Comcast Gunning for NAT Users 979
phillymjs writes: "A co-worker of mine resigned today. His new job at Comcast: Hunting down 'abusers' of the service. More specifically, anyone using NAT to connect more than one computer to their cable modem to get Internet access- whether or not you're running servers or violating any other Acceptable Use Policies. Comcast has an entire department dedicated to eradicating NAT users from their network. We knew this was coming since this Slashdot article from two months ago, but did anyone think they'd already be harassing people that are using nothing more than the bandwidth for which they are paying? It makes me very happy that my DSL kit arrived yesterday, and I'll be cancelling my Comcast cable modem early next week." Earthlink and Comcast have both been advertising lately their single-household, multi-computer services (and additional fees) -- probably amusing to many thousands of broadband-router owners, at least until the cable companies really crack down.
methods (Score:3, Interesting)
Re:methods (Score:3, Interesting)
Meanwhile... (Score:3, Interesting)
they can try they wont win. (Score:2, Interesting)
Besides, how is this going to fly with the AT&T policy of allowing it and even encouraging it? AT&T will gladly sell you a smc or linksys NAT/firewall... that constitutes encouraging it.
Kudos to AT&T (Score:1, Interesting)
Furthermore, outages are still too common, and performance is still too variable.
However, the basic service is good, and the attitude of AT&T (at least in Eastern MA) is still good. They tolerated NAT, looking the other way, and then (I think) supported it; they don't block ports; and they don't particularly seem to mind members who run servers, as long as those servers are reasonably secure; even though the service agreement disallows servers (last time I checked).
I read about dimwits like Comcast frequently on Slashdot, and I'm thankful that my provider is still reasonable.
I wonder what they plan to do? (Score:4, Interesting)
As everybody else is wondering: how do they plan to ferret out NAT users? Go to everyone's home and count the number of computers? ComCast used to be such a nice service, it's a shame what they're doing to it. Lets count the ways they've made the service worse recently:
Still, even with all of these indiscresions, I'm inclined not to believe this story as is. There doesn't appear to be much actual evidence (has anyone been flagged for having a NAT yet?) to support the claims. Also, did the co-worker quit because the job is nigh-impossible? My hoax sense is tingling...
Re:methods (Score:5, Interesting)
on their webpage that can only be accessed when you'r on their network ( a this webpage providing usefull information like your month quota ), there's a client script that send back your browser IP. That's it : if your ip is typical from a home subnet, you'r using NAT.
Re:Firewall (Score:1, Interesting)
Verification of their Policy is in the Comcast FAQ (Score:5, Interesting)
You'll find more about my experience with Comcast broadband services [ctdata.com] on my company's web site, if you are interested.
Re:Crack down? (Score:2, Interesting)
NAT Detection method and avoidance (Score:3, Interesting)
To avoid this, get the MAC address from an old NIC, or a machine that will never be connected to the subnet on the cable-modem system, and (assuming your NAT box supports MAC spoofing) configure your NAT box to use that IP address.
More likely than not, the providers are too stupid to do the necessary research, and will look at the high bandwidth users and do a packet sniff to see what their activity looks like.
Re:methods (Score:2, Interesting)
Can they do this without a warrant (Privacy et all?)
Re:methods (Score:2, Interesting)
Can you imagine the amount of computing power they would need to maintain to prove something like this? They would need regularlly sniff packets from every connection, try to figure out the OS, store the data, and continue. Thats not to mention that about half the time the OS will come up "unknown". Oh, and by the way, heres an extra $10 on your bill to pay for the army of people to maintain this.
There is no attempt made to randomize this source port field selection and a clever heuristic could probably fingerprint it.
That would probably be a 5 line patch to randomize it.
Seems a little silly (Score:4, Interesting)
Privacy? (Score:2, Interesting)
If they can, then it follows that they may read my email (again, without prior evidence of wrongdoing) in order to enforce their business practices - this seems like a pretty clear violation of privacy.
NOTE - I don't really think that my email is private, nor do I believe that IP traffic is secure - the question I'm asking isn't about the capabilities of the ISP. Rather, I'm curious as to whether or not they have the legal _right_ to monitor my traffic (payload, not headers) without a complaint (or a warrant).
Earthlink doesn't charge more for NAT (Score:2, Interesting)
Re:methods (Score:2, Interesting)
Did anyone ever consider this? (Score:2, Interesting)
The reason that broadband cable access is so cheap is because they don't exect you to use it all of the time.
I say that cable is cheap because you can get near T1 performance (~$600/mo) from a cable line. The companies don't want you online all of the time because it costs them more money for the extra bandwidth.
Its kind of like the 56k ISPs. You can have unlimited hours of use, but they don't want you connected if you're not using it. They don't want an idle connection wasting a phone line. Don't get me wrong though. I'm not on their side. I want to be able to run my network on a cable connection as well. We just need to compromise or something...
