31 Jan 2002, 7:16 p.m.
1) check out MAC-address ranges
2) count flows/IP to determine if this pattern appears to be legit. (This in theory could also be done to prevent file-sharing systems that keep a large number of peer-to-peer connections.)
3) port/IP based filtering
4) TCP fingerprinting of flows. Not sure about all NAT implementations, but most seem to rewrite on the fly, not proxy (as would be sensible). Likewise, by watching sequence numbers, SACK behavior, etc. one could certainly recognize different strains of TCP stacks behind an address, and with practice determine multiple instances of the same strain.

..kg..

ObNoise. How would one construe whether it's proper for multiple logical partitions of a machine to fetch comcast nntp pr0n?
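As an added illustration of the flow-count heuristic (point 2) and the TCP stack-fingerprint heuristic (point 4) from the post above, the following Python script is example code written for this page, not code from the poster or from any NAT product. It assumes flow records that carry the observed IP TTL, the TCP window advertised in the SYN and whether SACK-permitted was offered; the addresses, flow records and the flow-count threshold are all constructed for the example, and the mapping of observed TTL to an initial TTL of 64/128/255 is the usual coarse rule of thumb, not a precise OS identification.

```python
"""Heuristic detection of several hosts behind one address (added example).

Flow records are constructed inline and mimic what a flow exporter or a
passive sniffer would record for a TCP SYN: the address/port tuple, the IP
TTL as seen at the monitoring point, the advertised TCP window and whether
the SACK-permitted option was present.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ttl: int        # IP TTL observed at the monitoring point
    window: int     # TCP window advertised in the SYN
    sack_ok: bool   # SACK-permitted option present in the SYN


# Common initial TTLs; a NAT that rewrites in flight only decrements TTL
# by one per hop like any router, so the original class stays visible.
INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> int:
    """Map an observed TTL to the nearest common initial TTL at or above it."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return observed_ttl


def stack_signature(flow: Flow) -> tuple:
    """Coarse fingerprint of the TCP/IP stack that produced the SYN."""
    return (infer_initial_ttl(flow.ttl), flow.window, flow.sack_ok)


def analyze(flows, max_flows_per_ip: int = 50) -> dict:
    """Group flows by source address; flag an address when more than one
    distinct stack signature appears behind it (point 4) or when its flow
    count exceeds the threshold (point 2). Returns a per-address report."""
    by_ip = defaultdict(list)
    for f in flows:
        by_ip[f.src_ip].append(f)
    report = {}
    for ip, ip_flows in by_ip.items():
        signatures = {stack_signature(f) for f in ip_flows}
        reasons = []
        if len(signatures) > 1:
            reasons.append("multiple_stacks")
        if len(ip_flows) > max_flows_per_ip:
            reasons.append("flow_count")
        report[ip] = {
            "flow_count": len(ip_flows),
            "signatures": signatures,
            "reasons": reasons,
            "suspect": bool(reasons),
        }
    return report


# Constructed sample data with hypothetical addresses, not captured traffic.
SAMPLE_FLOWS = [
    # 10.0.0.5: Linux-looking SYNs (TTL 64 class, window 5840, SACK) plus a
    # Windows-looking SYN (TTL 128 class, window 65535, no SACK) -> two stacks
    Flow("10.0.0.5", 40001, "198.51.100.10", 80, ttl=61, window=5840, sack_ok=True),
    Flow("10.0.0.5", 40002, "198.51.100.10", 443, ttl=61, window=5840, sack_ok=True),
    Flow("10.0.0.5", 1035, "198.51.100.20", 119, ttl=125, window=65535, sack_ok=False),
    # 10.0.0.7: one host, a couple of flows -> nothing unusual
    Flow("10.0.0.7", 50001, "198.51.100.10", 80, ttl=61, window=5840, sack_ok=True),
    Flow("10.0.0.7", 50002, "198.51.100.30", 22, ttl=61, window=5840, sack_ok=True),
] + [
    # 10.0.0.9: a single stack but 60 concurrent flows -> flow-count heuristic
    Flow("10.0.0.9", 20000 + i, "203.0.113.%d" % (i % 50 + 1), 6881,
         ttl=61, window=5840, sack_ok=True)
    for i in range(60)
]


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_FLOWS).items():
        print(ip, r["flow_count"], sorted(r["signatures"]), r["reasons"])
```

Both heuristics are deliberately coarse: a dual-boot machine or a virtual machine on a single host also yields two stack signatures, and a busy single host can exceed any fixed flow threshold, so in practice the output is a candidate list for closer inspection rather than a verdict.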