DNS-DNS: DNS-Based De-NAT Scheme

  • Conference paper
  • Cryptology and Network Security (CANS 2018)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11124)

Abstract

Network Address Translation (NAT) routers aggregate the flows of multiple devices behind a single IP address. By doing so, NAT routers masquerade the original IP address, which is often viewed as a privacy feature, since it makes it harder to identify the communication of individual devices behind the NAT. De-NAT is the reverse process: re-identifying the communication flowing into and out of the NAT. De-NAT can be used for traffic management, security, and lawful surveillance.

We show how DNS requests provide an effective De-NAT mechanism by observing queries to an open resolver, in addition to ‘classical’ provider-based De-NAT. This new method allows de-NATing in cases where known schemes fail, e.g., for Windows 8 and 10 hosts, and by remote DNS resolvers. We analyze use cases where the suggested DNS-based De-NAT is effective, propose a De-NAT algorithm, and evaluate its performance on real (anonymized) traffic. Another contribution is identifying the phenomenon of drum beats: periodic DNS requests issued by popular applications and processes. Drum beats allow long-term de-NATing and also provide fingerprints that identify specific devices and users. We conclude with recommendations for mitigating de-NATing.
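
Added illustration, not the paper's code or algorithm: how drum beats (periodic queries for one name, seen from one NAT address) expose the number of devices behind that address, which is the leak the abstract describes. The log entries, the source address 203.0.113.7, the name telemetry.example.com, the 300-second period and the 5-second jitter tolerance are all constructed assumptions.

```python
from collections import Counter, defaultdict

BIN = 5  # seconds of timer jitter tolerated when binning gaps and phases (assumption)


def build_sample_log(period, phases, n_beats, jitter_seq):
    """Constructed sample log of (time, src_ip, qname): every entry in `phases` is
    one device's timer offset behind the same NAT address; jitter is deterministic."""
    log = []
    for dev, phase in enumerate(phases):
        for n in range(n_beats):
            j = jitter_seq[(dev * n_beats + n) % len(jitter_seq)]
            log.append((phase + n * period + j, "203.0.113.7", "telemetry.example.com"))
    return sorted(log)


def estimate_period(times):
    """Queries from one device are exactly one period apart, so with several devices
    interleaved the true period is the most frequent binned pairwise gap."""
    gaps = Counter()
    for i, a in enumerate(times):
        for b in times[i + 1:]:
            gaps[round((b - a) / BIN) * BIN] += 1
    return gaps.most_common(1)[0][0]


def count_devices(times, period):
    """Fold timestamps onto one period: each distinct phase cluster is one timer,
    hence one device. Phases within BIN of each other are merged."""
    clusters = []
    for p in sorted(t % period for t in times):
        if clusters and p - clusters[-1][-1] <= BIN:
            clusters[-1].append(p)
        else:
            clusters.append([p])
    # A phase just below `period` and one just above 0 belong to the same timer.
    if len(clusters) > 1 and clusters[0][0] + period - clusters[-1][-1] <= BIN:
        clusters[0] = clusters.pop() + clusters[0]
    return len(clusters)


def denat_drum_beats(log, min_queries=4):
    """Per (src_ip, qname) with enough queries: (estimated period, device count)."""
    by_key = defaultdict(list)
    for t, src, qname in log:
        by_key[(src, qname)].append(t)
    out = {}
    for key, ts in by_key.items():
        if len(ts) >= min_queries:
            p = estimate_period(sorted(ts))
            out[key] = (p, count_devices(ts, p))
    return out
```

Two devices sharing the NAT address but starting their timers at different moments show up as two phase clusters, which is what makes a single shared IP address de-NATable from DNS traffic alone.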

An updated version of this article is available at https://tinyurl.com/linktoonline.

Acknowledgements

Many thanks to Amit Klein for his helpful comments. Many thanks to Roland van Rijswijk-Deij for his support during this project. This work was supported by the Israeli Ministry of Science, grant number 3-11857. Part of the data that led to this research was provided by SURFnet, the National Research and Education Network in the Netherlands, https://www.surfnet.nl/en/.

Author information

Corresponding author: Liran Orevi.

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Orevi, L., Herzberg, A., Zlatokrilov, H. (2018). DNS-DNS: DNS-Based De-NAT Scheme. In: Camenisch, J., Papadimitratos, P. (eds) Cryptology and Network Security. CANS 2018. Lecture Notes in Computer Science, vol 11124. Springer, Cham. https://doi.org/10.1007/978-3-030-00434-7_4

  • DOI: https://doi.org/10.1007/978-3-030-00434-7_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00433-0

  • Online ISBN: 978-3-030-00434-7
