Security of Czech army information and communication systems - On-line monitoring, Visualization and Packet Filtration. Computer Incident Response Capability Development in the Cyber Defence EnvironmentDetection of NAT devices

The use of unauthorized NAT (Network Address Translation) device in the administrated network introduces serious security issues. This threat was one of the research areas of the CYBER project in 2009.

This research resulted in NfSen plugin named natdet, which detects suspicious NAT devices in network using combination of several detection methods. Some known methods had to be modified for use with NetFlow data, some methods were newly developed.

  • TTL method detects NAT devices by identification of different TTL values introduced by various OSes behind the NAT device.
  • IP ID method identifies IP ID sequences in the communication from particular host revealing possible NAT device.
  • Subnet TTL method performs analysis of TTL destributiou over the inspected subnet and identifies NAT devices by the analysis of the deviation in the TTL distribution.
  • TCP SYN method detects NAT devices by the identification of various length of TCP SYN packet introduced by various OSes behind the NAT device. This method adopts a passive fingerprinting technique.
  • Port sequences method analyses various port sequences in the communication from particular host, which can indicate more hosts hidden behind NAT device.

Results of these methods are then aggregated in order to minimize false positive and false negative rates. Presented NAT detection system was evaluated both at laboratory environment and at the real campus network.


natdet screenshot


Natdet plugin version 1.0.0