Re:Adelphia (Score:2, Interesting)
Class action suit? (Score:5, Interesting)
They don't want me doing P2P, they don't want me to play games, they don't want me to have more than one computer hooked up, and they don't want me going wireless. How much more can they block off before its no longer really an Internet Connection?
It seems to me that if they are going to behave this way, then they shouldn't be considered Internet Service Providers anymore. They're not! You can't call it an ISP if they're telling you you can't do the things that makes the Internet the Internet. I have two computers on the net at home. One I use just as an email terminal (very low bandwidth), and the other is where I go cruising the web and do IM etc. Until they tell me that I can only use so much bandwidth, they have no business telling me I can't use more than one computer. They advertise "unlimited bandwidth, 24-7", and then they play these silly games with me. It really makes me want to sue for false advertising.
Re:They Wont Win In Court, Anyway (Score:2, Interesting)
Comcast Tech Says... (Score:2, Interesting)
and I quote: "We don't care, run the firewall, hook up a few computers, we don't really like servers on the network. Just be aware that when you call tech support we're going to ask you to remove the router so that we can test the connection."
If you're really concerned about it... don't run they're browser software... Don't go look at their homepages... I don't think I looked at Excite.com the entire 8 months I was a subscriber before they went down. Just pay your bill in the mail and enjoy the bandwidth when all the easily scared jump ship. If they do knock at your door, phone, e-mail... drop them... there's no contract involved and there are other ISP's out there. Hooray for capitalism!
Run some phone wire to your neighbor's house... (Score:5, Interesting)
However, I read the linked article and my Comcast agreement.
I doubt most people here have done either.
The effort is clearly aimed at people who are sharing their connections outside their homes. The article even has a diagram showing multiple homes. Take a look at this excerpt:
For example: Neighbor Bob buys cable modem service and a wireless home network. Neighbors Carol, Ted and Alice don't buy cable modem service, but they go out and buy antennas compatible with Neighbor Bob's wireless network. Everybody agrees to share Neighbor Bob's connection.
If you have a problem with trying to stop this type of activity, then you also probably think it would be OK to run phone line from your house to your neighbor's house, since you "pay for the bandwidth and can do whatever you wish with it." You would probably think it's OK to run Cat 5 or fiber all over your neighborhood too.
If Comcast tries to make me pay extra for having three networked computers, I'll be as angry as the next geek. But sheez, let's tone down the hype until that actually happens.
Re:methods (Score:2, Interesting)
Interestingly though, check out this page [comcast.net], way down near the bottom:
This seems to imply that running a NATed network is ok, though unsupported. I wonder how long before this item mysteriously disappears...
We'll see (Score:3, Interesting)
My justification was as follows:
1: I don't trust Win2K to be directly connected to the internet because of the many security flaws of the past and surely in the future.
2: The 2 Win2K machines I use, 1 is for personal use, and one I use as a database server and to pcAnywhere into work. I never use both at the same time, I can't.
3: They're benefitting from the fact that I'm running Squid on my Linux box and therefore caching web pages and reducing my actual bandwidth usage.
If I get a response soon, I'll post it, but I've basically come straight out and told them the truth. How they react will be a judgement of their character as a company
I chose ComCast for 1 reason: I could get billing for cable and internet from one company. If they wish to deny me that, I'll simply switch to satellite TV and DSL modem, and they lose my business entirely ($100/month for them right now).
Re:They still won't know for sure... (Score:3, Interesting)
My reply: "Fine, I want to cancel the service right now."
When I cancelled AT&T's cable modem service the order droid basically begged me to stay. "I'll even give you 6 months of a special promo pricing." Fe. What good is special pricing when the service no longer works for 7-day stretches 'cause they screwed up something at their end and refuse to even have a look until they can schedule a needless "service call". The loudest message someone can send a company is to quit doing business with them.
Re:Comments (Score:2, Interesting)
Why skew the stats in MS's favor? Change it to someother company that can use the market share reports. (Opera would be my pick, but I am sure you have your own.)
Re:I wonder what they plan to do? (Score:3, Interesting)
Actually this is exactly the kind of thing that needs to go away. If ISP's got rid of all the "value added" services and just provided an TCP/IP pipe, their costs would be low, and you wouldn't be locked in to their potentially crappy services. Of course they'd have to lower their prices to compensate...
You can get 2GB/month access to very fast news servers for $7 a month. The service is way better then any ISP's news server too. Doesn't it bother you that you're paying for all those extra services that you might not be using and you could easily provide yourself? I'm talking about things like e-mail and web hosting and news service, and DNS...
Not completely true.... (Score:4, Interesting)
My company does technical support for Comcast (Score:5, Interesting)
Hmmm maybe we're just slow to get the news?
Re:methods (Score:3, Interesting)
TTL - This target is used to modify the time to live field in the IP header. It is only valid in the mangle table.
--ttl-set ttl Set the TTL to the given value.
--ttl-dec ttl Decrement the TTL by the given value.
--ttl-inc ttl Increment the TTL by the given value.
