Identification of hosts behind a NAT device utilizing multiple fields of IP and TCP

NAT provides a function to translate private IP addresses into a public IP address. With NAT functions, hosts with private IP addresses can be connected to the Internet, but they are hidden on the Internet. When malicious hosts behind a NAT device attack service providers on the Internet, firewalls attached on the services may detect the attack. After the attacks are detected, they may block all the traffic including the malicious hosts and other normal ones from the NAT, since all the traffic from the NAT have a same source IP address and the hosts behind the NAT cannot be identified individually by them. In this paper, we propose an effective method to identify hosts behind a NAT device by utilizing multiple fields of IP and TCP such as IPID, TTL, SYN flag, and timestamp. The proposed method can identify the number of hosts behind a NAT device, and their OSs with very high accuracy compared to existing works utilizing only one field.