Title :
IP agnostic real-time traffic filtering and host identification using TCP timestamps
Author :
Wicherski, Georg ; Weingarten, Florian ; Meyer, Ulrike
Author_Institution :
Dept. of Comput. Sci., RWTH Aachen Univ., Aachen, Germany
Abstract :
In this work, we describe and evaluate the design and implementation of natfilterd, a flexible and lightweight extension of the Linux netfilter packet filter framework, which enables us to identify hosts completely independently of IP addresses by taking advantage of certain characteristics of TCP timestamps. As an immediate consequence, not only can we count hosts behind a NAT gateway, but we can also block TCP traffic from single hosts without blocking the gateway itself. Our work extends ideas from Bursztein, which we improve in terms of performance as well as matching quality and usability in practice. A theoretical runtime of O(log(n)) for matching packets against a database of n hosts is achieved. We empirically verify this result and conclude that our approach scales extremely well and is therefore suitable for at least medium-scale networks of a few thousand hosts.
Keywords :
IP networks; Linux; filtering theory; telecommunication traffic; transport protocols; IP agnostic real-time traffic filtering; Linux netfilter packet filter framework; NAT gateway; TCP timestamp characteristics; TCP traffic; host identification; medium-scale networks; network address translation; packet matching quality; Clocks; Databases; IP networks; Linear regression; Logic gates; Ports (Computers); Real-time systems;
Conference_Title :
Local Computer Networks (LCN), 2013 IEEE 38th Conference on
Conference_Location :
Sydney, NSW
Print_ISBN :
978-1-4799-0536-2
DOI :
10.1109/LCN.2013.6761302