Counting Devices: Revisiting Existing Approaches in Today's Settings

Abstract

The ability to count and fingerprint devices (optionally, from a given type) that are in a network, and potentially behind a NAT is important not only for network management (e.g., inventory and asset management) but also for business analysis (e.g., product adoption) and security (e.g., to block traffic from a malicious device behind a NAT). As such, researchers have developed a number of solutions to address these questions. However, most existing solutions rely on incidental characteristics of end devices' behaviors. Software updates to end devices or middleboxes (e.g., firewall, NAT) could render existing solutions ineffective. As such, how effective are those solutions in today's settings, e.g., with IoT devices? We propose to answer this answer by evaluating three major approaches that rely on (1) the IP id field, (2) a device's clock skew, and (3) a combination of a device's boot time and the frequency of its TCP timestamp clock, on the network traffic of seventy IoT devices. We show that existing approaches are ineffective with recent IoT devices, and as such the problem of counting devices behind a NAT remains an open problem. Finally, we explore and discuss future potential directions.