DocumentCode
3540824
Title
IP agnostic real-time traffic filtering and host identification using TCP timestamps
Author
Wicherski, Georg ; Weingarten, Florian ; Meyer, Ulrike
Author_Institution
Dept. of Comput. Sci., RWTH Aachen Univ., Aachen, Germany
fYear
2013
fDate
21-24 Oct. 2013
Firstpage
647
Lastpage
654
Abstract
In this work, we describe and evaluate the design and implementation of natfilterd, a flexible and lightweight extension of the Linux netfilter packet filter framework, which enables us to identify hosts completely independent of IP addresses by taking advantage of certain characteristics of TCP timestamps. As an immediate consequence, not only can we count hosts behind a NAT gateway but block TCP traffic from single hosts without blocking the gateway itself. Our work extends ideas from Bursztein, which we improve in terms of performance as well as matching quality and usability in practice. A theoretical runtime of O(log(n)) for matching packets against a database of n hosts is achieved. We empirically verify this result and conclude that our approach scales extremely well and is therefore suitable for at least medium-scale networks of a few thousand hosts.
Keywords
IP networks; Linux; filtering theory; telecommunication traffic; transport protocols; IP agnostic real-time traffic filtering; Linux netfilter packet filter framework; NAT gateway; TCP timestamp characteristics; TCP traffic; host identification; medium-scale networks; network address translation; packet matching quality; Clocks; Databases; IP networks; Linear regression; Logic gates; Ports (Computers); Real-time systems;
fLanguage
English
Publisher
ieee
Conference_Titel
Local Computer Networks (LCN), 2013 IEEE 38th Conference on
Conference_Location
Sydney, NSW
ISSN
0742-1303
Print_ISBN
978-1-4799-0536-2
Type
conf
DOI
10.1109/LCN.2013.6761302
Filename
6761302