Paper 2026/149
Private IP Address Inference in NAT Networks via Off-Path TCP Control-Plane Attack
Adityavir Singh, Ashoka University
Mahabir Prasad Jhanwar, Ashoka University
Abstract
Recent work at NDSS 2024 demonstrated that widely deployed NAT behaviors in Wi-Fi routers, including port preservation, insufficient reverse-path validation, and the absence of TCP window tracking, enable off-path TCP hijacking attacks in NATed wireless networks. These attacks exploit design weaknesses in NAT gateway routers to detect whether some internal client behind the NAT maintains an active TCP connection with a target server and, upon detection, to disrupt or manipulate that connection. In this paper, we show that these behaviors have significantly broader privacy implications. We demonstrate that an off-path attacker can not only hijack active TCP connections but also accurately infer the private IP addresses of individual clients behind a NAT that are engaged in TCP communication with a target server. Our attack operates under the same realistic assumptions as prior work, yet leverages previously unexplored behaviors in NAT state management and TCP control-plane interactions to reconstruct the full client-side connection tuple. We evaluate our attack both in a controlled laboratory testbed and in a real-world Wi-Fi network. For SSH connections, our method reliably identifies the private IP addresses of connected clients and enables forcible termination of their TCP sessions. For HTTPS connections, although the attacker successfully terminates the underlying TCP connection, modern browsers rapidly re-establish a new connection using new ephemeral ports; nevertheless, our attack reveals the private IP addresses of the originating clients, exposing a persistent privacy leakage. Our findings demonstrate that off-path TCP hijacking attacks in NATed Wi-Fi networks pose a serious and previously unrecognized threat to client privacy, extending well beyond connection disruption to enable deanonymization of internal hosts.
BibTeX
@misc{cryptoeprint:2026/149,
author = {Suraj Sharma and Adityavir Singh and Mahabir Prasad Jhanwar},
title = {Private {IP} Address Inference in {NAT} Networks via Off-Path {TCP} Control-Plane Attack},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/149},
year = {2026},
url = {https://eprint.iacr.org/2026/149}
}