Malicious attacks can be launched by misusing the network address translation technique as a camouflage.To mitigate such threats,network address translation identification is investigated to identify network address t...Malicious attacks can be launched by misusing the network address translation technique as a camouflage.To mitigate such threats,network address translation identification is investigated to identify network address translation devices and detect abnormal behaviors.However,existingmethods in this field are mainly developed for relatively small-scale networks and work in an offline manner,which cannot adapt to the real-time inference requirements in high-speed network scenarios.In this paper,we propose a flexible and efficient network address translation identification scheme based on actively measuring the distance of a round trip to a target with decremental time-tolive values.The basic intuition is that the incoming and outgoing traffic froma network address translation device usually experiences the different number of hops,which can be discovered by probing with dedicated time-to-live values.We explore a joint effort of parallel transmission,stateless probes,and flexible measuring reuse to accommodate the efficiency of the measuring process.We further accelerate statistical countingwith a new sublinear space data structure Bi-sketch.We implement a prototype and conduct real-world deployments with 1000 volunteers in 31 Chinese provinces,which is believed to bring insight for ground truth collection in this field.Experiments onmulti-sources datasets show that our proposal can achieve as high precision and recall as 95%with a traffic handling throughput of over 106 pps.展开更多
The transition from IPv4 to IPv6 is doomed to be a long process. The network Address translation (NAT) technology is used very popularly in IPv4 network to make up the shortage of network address. It is a desiderate...The transition from IPv4 to IPv6 is doomed to be a long process. The network Address translation (NAT) technology is used very popularly in IPv4 network to make up the shortage of network address. It is a desiderated problem to make the users behind NAT gateway to access to IPv6 networks. By studying the transition technology from IPv4 to IPv6 and introducing NAT technology in IPv6, a scenario is put forward through 6to4 tunnel The scenario is implemented and the gateway system's performance is analyzed.展开更多
End hopping is one of the good methods to defend against network attack,but has problems with network address translation(NAT) because packets sent from an unknown endpoint would be dropped by NAT.To avoid the dropp...End hopping is one of the good methods to defend against network attack,but has problems with network address translation(NAT) because packets sent from an unknown endpoint would be dropped by NAT.To avoid the dropping of packets,we propose a punching scheme:a client sends a punching packet to create mapping rules in NAT,so that the packets from the server would be able to pass through effectively with such rules.In this paper,some preliminaries and definitions are provided for building the model of end hopping.Then we discuss the main reason of such packet dropping and specify all the failure situations based on the model.What's more,we analyze how the punching scheme helps end hopping cross NAT.Finally,we validate the feasibility of this scheme with empirical results:if the client is behind a NAT and with punching scheme,the service rate increases to 100%.Therefore,our proposed scheme can greatly improve the performance of crossing NAT in end hopping with little security and computational overhead.展开更多
基金The work is supported by the National Key Research and Development Program of China(2018YFB1800202)the NUDT Research Grants(No.ZK19-38).
文摘Malicious attacks can be launched by misusing the network address translation technique as a camouflage.To mitigate such threats,network address translation identification is investigated to identify network address translation devices and detect abnormal behaviors.However,existingmethods in this field are mainly developed for relatively small-scale networks and work in an offline manner,which cannot adapt to the real-time inference requirements in high-speed network scenarios.In this paper,we propose a flexible and efficient network address translation identification scheme based on actively measuring the distance of a round trip to a target with decremental time-tolive values.The basic intuition is that the incoming and outgoing traffic froma network address translation device usually experiences the different number of hops,which can be discovered by probing with dedicated time-to-live values.We explore a joint effort of parallel transmission,stateless probes,and flexible measuring reuse to accommodate the efficiency of the measuring process.We further accelerate statistical countingwith a new sublinear space data structure Bi-sketch.We implement a prototype and conduct real-world deployments with 1000 volunteers in 31 Chinese provinces,which is believed to bring insight for ground truth collection in this field.Experiments onmulti-sources datasets show that our proposal can achieve as high precision and recall as 95%with a traffic handling throughput of over 106 pps.
文摘The transition from IPv4 to IPv6 is doomed to be a long process. The network Address translation (NAT) technology is used very popularly in IPv4 network to make up the shortage of network address. It is a desiderated problem to make the users behind NAT gateway to access to IPv6 networks. By studying the transition technology from IPv4 to IPv6 and introducing NAT technology in IPv6, a scenario is put forward through 6to4 tunnel The scenario is implemented and the gateway system's performance is analyzed.
基金Supported by the National Natural Science Foundation of China (60973141,61272423)the Specialized Research Fund for the Doctoral Program of Higher Education of China (20100031110030)the Funds of Key Lab of Fujian Province University Network Security and Cryptology (2011004)
文摘End hopping is one of the good methods to defend against network attack,but has problems with network address translation(NAT) because packets sent from an unknown endpoint would be dropped by NAT.To avoid the dropping of packets,we propose a punching scheme:a client sends a punching packet to create mapping rules in NAT,so that the packets from the server would be able to pass through effectively with such rules.In this paper,some preliminaries and definitions are provided for building the model of end hopping.Then we discuss the main reason of such packet dropping and specify all the failure situations based on the model.What's more,we analyze how the punching scheme helps end hopping cross NAT.Finally,we validate the feasibility of this scheme with empirical results:if the client is behind a NAT and with punching scheme,the service rate increases to 100%.Therefore,our proposed scheme can greatly improve the performance of crossing NAT in end hopping with little security and computational overhead.