A few comments. (Score:5, Interesting)
Ok, new list with some other points:
I've been a Comcast customer for some time and have had relatively no problems with them to date. I am a little concened that since my IP changed on the 22nd (our area's cutover) I'm unable to ping it from work. Something to do tonight I guess.
Re:NAT Detection method and avoidance (Score:2, Interesting)
This (of course) only applies to Broadband routers. If you are using a linux or windows box for NAT, then the MAC address will be one associated with a standard NIC. Most cablemodem users that are using NAT are using broadband routers, and unless the cable modem infrastructure is dispensing DHCP addresses by MAC address, those routers have the default MAC address. These are the people companies like Comcast will focus on (unless they just look at traffic levels and packet sniff to get an idea what you are up to).
The biggest bandwidth hogs on most ISP systems are alt.binaries.whatever downloaders, and PTP filesharing. Eliminating technical users with linux NAT boxes would not have a significant effect on their total bandwidth utilization.
Comment removed (Score:2, Interesting)
Re:methods (Score:2, Interesting)
Two computers sharing a connection in a household of the latter kind of user means twice the bandwidth, and the cable company doesn't really WANT the first kind of customer.
Two leaches sharing a connection won't pull more data than a single leach, but two casual web browsers sharing a connection will use twice as much as a single casual web browser.
Devising Methods is Straightforward (Score:1, Interesting)
Quite likely they had no particular technical approach in mind and planned on just waiting until the Slashdot crowd surveyed the possible techniques for them. That has been accomplished.
Talking to tech support, 101 (Score:5, Interesting)
But, since everyone else seems to be hopping on the bandwagon taking this as fact I'll chime in anyways.
The solution is to play it smart and don't ever ever tell tech support you're using more then one computer. If they accuse you of using more then one, deny it. They're going to have fun proving that one.
Adelphia Powerlink flipped their freaking lid when the guy was trying to troubleshoot my connection by pinging it and I told him I'd gotten his ping.
"How do you know that? It's coming up as host unreachable here."
"Yeah I know I'm running a firewall on my machine."
"What?! You're not allowed to use a firewall on our network!"
"Uhm, why not? Oh maybe I should turn it off so all these people trying to DoS me can mess up your network a little more?"
So remember, when calling tech support:
1) You are using 1 computer.
2) You are using Windows.
3) Never mention the words: firewall, router, linux, server. They are verboten.
Always "follow" their absurd troubleshooting suggestions no matter how stupid they sound. Hey.. sometimes they do work, but otherwise just take what they tell you and translate the steps into your OS of choice. Or if you already tried it give them the answer they're looking for.
Re:Run some phone wire to your neighbor's house... (Score:2, Interesting)
Yea, I have a problem with an ISP trying to stop this sort of behavior. It's a matter of retroactively trying to solve a bad pricing model with more stupid, unenforceable rules.
If one shares one's phone line with the neighbors, one is restricted from use when others are using it. Presumably, someone is going to get sick of the inconvenience and buy their own line.
Same with bandwidth. There is a finite amount. If I share TOO MUCH, my pipe to the internet will suck. Not to mention the poor saps on a metered plan. However, when it comes to Cable service broadband there are interesting differences:
1. The cable tv model doesn't work this way, sharing doesn't hurt MY TELEVISION signal, but does hurt cable company revenue. Sounds unfair and thus illegal. Anyone wonder why cable broadband thinks they can enforce similar rules on their ISP customers?
2. But sharing cable broadband DOES impact the service... with a catch: Whether I share via NAT or the cable company signs up my neighbors direct doesn't matter, it still hurts my bandwidth.
So the instinct is to screw the company and share with your neighbors for a split of the fee. The fallout of which is that the cable company might not install a fatter pipe to your neighborhood (a questionable scenario even if everyone was honest).
The answer of course is to support the ISP/service with the plan you like. I hate big conglomerates and am fortunate enough to have a few choices, some of them pleasant.
Re:Uhh... (Score:3, Interesting)
On the contrary. Having a bunch of nodes behind an OpenBSD NAT firewall with state modulation should, it seems to me, look the same to an outside observer as having a single OpenBSD node.
Nevertheless, the documented point of state modulation isn't to hide the fact that you're doing NAT. It's to correct for the fact that many operating systems pick initial sequence numbers poorly, and are thus vulnerable to sequence prediction attacks [bindview.com]. So there may well be ways to tell the difference -- though it would surprise me.
In the end, though, I agree with the sentiment expressed elsewhere under this topic: that ISPs are misguided in trying to penalize intelligent use of their services, but also that users are misguided in playing hide-and-seek with bad ISPs' policy enforcement rather than choosing more honest and professional ISPs.
Free cable? (Score:2, Interesting)
Re:TTL? (Score:3, Interesting)
1) Purchase a 5-port hub
2) Plug cable modem into it.
3) Plug up to four computers into it
4) Pay $5 for each additional IP used
You are explicitly NOT allowed to have anything in front of those boxen, thus they would not be able to assign you IP's, and you would not pay them extra. The cap of 4 PC's is too low as well.