IP agnostic real-time traffic filtering and host identification using TCP timestamps

In this work, we describe and evaluate the design and implementation of natfilterd, a flexible and lightweight extension of the Linux netfilter packet filter framework, which enables us to identify hosts completely independent of IP addresses by taking advantage of certain characteristics of TCP timestamps. As an immediate consequence, not only can we count hosts behind a NAT gateway but block TCP traffic from single hosts without blocking the gateway itself. Our work extends ideas from Bursztein, which we improve in terms of performance as well as matching quality and usability in practice. A theoretical runtime of O(log(n)) for matching packets against a database of n hosts is achieved. We empirically verify this result and conclude that our approach scales extremely well and is therefore suitable for at least medium-scale networks of a few thousand hosts.