DNS-DNS: DNS-Based De-NAT Scheme

  • Conference paper
  • Cryptology and Network Security (CANS 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11124)

Abstract

Network Address Translation (NAT) routers aggregate the flows of multiple devices behind a single IP address. By doing so, NAT routers masquerade the original IP address, which is often viewed as a privacy feature, making it harder to identify the communication of individual devices behind the NAT. De-NAT is the reverse process: re-identifying communication flowing into and out of the NAT. De-NAT can be used for traffic management, security, and lawful surveillance.

We show how DNS requests provide an effective De-NAT mechanism by observing queries to open resolvers, in addition to ‘classical’ provider-based De-NAT. This new method allows de-NATing in cases where known schemes fail, e.g., in Windows 8 and 10, and by remote DNS resolvers. We analyze use cases where the suggested DNS-based De-NAT is effective, suggest a De-NAT algorithm and evaluate its performance on real (anonymized) traffic. Another contribution is identifying the phenomenon of drum beats, which are periodic DNS requests by popular applications and processes; these can allow long-term de-NATing, and also provide fingerprinting identifying specific devices and users. We conclude with recommendations for mitigating de-NATing.

An updated version of this article is available at https://tinyurl.com/linktoonline.


Notes

  1. Statistics at the front page of https://www.opendns.com/.


Acknowledgements

Many thanks to Amit Klein for his helpful comments. Many thanks to Roland van Rijswijk-Deij for his support during this project. This work was supported by the Israeli Ministry of Science, grant number 3-11857. Part of the data that led to this research was provided by SURFnet, the National Research and Education Network in the Netherlands, https://www.surfnet.nl/en/.

Author information

Corresponding author: Liran Orevi.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Orevi, L., Herzberg, A., Zlatokrilov, H. (2018). DNS-DNS: DNS-Based De-NAT Scheme. In: Camenisch, J., Papadimitratos, P. (eds) Cryptology and Network Security. CANS 2018. Lecture Notes in Computer Science, vol 11124. Springer, Cham. https://doi.org/10.1007/978-3-030-00434-7_4


  • DOI: https://doi.org/10.1007/978-3-030-00434-7_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00433-0

  • Online ISBN: 978-3-030-00434-7

  • eBook Packages: Computer Science (R0)
