How to identify non-host based devices:

1) check out MAC-address ranges
2) count flows/IP to determine if this pattern appears to be legit. (This in theory could also be done to prevent file sharing systems that keep a large number of peer-to-peer connections.)
3) port/IP based filtering

I suspect that for the people who went out and bought the Linksys/other routers that want to link up their two home computers you will see a few that just say "hey, it's just another $5/mo and I don't have to worry about this device I got at Fry's/Best Buy/CompUSA/whatnot that I don't really understand".

There's [almost always] a way to beat any system.

I think they are just trying to reduce the support costs of people with these devices at a time when they are getting bad PR (at least here in MI) about the switchover from @home -> Comcast. The uninitiated will blame Comcast when it's their router/NAT/whatnot unit.

- jared

On Thu, Jan 31, 2002 at 04:44:59PM -0500, David Charlap wrote:
Keith Woodworth wrote:
From a technical standpoint how does one detect NAT users over the network?
You can't deterministically do so, but there are some telltale signs. NAT implementations (at least the ones I've seen) tend to choose very large port numbers (above 30,000) for the ports that they generate.
Of course, this can happen without NAT. And it is possible to write NAT stacks that choose low-numbered ports (it's trivially easy to make this change in the Linux IPMASQ code, for instance.)
Anybody who tries to detect NAT through these kinds of heuristic methods will end up with a lot of false positives and false negatives. And if it becomes a problem, the NAT implementors will simply alter their code to make it impossible to distinguish from a single host's traffic.
-- David
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++;     | http://puck.nether.net/~jared/  My statements are only mine.
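The three heuristics in Jared's list (vendor MAC ranges, flow counts per IP, port-based patterns) and David's observation that NAT boxes tend to pick source ports above 30,000, combined into one scoring pass over flow records. This is an added example, not code from the original thread or from any of the people quoted in it; the flow records, MAC addresses, the "router vendor" OUI prefix and the thresholds are all constructed for illustration. The third customer IP is a single host running a peer-to-peer client, included to show the false positive David warns about:

```python
from collections import defaultdict

# Constructed flow records (hypothetical MACs, RFC 5737 test addresses,
# made-up ports). Each tuple: (src_mac, src_ip, src_port, dst_ip, dst_port).
FLOWS = (
    # 10.0.0.1: one host, a handful of flows, low source ports
    [("00:aa:00:00:00:01", "10.0.0.1", 1034 + i, f"192.0.2.{10 + i}", 80)
     for i in range(3)]
    # 10.0.0.2: a home router (constructed vendor OUI), many flows, high ports
    + [("00:bb:00:00:00:02", "10.0.0.2", 40001 + i, f"192.0.2.{20 + i}", 80)
       for i in range(6)]
    # 10.0.0.3: one host running a peer-to-peer client; ordinary NIC vendor
    # but many flows on high ports, so two of three heuristics still fire
    + [("00:aa:00:00:00:03", "10.0.0.3", 50001 + i, f"192.0.2.{30 + i}", 6881)
       for i in range(6)]
)

# Constructed OUI (first three octets of the MAC) standing in for the vendor
# ranges Jared mentions. Placeholder prefix, not a real IEEE assignment.
ROUTER_OUIS = {"00:bb:00"}

HIGH_PORT = 30000        # David's observed cut-off for NAT-generated ports
FLOW_THRESHOLD = 5       # distinct destinations before "a lot of flows"
HIGH_PORT_RATIO = 0.8    # share of flows above HIGH_PORT to count as a hit
NAT_SCORE = 2            # how many heuristics must agree


def score_flows(flows, router_ouis=ROUTER_OUIS):
    """Apply the three heuristics per source IP and return a score sheet.

    The result is a dict keyed by source IP with the individual heuristic
    verdicts, the combined score and a coarse label. As the thread points
    out, none of these signals is conclusive on its own.
    """
    by_ip = defaultdict(list)
    for mac, ip, sport, dip, dport in flows:
        by_ip[ip].append((mac, sport, dip, dport))

    results = {}
    for ip, recs in by_ip.items():
        # 1) MAC-address range: does the source MAC belong to a router vendor?
        ouis = {mac[:8].lower() for mac, _, _, _ in recs}
        oui_hit = any(oui in router_ouis for oui in ouis)

        # 2) Flow count per IP: how many distinct destinations in the window?
        distinct_dsts = {(dip, dport) for _, _, dip, dport in recs}
        many_flows = len(distinct_dsts) >= FLOW_THRESHOLD

        # 3) Port pattern: share of source ports in the high range NAT
        #    implementations tend to use.
        high = sum(1 for _, sport, _, _ in recs if sport > HIGH_PORT)
        high_ratio = high / len(recs)
        high_ports = high_ratio >= HIGH_PORT_RATIO

        score = int(oui_hit) + int(many_flows) + int(high_ports)
        results[ip] = {
            "oui_hit": oui_hit,
            "many_flows": many_flows,
            "high_ports": high_ports,
            "score": score,
            "verdict": "likely NAT" if score >= NAT_SCORE else "probably single host",
        }
    return results


if __name__ == "__main__":
    for ip, r in score_flows(FLOWS).items():
        print(f"{ip}: score={r['score']} verdict={r['verdict']} "
              f"(oui={r['oui_hit']}, flows={r['many_flows']}, ports={r['high_ports']})")
```

Running it labels 10.0.0.2 "likely NAT" on all three signals, but also labels 10.0.0.3 "likely NAT" on flow count and port range alone, which is exactly the single-host false positive David describes; and a NAT stack patched to hand out low port numbers would drop 10.0.0.2 to a score of 2, so the thresholds are tuning knobs for support triage, not a reliable classifier.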