Funding: This work is supported by the National Key Research and Development Program of China (2018YFB1800202) and the NUDT Research Grants (No. ZK19-38).
Abstract: Malicious attacks can be launched by misusing the network address translation technique as a camouflage. To mitigate such threats, network address translation identification is investigated to identify network address translation devices and detect abnormal behaviors. However, existing methods in this field are mainly developed for relatively small-scale networks and work in an offline manner, which cannot adapt to the real-time inference requirements of high-speed network scenarios. In this paper, we propose a flexible and efficient network address translation identification scheme based on actively measuring the round-trip distance to a target with decremental time-to-live values. The basic intuition is that the incoming and outgoing traffic of a network address translation device usually experiences a different number of hops, which can be discovered by probing with dedicated time-to-live values. We explore a joint effort of parallel transmission, stateless probes, and flexible measurement reuse to improve the efficiency of the measuring process. We further accelerate statistical counting with a new sublinear-space data structure, Bi-sketch. We implement a prototype and conduct real-world deployments with 1000 volunteers in 31 Chinese provinces, which is believed to bring insight for ground truth collection in this field. Experiments on multi-source datasets show that our proposal can achieve precision and recall as high as 95% with a traffic handling throughput of over 10^6 pps.
Funding: This work is supported by the National Key Research and Development Program of China (2018YFB1800202, 2018YFB0204301, 2016YFB1000302, SQ2019ZD090149).
Abstract: Alias resolution, mapping IP addresses to routers, is a critical step in obtaining a network topology. The latest work on alias resolution is based on special fields in the packet, such as IP ID, port number, etc. However, for security reasons, most network devices block packets that set options, and some related fields exist only in IPv4, so these methods cannot be used for alias resolution of IPv6. In order to solve the above problems, we propose an alias analysis method based on delay sequence analysis. In this article, we present a new model to describe the distribution of Internet delays and give a mathematical proof. After experimental measurements using the Macroscopic Internet Topology Data Kit (ITDK) and the Ark IPv6 Topology Dataset, it was found that the statistical differences in most alias delay models were very small, while the statistical differences in the non-alias delay models are spread over a wide range. Using wavelet decomposition of the delay sequence, it was found that the approximate components and the detail components of the delay sequences of aliases were the same after filtering out the noise, which provides a theoretical explanation for the experimental results. This technology is applicable to both IPv4 and IPv6.