211 research outputs found

    Your Smart Home Can't Keep a Secret: Towards Automated Fingerprinting of IoT Traffic with Neural Networks

    The IoT (Internet of Things) technology has been widely adopted in recent years and has profoundly changed people's daily lives. In the meantime, however, such a fast-growing technology has also introduced new privacy issues, which need to be better understood and measured. In this work, we look into how private information can be leaked from network traffic generated in the smart home network. Although researchers have proposed techniques to infer IoT device types or user behaviors under a clean experimental setup, the effectiveness of such approaches becomes questionable in the complex but realistic network environment, where common techniques like Network Address and Port Translation (NAPT) and Virtual Private Network (VPN) are enabled. Traffic analysis using traditional methods (e.g., classical machine-learning models) is much less effective under those settings, as the manually picked features are no longer distinctive. In this work, we propose a traffic analysis framework based on sequence-learning techniques like LSTM that leverages the temporal relations between packets for the device identification attack. We evaluated it under different environment settings (e.g., pure-IoT and a noisy environment with multiple non-IoT devices). The results showed that our framework was able to differentiate device types with high accuracy. This result suggests that IoT network communications pose prominent challenges to users' privacy, even when they are protected by encryption and morphed by the network gateway. As such, new privacy protection methods for IoT traffic need to be developed to mitigate this new issue.

    DCCP Simultaneous-Open Technique to Facilitate NAT/Middlebox Traversal

    https://datatracker.ietf.org/doc/rfc5595/

    NAT Denial of Service: An Analysis of Translation Table Behavior on Multiple Platforms

    Network Address Translation, or NAT, is a technology used to translate internal addresses to globally routable addresses on the Internet. NAT continues to be used extensively in almost every network due to the current lack of IPv4 addresses. Despite being exceptionally commonplace, this networking technique is not without its weaknesses, and it can be disabled with a fairly straightforward attack. By overpopulating the translation table, the primary mechanism used to translate internal to external addresses, an attacker can effectively deny all internal users access to the external network. This paper takes an in-depth look at how five different vendors (Cisco, Extreme, Linksys, VMware, and Vyatta) implement the translation table during active NAT sessions and how they are affected by TCP, UDP, and ICMP variations of the DoS attack.

    ENAT-PT: An Enhanced NAT-PT Model

    NAT-PT allows IPv4 nodes to communicate with IPv6 nodes transparently by translating the IPv6 address into a registered v4 address. However, NAT-PT falls flat when the pool of v4 addresses is exhausted. NAPT-PT multiplexes the registered address' ports and allows for a maximum of 63K outbound TCP and 63K UDP sessions per IPv4 address, but it is unidirectional. We present in this paper a novel solution, ENAT-PT (an enhanced NAT-PT), which allows for a great number of inbound sessions using a single v4 address. Using ENAT-PT, we can visit v6 networks from a v4 network with a small address pool.

    Peer-to-Peer Communication Across Network Address Translators

    Network Address Translation (NAT) causes well-known difficulties for peer-to-peer (P2P) communication, since the peers involved may not be reachable at any globally valid IP address. Several NAT traversal techniques are known, but their documentation is slim, and data about their robustness or relative merits is slimmer. This paper documents and analyzes one of the simplest but most robust and practical NAT traversal techniques, commonly known as "hole punching." Hole punching is moderately well understood for UDP communication, but we show how it can be reliably used to set up peer-to-peer TCP streams as well. After gathering data on the reliability of this technique on a wide variety of deployed NATs, we find that about 82% of the NATs tested support hole punching for UDP, and about 64% support hole punching for TCP streams. As NAT vendors become increasingly conscious of the needs of important P2P applications such as Voice over IP and online gaming protocols, support for hole punching is likely to increase in the future. Comment: 8 figures, 1 table.

    IPv4 address sharing mechanism classification and tradeoff analysis

    The growth of the Internet has made IPv4 addresses a scarce resource. Due to slow IPv6 deployment, IANA-level IPv4 address exhaustion was reached before the world could transition to an IPv6-only Internet. The continuing need for IPv4 reachability can only be supported by IPv4 address sharing. This paper reviews ISP-level address sharing mechanisms, which allow Internet service providers to connect multiple customers who share a single IPv4 address. Some mechanisms come with severe and unforeseen consequences, and all of them come with tradeoffs. We propose a novel classification, which we apply to existing mechanisms such as NAT444 and DS-Lite and to proposals such as 4rd, MAP, etc. Our tradeoff analysis reveals insights into many problems including abuse attribution, performance degradation, address and port usage efficiency, direct inter-customer communication, and availability.

    NAT denial of service: An Analysis of translation table behavior on multiple platforms

    Network Address Translation, or NAT, is a technology used to translate internal addresses to globally routable addresses on the Internet. It is used extensively in almost every network requiring global connectivity due to the current lack of IPv4 addresses. The primary mechanism used to translate internal addresses to external addresses and vice versa is the translation table. This study takes an in-depth look at how five different vendors (Cisco, Extreme, Linksys, VMware, and Vyatta) implement the translation table during active NAT sessions. Additionally, this study analyzes the methodology required to fill a translation table and the denial of service that results from the attack. We consider the relative difficulty of accomplishing this task across the different platforms and protocols (TCP vs. UDP vs. ICMP). We conclude this study with steps that can be taken to prevent or mitigate the NAT DoS attack.

    Network Address Translation (NAT) Behavioral Requirements for Unicast UDP


    Security aspects in voice over IP systems

    Security has become a major concern with the rapid growth of interest in the Internet. This project deals with the security aspects of VoIP systems. Various supporting protocols and technologies are considered to provide solutions to the security problems. The project focuses on the underlying VoIP protocols: Session Initiation Protocol (SIP), Secure Real-time Transport Protocol (SRTP), H.323, and Media Gateway Control Protocol (MGCP). It further discusses Network Address Translation (NAT) devices and firewalls that perform NAT. A firewall provides a point of defense between two networks. This project considers issues regarding firewalls and the problems faced in using firewalls for VoIP; it further discusses how firewalls can be used in a more secure way and how they provide security.

    Challenges to the End-to-End Internet Model

    In 1981 Saltzer, Reed, and Clark identified "end-to-end" principles related to the design of modern layered protocols. The Internet today is not as transparent as envisioned by [SALTZER81]. While most of the intelligence remains concentrated in end-systems, users are now deploying more sophisticated processing within the network for a variety of reasons, including security, network management, e-commerce, and survivability. Applications and application-layer protocols have been found to interact in unexpected ways with this new intelligent software within the network, such as proxies, address translators, packet filters, intrusion detection, and differentiated service functions. In this paper we survey examples of the problems caused by the introduction of this new processing within the network, which is counter to the end-to-end Internet model proposed by [SALTZER81]. The conflict between the end-to-end Internet model and the introduction of new processing within the network is being addressed on a case-by-case basis in each development effort. There are no indications that new devices installed within the network (which break the end-to-end model) will disappear; in fact there has been dramatic growth in their deployment due to recent denial-of-service attacks. Transition to IPv6 only solves a subset of these issues, and its deployment is proceeding slowly. Future work is clearly needed to create a consistent environment for protocol development that preserves the transparency provided by the end-to-end Internet model.