring for a single IP results in considerable storage and computing costs. Considering these limitations, we point out that these efforts are predominantly designed to work offline for small-scale networks and cannot scale to large-scale NAT identification in real time. Note that existing techniques test their proposals on offline datasets due to the lack of NAT-labeled traffic. To fill this gap, we implement a prototype and deploy it in real-world networks during the evaluation. We implement a comprehensive NAT identification scheme integrating the proposed Active Decremental TTL-based (ADT) algorithm and several innovative mechanisms (i.e., parallel transmission, stateless probes, measuring reuse and data approximation). Targeted at the lack of NAT-labeled traffic datasets, we design a lightweight prototype by recruiting around 1000 volunteers from 31 Chinese provinces.

Observations on TTL
Related Work
The Proposed Scheme
Design for an Efficient Implementation
The Prototype
Accuracy Evaluation
Efficiency Evaluation
Real Large-Scale Network Deployment
Findings
Conclusion