This week I reviewed the IPids gathered from the captured TCP packets in our closed experiment and discovered results that did not match our initial expectations. In both the packets sent from our client machine and those received from the instances behind the load balancer, the IPids did not reveal a sequential pattern as Bellovin's paper suggested.
To make sure that the test environment was not somehow altering the results, that is, to ensure that the NAT and load balancers were not overwriting IPid fields, we ran one additional test between a machine directly connected to the Internet (no NAT) and an instance in EC2 (no load balancer), but still observed the same results as before.
We then looked into the Linux Kernel to see exactly how the IPid of TCP packets is initialized. This revealed that earlier versions of the Linux Kernel did in fact use a global counter to set the IPid, but starting from version 2.4.0 onward the IPid is unique per socket connection. Most likely the results in Bellovin's paper were from one of those earlier versions of the Linux Kernel.
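To make the comparison concrete, here is an added example (not the paper's or this project's code) that runs a sequence-counting heuristic over two constructed captures: one where each host uses a single kernel-wide counter, as the text says older kernels did, and one where every connection has its own counter, as described for 2.4.0 onward. All traffic values are constructed, and the greedy gap-threshold splitting is a simplified stand-in for the paper's heuristic, not its exact algorithm.

```python
"""Added example: IP ID sequence counting over two constructed traffic
models. Not the paper's or the project's own code."""
import random

IPID_MOD = 1 << 16  # the IP ID field is 16 bits wide and wraps


def count_ipid_sequences(ipids, max_gap=8):
    """Greedily split observed IP IDs into the fewest increasing sequences.
    Under a global-counter model each sequence stands for one host. An ID
    extends the sequence whose last value lies at most max_gap below it
    (mod 2^16), picking the nearest such sequence; otherwise it starts one."""
    last_seen = []  # last IP ID attributed to each sequence
    for ipid in ipids:
        best, best_gap = None, None
        for i, last in enumerate(last_seen):
            gap = (ipid - last) % IPID_MOD
            if 0 < gap <= max_gap and (best is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            last_seen.append(ipid)
        else:
            last_seen[best] = ipid
    return len(last_seen)


def _interleave(counters, n_packets, seed=7):
    """Constructed capture: each packet comes from a randomly chosen counter
    and carries its post-increment value, as seen outside a NAT."""
    rng = random.Random(seed)
    capture = []
    for _ in range(n_packets):
        k = rng.randrange(len(counters))
        counters[k] = (counters[k] + 1) % IPID_MOD
        capture.append(counters[k])
    return capture


def capture_global_counter(n_hosts, n_packets=300):
    """Pre-2.4 model from the text: one kernel-wide counter per host.
    Constructed start values sit far apart so sequences never touch."""
    return _interleave([h * 20000 + 100 for h in range(n_hosts)], n_packets)


def capture_per_connection(n_hosts, conns_per_host, n_packets=300):
    """Per-socket model from the text: every connection has its own counter,
    so the capture holds n_hosts * conns_per_host independent sequences."""
    starts = [h * 20000 + c * 4000 + 100
              for h in range(n_hosts) for c in range(conns_per_host)]
    return _interleave(starts, n_packets)
```

With three hosts, the global-counter capture yields three sequences, while the per-connection capture with four connections per host yields twelve, so the count tracks connections rather than hosts.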
As a conclusion, we have determined that counting the number of IPid sequences is no longer a feasible technique to discover hosts behind a NAT or load balancer. Next week, we will continue to brainstorm and search for new techniques.