|Survey Data Mining: Home | FAQ | Archive | Glossary|
ssl srvrs by domain
web authoring tools
web share changes
isp market share
dns load balancing
p3p compact policy
telephone area code
DNS site operator
Mail Server Survey
CA Market Share
RTSP Server Survey
Web Survey by IP
|What is NAT?|
IP V4 Network Address Translation (NAT) has become an increasingly common function in the Internet for a variety of reasons. NATs are used to interconnect a private network consisting of unregistered IP addresses with a global IP network using limited number of registered IP addresses. NATs are also used to avoid address renumbering in a private network when topology outside the private network changes for variety of reasons. And, there are many other applications of NAT operation.
In other words, in the context of the web servers a browser visits, the IP address we visit, may appear to be one thing, while the server that is actually providing the data may be residing on a completely different IP address, with a device in between (often a firewall) translating traffic to allow communications to work.
When NAT is employed, administrators will typically use one of 3 ranges of IP addresses, known as private, or non-routable addresses. These ranges are designated for private use, and as such cannot be reached directly from the internet. A separate device, such as a firewall, can be configured to send traffic incoming to a specific port (e.g. http port 80) to an internal private address, making it appear as if the webserver is operating on a public address.
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
|How We (Or anyone else) Can Detect NAT Usage|
For example, the following session shows captures a request to a typical web server:
$ telnet www.securityspace.com 80 Trying 188.8.131.52... Connected to www.securityspace.com. Escape character is '^]'. GET /sample.html HTTP/1.0Having issued the request to retrieve the page sample.html, the server responds with the HTTP header and an HTML page.
HTTP/1.1 200 OK Date: Fri, 04 May 2001 20:08:11 GMT Server: Apache/1.3.12 (Unix) Connection: close Content-Type: text/html <HTML> <HEAD></HEAD> <BODY>Sample Page</BODY> </HTML> Connection closed by foreign host. $
Now let's consider the exact same response received from a poorly configured IIS server:
HTTP/1.1 200 OK Server: Microsoft-IIS/4.0 Content-Location: http://10.1.1.1/sample.html Date: Wed, 11 Apr 2001 07:22:38 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Tue, 09 Jan 2001 21:41:34 GMT ETag: "b43f97ef847ac01:4096" Content-Length: 55 <HTML> <HEAD></HEAD> <BODY>Sample Page</BODY> </HTML> Connection closed by foreign host. $
The above example shows that the IIS server is returning a header field called Content-Location, and that this field is showing the location of the document being requested from the webserver's perspective. In this case, it happens to reveal that the web server resides on a private class A address of 10.1.1.1, providing pretty good proof that there is a NAT device between the webserver and the internet at large, and that the device is probably a firewall of some sort.
|Is This Really a Problem?|
A general rule of thumb is that you never give out information if you can avoid doing so, unless it is necessary.
|How Do We Fix This?|
A different procedure applies to IIS version 4.0 and IIS version 5.0. In addition, a work-around exists involving renaming static web pages to end with .asp and to then configure a custom HTTP Header that specifies a Content-Location tag explicitly.
|Number of IIS servers examined||817,227||100.00%|
|Number of IIS Servers that revealed the IP address via the Content-Location tag||9||0.00%|
|Number of IIS Servers that revealed an IP in the Content-Location tag different from the IP accepting the connection||198||0.02%|
|Number of IIS Servers that revealed a private non-routable IP in the Content-Location tag||178||0.02%|
|Number of IIS Servers that use the Class A 10.*.*.* private network||72||0.01%|
|Number of IIS Servers that use the Class B 172.16-31.*.* private network||37||0.00%|
|Number of IIS Servers that use the Class C 192.168.*.* private network||69||0.01%|