nanog mailing list archives

Re: NATting a whole country?


From: Gadi Evron <ge () linuxbox org>
Date: Wed, 3 Jan 2007 17:42:35 -0600 (CST)


On Wed, 3 Jan 2007, Steven M. Bellovin wrote:

> According to
> http://www.nytimes.com/aponline/technology/AP-TechBit-Wikipedia-Block.html
> all of Qatar appears on the net as a single IP address.  I don't know
> if it's NAT or a proxy that you need to use to get out to the world,
> but whatever the exact cause, it had a predictable consequence -- the
> entire country was barred from editing Wikipedia, due to abuse by
> (presumably) a few people.

Half related, the amazing Steven Murdoch did some traffic analysis on a
similar issue, trying to detect machines behind the anonymizing Tor network.

"By requesting timestamps from a computer, a remote adversary can find out
the precise speed of its system clock. As each clock crystal is slightly
different, and varies with temperature, this can act as a fingerprint of
the computer and its location."

ftp://ftp.fortunaty.net/video/23c3/wmv/timeskew2-t2s1.wmv
http://events.ccc.de/congress/2006/Fahrplan/events/1513.en.html

Anyone remember CAIDA's study on the crystals for detecting machines
through NATs?
http://www.caida.org/publications/papers/2005/fingerprinting/KohnoBroidoClaffy05-devicefingerprinting.pdf

Another good lecture on traffic analysis at CCC, which was an
introduction by George Danezis:
http://events.ccc.de/congress/2006/Fahrplan/attachments/1185-DanezisTAIntro.pdf

        Gadi.
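
Added example, not part of the original post and not code from the talk or paper linked above: a sketch of the clock-skew measurement the quoted abstract describes, used to tell apart hosts that share one NATed address. The flows, the 1000 Hz timestamp rate, the 5 ppm grouping tolerance and every function name are constructed assumptions, and a plain least-squares fit was chosen for this example.

```python
# Added example: all flows below are constructed, not captured traffic.
WRAP = 2 ** 32  # TCP timestamp values are 32-bit counters

def make_flow(skew_ppm, start_tick, hz=1000, duration=3600, step=60):
    """Construct (receive_time_s, tsval) samples for a clock off by skew_ppm."""
    samples = []
    for i, t in enumerate(range(0, duration + 1, step)):
        tsval = (start_tick + int(hz * t * (1 + skew_ppm * 1e-6))) % WRAP
        jitter = ((i * 7) % 5) / 1000.0  # 0-4 ms of constructed path delay
        samples.append((t + jitter, tsval))
    return samples

def estimate_skew_ppm(samples, hz=1000):
    """Least-squares slope of (remote elapsed - local elapsed) vs local elapsed."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    # Modulo undoes a single counter wrap inside the observation window.
    ys = [((ts - ts0) % WRAP) / hz - x for x, (_, ts) in zip(xs, samples)]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples span no time")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope * 1e6

def group_by_skew(flows, hz=1000, tol_ppm=5.0):
    """Cluster flows whose skews differ by <= tol_ppm; one cluster ~ one clock."""
    ranked = sorted((estimate_skew_ppm(s, hz), name) for name, s in flows.items())
    clusters = []
    for skew, name in ranked:
        if clusters and skew - clusters[-1][-1][0] <= tol_ppm:
            clusters[-1].append((skew, name))
        else:
            clusters.append([(skew, name)])
    return clusters

# Four constructed flows seen from one shared public address.
FLOWS = {
    "flow-a": make_flow(48, start_tick=1_000),
    "flow-b": make_flow(48, start_tick=WRAP - 500_000),  # counter wraps mid-flow
    "flow-c": make_flow(-23, start_tick=77_000),
    "flow-d": make_flow(110, start_tick=9_000_000),
}

if __name__ == "__main__":
    for cluster in group_by_skew(FLOWS):
        names = ", ".join(name for _, name in cluster)
        print(f"{cluster[0][0]:8.1f} ppm  {names}")
```

Real hosts tick at different timestamp rates, so the rate has to be known or estimated before skews from different flows can be compared.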

