Current Tests
The client currently tests TCP port binding properties of the NAT, the NAT's
packet mangling characteristics, the NAT's filtering or firewalling behaviour
and checks the timeouts for TCP bindings in various states.
TCP Port Binding
- Binding Behaviour -- Independent if the internal endpoint (address and
port) alone determines the binding. Address dependent or address and port
dependent if the internal endpoint along with the remote address or the
remote endpoint, respectively, determines the binding. Session
dependent if each TCP session is allocated a new binding.
- Binding Delta -- The difference in the binding's port for successive
connections from the same internal endpoint to different remote endpoints.
- Hairpinning -- Whether or not the NAT correctly routes TCP SYN
packets from an internal endpoint to the external binding allocated for a
different internal endpoint.
- Overloading -- Whether or not the NAT assigns the same binding for
two different internal endpoints.
- Port number preservation -- Whether or not the external binding has
the same port as the port of the internal endpoint when possible.
- Port range preservation -- Whether or not the external binding port
falls in the same port range as the port of the internal endpoint. The port
ranges LOW, HIGH and DYNAMIC are defined as 0 - 1023, >= 1024, >= 49152
respectively.
- Port parity preservation -- Whether or not the binding port is even if and
only if the internal endpoint port is even. Whether or not two internal
endpoints where the second port is one higher than the first are allocated
binding ports that have the same relationship.
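The binding properties above can be derived from a list of observed bindings. The following is an added example, not code from the STUNT client; the function names, the constructed sample data and the choice to report the most specific port range are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed observations for ONE internal endpoint (10.0.0.5:5000):
# (remote address, remote port, external binding port), in connection order.
SAMPLE = [
    ("192.0.2.10", 3478, 61000),
    ("192.0.2.10", 3478, 61000),   # same remote endpoint again
    ("192.0.2.10", 3479, 61000),   # same address, different port
    ("192.0.2.20", 3478, 61002),   # different address
    ("192.0.2.30", 3478, 61004),
]

def classify_binding(obs):
    """Name the binding behaviour; obs must cover the three probe kinds above."""
    by_endpoint, by_addr = defaultdict(set), defaultdict(set)
    for addr, port, ext in obs:
        by_endpoint[(addr, port)].add(ext)
        by_addr[addr].add(ext)
    if any(len(s) > 1 for s in by_endpoint.values()):
        return "session dependent"           # new binding per TCP session
    if len({ext for _, _, ext in obs}) == 1:
        return "independent"                 # internal endpoint alone decides
    if all(len(s) == 1 for s in by_addr.values()):
        return "address dependent"           # remote address also decides
    return "address and port dependent"      # full remote endpoint decides

def binding_deltas(obs):
    """Binding port difference between successive connections to different remotes."""
    return [b[2] - a[2] for a, b in zip(obs, obs[1:]) if a[:2] != b[:2]]

def port_range(port):
    # Assumption: report the most specific range, since HIGH (>= 1024)
    # as defined above also contains DYNAMIC (>= 49152).
    if port < 1024:
        return "LOW"
    return "DYNAMIC" if port >= 49152 else "HIGH"

def preservation(internal_port, external_port):
    """Port number, range and parity preservation for one binding."""
    return {
        "number": internal_port == external_port,
        "range": port_range(internal_port) == port_range(external_port),
        "parity": internal_port % 2 == external_port % 2,
    }
```

A constant non-zero binding delta, as in the sample, means the next external port can be guessed from the previous one, which is the property the port prediction test measures.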
TCP Packet Mangling
- TCP Data -- Whether or not the NAT modifies bytes in the TCP payload
that look like the binary encoding of an internal endpoint.
- ICMP Data -- Whether or not the NAT correctly translates
encapsulated IP packets in the ICMP payload.
- TCP Sequence number -- Whether or not the NAT advertises a different
TCP sequence number in the SYN packet than the one advertised by the internal
host.
- IP TTL -- Whether or not the NAT increases the IP time-to-live value
of outbound TCP packets.
TCP Packet Filtering
- Endpoint filtering -- Open if the NAT correctly routes
incoming unsolicited SYN packets to the host. Independent if the NAT
routes incoming SYN packets sent from any remote endpoint to the binding for an
internal endpoint that has established a connection to some remote endpoint.
Address if the NAT routes incoming SYN packets sent from a remote
endpoint to the binding for an internal endpoint that has established a
connection to the same remote address but a different port. Address and
port otherwise.
- TCP Responses -- Whether the NAT accepts and correctly routes,
silently drops, generates a TCP RST or reset packet or generates
an ICMP error in response to various packets addressed to an external
binding. The situations tested are unsolicited incoming SYN packets
before a binding is created, SYN packets from the same remote address to
which the binding is connected, SYN packets from a different remote
address than the one to which the binding is connected, SYN packets
received from the remote endpoint after an outgoing SYN to that
endpoint, after receiving a TCP reset in response to an outgoing SYN,
after receiving an ICMP TTL exceeded error or ICMP Host
Unreachable error in response to the outgoing SYN, and an incoming SYNACK
packet instead of the incoming SYN packet in the last four cases.
TCP Binding Timers
- TCP Timer -- How long the NAT keeps a binding alive and routes incoming
packets when the TCP session is in a particular state. The states tested are
SYN-Sent, Established, Timed-Wait and Closed.
TCP Port Prediction
- Port prediction rate -- What percentage of the client's attempts to
predict the external binding for a new TCP stream before it is initiated are
correct.
Command Line Parameters
| Parameter | Details |
|---|---|
| -i, --interface iface | iface is the interface to run STUNT on. The list of interfaces can be viewed by passing help as the interface. For the overloading test, two interfaces are required, both of which must be on the same network segment; they can be passed in with multiple -i options. |
| -p, --port port | port is the port on which the STUNT server is running. Default is 3478. |
| -v, --debug | multiple uses increase the debugging verbosity |
| -b, --test-bindings | perform the binding tests above |
| -f, --test-filtering | perform the filtering and packet mangling tests above |
| -t, --test-timers | perform the timer tests above |
| -r, --test-portpred | perform the port prediction test above |
| -o, --output file | writes the fingerprint to a file for later use |
| --timer-syn nsec | the number of seconds the connection should be in SYN-Sent state before the SYNACK is sent. |
| --timer-estd nsec | the number of seconds the connection should be in established state before a keep-alive ACK is sent. |
| --timer-fin nsec | the number of seconds the connection should be in timed-wait state before a retransmission of the FIN is sent. |
| --timer-rst nsec | the number of seconds the connection should be in closed state forced by a RST before a retransmission of the RST is sent. |
| --timer-portpred nsec | the number of seconds the clients should try to predict ports for. Default is 3600. |
| --binding-interval nsec | the number of seconds the clients should wait between successive binding tests. Default is 0. If the binding test repeatedly reports an error, for example with OpenBSD-based NATs, try raising this value to 120. |
| --portpred-interval nsec | the number of seconds to wait between port prediction attempts. Default is 60. |