In order to find alternative techniques, we searched for papers that cite Bellovin's paper on counting NATted hosts. We found and read a few promising papers (listed at the bottom of this post) that use TCP timestamps to identify active hosts behind a NAT device. The basic idea is that every machine's clock runs at a slightly different rate, so the TCP timestamp value (TSval) a host stamps into its packets drifts against an observer's clock at a rate that is characteristic of that host: its clock skew. The skew is estimated from the observed TSval values, the observer's system time, and the host's timestamp clock frequency (and a few other variables, of course), and packets whose skews differ come from different hosts. The papers that use this technique, or slight variations of it, report reasonable success in counting hosts.
We decided we would need to run a few controlled experiments to see whether this technique applies to load balancers as well. One potential concern is that the load balancer may rewrite the TCP timestamp option in packets coming from the back-end servers (or strip it entirely), in which case our client would only be able to measure the clock skew of the load balancer itself and could not tell the back-end hosts apart. A simple check for this is to open many separate connections and compare the skews measured on each: if every connection yields the same skew, the timestamps are most likely coming from a single clock rather than from distinct back ends.
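As an added illustration (not code from the original post or from the cited papers), the following Python script applies the clock-skew technique described above to constructed data. It simulates several TCP flows from three back-end hosts with distinct timestamp clocks, estimates each flow's TSval frequency and its skew relative to the observer's clock with a least-squares fit (a simplification chosen here; the cited papers use a linear-programming bound and related refinements), then clusters flows by (frequency, skew) to count hosts. The `lb_rewrites_tsval` switch models the concern above: when every packet is stamped from the load balancer's own clock, all flows collapse into a single cluster. The host names, clock rates, skew values, path delay, and the 5 ppm clustering tolerance are all assumptions made for the example.

```python
import random

TS_MASK = 0xFFFFFFFF
# Nominal TCP timestamp tick rates (Hz) to snap estimates to; an assumption for this example.
KNOWN_HZ = (100, 250, 1000)


def tsdelta(v, v0):
    """Forward difference of two 32-bit TSval counters, tolerating wrap-around."""
    return (v - v0) & TS_MASK


def estimate_hz(samples):
    """Snap the observed TSval rate (ticks per observer-second) to the nearest nominal rate."""
    (t0, v0), (tn, vn) = samples[0], samples[-1]
    rate = tsdelta(vn, v0) / (tn - t0)
    return min(KNOWN_HZ, key=lambda h: abs(h - rate))


def estimate_skew_ppm(samples, hz=None):
    """Least-squares estimate of a host's clock skew relative to the observer.

    samples: list of (observer_time_seconds, tsval) for one flow, in arrival order.
    Returns (hz, skew_ppm); positive skew means the host's timestamp clock runs fast.
    """
    hz = hz or estimate_hz(samples)
    t0, v0 = samples[0]
    xs = [t - t0 for t, _ in samples]                                  # observer elapsed time
    ys = [tsdelta(v, v0) / hz - x for (_, v), x in zip(samples, xs)]  # offset drift in seconds
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return hz, sxy / sxx * 1e6


def count_hosts(flows, tol_ppm=5.0):
    """Group flows whose (hz, skew) agree within tol_ppm: one group per distinct clock."""
    clusters = []
    for fid, samples in flows.items():
        hz, skew = estimate_skew_ppm(samples)
        for c in clusters:
            if c["hz"] == hz and abs(c["skew"] - skew) <= tol_ppm:
                c["flows"].append(fid)
                break
        else:
            clusters.append({"hz": hz, "skew": skew, "flows": [fid]})
    return clusters


# ---- constructed input: a simulated load balancer in front of three back ends ----

def make_flow(rng, hz, skew_ppm, base_tsval, t_start=0.0, duration_s=600, interval_s=1.0):
    """One flow's (observer_time, tsval) samples from a host whose clock ticks at hz*(1+skew)."""
    rng = rng or random.Random(0)
    samples = []
    for k in range(int(duration_s / interval_s) + 1):
        t = t_start + k * interval_s
        tsval = (base_tsval + int(hz * (1 + skew_ppm * 1e-6) * t)) & TS_MASK
        observed = t + 0.020 + rng.uniform(0.0, 0.005)  # assumed 20 ms path delay plus jitter
        samples.append((observed, tsval))
    return samples


def simulate_flows(lb_rewrites_tsval=False, seed=1):
    """Six flows spread over back ends A, B, C; the (hz, skew_ppm) values are invented."""
    rng = random.Random(seed)
    backends = {"A": (1000, 50.0), "B": (1000, -30.0), "C": (250, 80.0)}
    lb_clock = (1000, 12.0)
    bases = {name: rng.randrange(0, 2 ** 32) for name in ("A", "B", "C", "LB")}
    flows = {}
    for i, backend in enumerate("ABCABC"):
        name, clock = ("LB", lb_clock) if lb_rewrites_tsval else (backend, backends[backend])
        flows[f"flow{i}"] = make_flow(rng, *clock, bases[name], t_start=37.0 * i)
    return flows


if __name__ == "__main__":
    for rewrite in (False, True):
        clusters = count_hosts(simulate_flows(lb_rewrites_tsval=rewrite))
        print(f"LB rewrites TSval={rewrite}: {len(clusters)} distinct clock(s)")
        for c in clusters:
            print(f"  {c['hz']:>5} Hz  skew {c['skew']:+7.2f} ppm  flows {c['flows']}")
```

Two things to keep in mind when running this against real traffic instead of the constructed flows: the fit needs enough elapsed time for the skew (tens of ppm) to outgrow network jitter (milliseconds), so short connections give unusable estimates, and hosts whose timestamp clocks happen to share the same nominal rate and a skew within the tolerance will be merged into one cluster, so the count is a lower bound.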
In addition to the controlled experiments, I will also write a script to fetch and diff pages from sites known to be using load balancing (identified in a previous paper).
1 – Approximating the Number of Active Nodes Behind a NAT Device
2 – IP Agnostic Real-Time Traffic Filtering and Host Identification Using TCP Timestamps
3 – Remote Physical Device Fingerprinting