More On Detecting NAT Gateways

tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."

  • not all ISPs care (Score:3, Informative)

    by brer_rabbit ( 195413 ) on Wednesday April 23, 2003 @09:36PM (#5795834) Journal
    I think most smaller ISPs don't really care if you're using NAT. In fact, I bet lots of ISPs expect you to. Your best bet is to read the terms before signing up and stay away from the AOL/Earthlink conglomerate types.
  • by mattyohe ( 517995 ) <matt.yohe@gmai l . com> on Wednesday April 23, 2003 @09:39PM (#5795852)
    Try reading your contract agreement.. If it doesn't mention it.. you are in the clear.. if it does, you need to learn how to make your NAT gateway not reveal the IP TTL.

    That is.. if you are actually worried about anything.
  • by emag ( 4640 ) <slashdot&gurski,org> on Wednesday April 23, 2003 @09:47PM (#5795891) Homepage
    The theory (at least it was several years ago) is that business class telephone users aren't actually being charged more for being a business, but that home users are being charged less since they don't typically use the resources at peak times (read: during the daytime) when excess free circuits are at a premium. In other words, the theory is/was that businesses are *subsidizing* home users.

    Now, in today's modern world, with most of the (modern) phone network being packet-switched, it's probably just another way to eke out extra money from a more or less captive audience. Of course, you just know that if businesses were being charged less, home users would still end up paying more in the end. *sigh*
  • by pjkundert ( 597719 ) on Wednesday April 23, 2003 @09:47PM (#5795892) Homepage
    The technique described depends on two very simple mechanisms: A) assuming that a NAT router will decrement each packet's Time-To-Live (TTL), thus exposing its presence, and B) searching for independent, incrementing sequences of IP packet IDs, to estimate the number of hosts behind the NAT router.

    The time before there are "fixed" versions of both NAT (which don't decrement TTL) and of IP packet IDs (changing all IDs into a single monotonically increasing order, or randomizing them) will be measured in hours.

    Hopefully the authors of this paper aren't doing research for a living...
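    Both heuristics the post describes, run over constructed sFlow-style samples, as an added example that is not code from the paper or from any poster; the initial-TTL table, the max_gap tolerance and the "looks random" threshold are assumptions, and the randomized-ID case is the failure mode the post predicts:

```python
"""Toy NAT-detection heuristics (added example, not the paper's or any poster's code).

Heuristic A: a NAT router decrements TTL, so a host behind it is one hop farther
away than the access link alone explains.
Heuristic B: each host keeps its own IP ID counter, so IDs seen from one external
address fall into several independent incrementing runs.
Both break once the OS randomizes IP IDs or the gateway rewrites TTL; the counter
reports that case instead of guessing.
"""

INITIAL_TTLS = (64, 128, 255)   # common OS defaults (assumption)

def hops_from_ttl(ttl):
    """Hops travelled, assuming the sender started from the nearest default >= ttl."""
    return min(init - ttl for init in INITIAL_TTLS if init >= ttl)

def extra_hops(samples, expected_hops):
    """Heuristic A. samples: (ttl, ip_id) pairs seen from one external address.
    Returns the sorted hop counts larger than the access link alone should produce."""
    return sorted({hops_from_ttl(t) for t, _ in samples if hops_from_ttl(t) > expected_hops})

def count_id_runs(samples, max_gap=32):
    """Heuristic B. Greedily assigns each IP ID to the run it most plausibly continues
    (a small forward step, modulo 16 bits); otherwise it starts a new run.
    Returns (number_of_runs, looks_random). max_gap is an assumed tolerance."""
    runs = []                                   # last IP ID of each run
    for _, ip_id in samples:
        best, best_gap = None, None
        for i, last in enumerate(runs):
            gap = (ip_id - last) % 65536        # forward distance, wraps at 2^16
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            runs.append(ip_id)
        else:
            runs[best] = ip_id
    # If most packets opened a new run, the IDs are not sequential at all.
    looks_random = len(samples) >= 8 and len(runs) > len(samples) // 2
    return len(runs), looks_random

def estimate_hosts(samples, expected_hops=1):
    """Combine both heuristics; hosts is None when the ID count is meaningless."""
    runs, random_ids = count_id_runs(samples)
    return {
        "extra_hops": extra_hops(samples, expected_hops),
        "hosts": None if random_ids else runs,
        "ip_ids_randomized": random_ids,
    }

# Constructed capture: a Linux box (TTL 64) and a Windows box (TTL 128) behind one
# NAT router, sampled at the ISP edge one hop past the customer's gateway.
TWO_HOSTS = [(62, 1000), (126, 30000), (62, 1001), (62, 1002), (126, 30001),
             (62, 1003), (126, 30002), (126, 30003), (62, 1004), (126, 30004)]

# Constructed capture: one host whose OS randomizes IP IDs. TTL still shows the
# extra NAT hop, but the ID heuristic must not pretend to count hosts.
RANDOM_IDS = [(62, i) for i in (41913, 3077, 59210, 17845, 29501, 8812, 52367, 36024)]

if __name__ == "__main__":
    print(estimate_hosts(TWO_HOSTS))    # {'extra_hops': [2], 'hosts': 2, 'ip_ids_randomized': False}
    print(estimate_hosts(RANDOM_IDS))   # {'extra_hops': [2], 'hosts': None, 'ip_ids_randomized': True}
```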

  • Just change ISP's (Score:3, Informative)

    by _UnderTow_ ( 86073 ) on Wednesday April 23, 2003 @09:55PM (#5795934)
    If you don't like your ISP's policies then change your ISP.

    I get my DSL through speakeasy.net, and so far they seem to be about the coolest provider I've heard of. They don't care how many machines you have hooked up to your connection, they don't care if you run servers, they actually encourage you to share your connection via wireless networking. I read in one of their recent newsletters that if you set up an AP they'd like to know so they can tell the other speakeasy customers about it. I'm pretty sure they're available in most large cities (I'm in Seattle).

    If you want to sign up and don't mind sending $50 my way use this [speakeasy.net] referral link.
  • Yawnn.. iptables? (Score:5, Informative)

    by MacroHard ( 107619 ) on Wednesday April 23, 2003 @09:58PM (#5795955) Homepage
    # Set a fixed TTL on packets leaving eth0 (mangle table, TTL target; -o, not -i, on OUTPUT).
    # Note: OUTPUT only sees packets the gateway itself generates; forwarded NAT traffic needs POSTROUTING.
    iptables -t mangle -A OUTPUT -o eth0 -j TTL --ttl-set 64
  • Yes, and.... (Score:5, Informative)

    by djupedal ( 584558 ) on Wednesday April 23, 2003 @10:01PM (#5795962)
    I have three computers and a PS2 behind an Airport Base Station on a VDSL connection.

    When my ISP shuts down all the chatter I see, around the clock, from Code Red hits (default.ida requests, etc.), like 12~14 per second, I'll be happy to discuss my 'expanded' bandwidth usage and how it impacts their resources.

    Code Red has little direct impact on my boxes, since I'm MS free, but with the general effect being a load on the network right up against my VDSL modem, this is still a very real issue. If the ISPs want to reduce loads, they can look to stop some of the noise from other sources as well. What other sources? Let me think...ummm...spam mail? Port scan probes....
  • Re:Ummm no ... (Score:4, Informative)

    by Rude Turnip ( 49495 ) <(valuation) (at) (gmail.com)> on Wednesday April 23, 2003 @10:05PM (#5795984)
    There are no additional costs.

    Bandwidth: You can only suck so much down on a broadband connection at a time. One guy downloading MP3's all day is using more bandwidth than two people in a household with simple needs who want to network their two computers.

    Customer Support: If the service contract says one IP, one system, they're not going to help you solve problems with your network. Comcast refuses to troubleshoot anything for me until I plug my system directly into the cable modem, for example.

    Security: The user bears this cost, not the ISP.

    Repairs: If you pay for "consumer level" service, they're only going to give you "consumer level" service, regardless of how many people use the connection.
  • Re:ISP care? (Score:3, Informative)

    by bnenning ( 58349 ) on Wednesday April 23, 2003 @10:28PM (#5796091)
    Maybe the fact that the ISP owns that network you are using gives them the right.


    No, the ISP does not own the portion of the network from my NAT box to my computers. Per my contract with my ISP, I have exactly one machine connected to their network. That machine happens to be a Linksys router, and it happens to forward requests sent to it over *my* network, but that's none of their business.

  • by HeghmoH ( 13204 ) on Wednesday April 23, 2003 @10:53PM (#5796204) Homepage Journal
    Packet switched networks don't magically make the problem of congestion during peak hours disappear. They can degrade more gracefully when overloaded, but that doesn't mean the phone company won't try to avoid it, and it doesn't mean they won't still charge more for customers who will tend to use capacity at peak times.
  • by sheddd ( 592499 ) <jmeadlock AT perdidobeachresort DOT com> on Wednesday April 23, 2003 @10:55PM (#5796218)
    (I'm ignoring the cost of creating/leasing lines and support)

    ISP's costs are based on bandwidth used (this can depend on when the bandwidth is used, and whether it's up or down and out of their netblock or inside it). The # of machines connected has no bearing and it's pretty damn difficult to define a 'connected pc' IMO. Which of these would you include?:

    - A hardware router running embedded linux
    - A hardware router running embedded linux which I've hacked and can surf with
    - A linux router (with no keyboard/monitor)
    - A linux router (with a keyboard/monitor)
    - A palm which is connected once per day to a windows machine behind the router
    - A bloke who's hijacking my WiFi connection
    - A bloke who's hijacking the hijacker's Infrared port
    - My laptop which I plug in at night and take to work the next day
    - An x server (Or Windows Terminal Server) serving 50 websurfing clients

    Will I be charged for maximum # of concurrent natted boxes, or average # of natted boxes? Or some other scheme?

    I don't see where you could draw a nice precise black line on the definition of internet client; it all looks grey to me.

    Speculation:

    I think ISPs don't charge for bandwidth YET because it'd cost them money to measure it. I assume it would cost them more to measure {average or maximum natted boxes}. I think they'll finally see the light and begin charging an amount that has some pretty close correlation to their costs (though I think it'll take 5 years or so before new ISPs begin rolling out nice routers which catalog bandwidth based on what time of day it is, etc.).
  • by Anonymous Coward on Wednesday April 23, 2003 @11:01PM (#5796252)
    Not if you're not sharing the internet connection.

    They don't know about the DHCP, but they can still tell what machines you have if they try hard enough. Your DHCP server gives you an IP address when you connect, but only for the inside network. If you're connecting several boxes to your one live IP address, NAT changes the sending address on the packets to be your external address on the way out and changes the receiving address on the responses. The point is, if more than one machine is using the external connection, someone on the other side can potentially tell if they're there.
  • by spamania ( 633669 ) on Wednesday April 23, 2003 @11:05PM (#5796269)
    I just perused my TOS agreement with my DSL provider and three things struck me:

    1) Fortunately, my DSL provider (SBC) acknowledges and allows the use of routers to connect multiple home computers to a single DSL router.

    2) They disallow users to "forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Service." That means that, at least with SBC, reconfiguring your NAT routing device to not decrement the TTL on packets could constitute a breach of contract. YMMV.

    3) I could not find any clause prohibiting SBC from inspecting the contents of packets it handles. Theoretically then, in addition to considering the IP IDs of received packets as mentioned in the sFlow article, your ISP could perform analysis of any unencrypted traffic from your IP. For instance, if you were playing Counterstrike and your housemate was surfing the web, traffic analysis of the packets originating from your IP could correctly identify the existence of multiple hosts.

    Obviously, such analysis would be computationally intense, and could not be performed on an ISP's entire customer base simultaneously, but as a random auditing tool, or a followup to previous suspicion, this type of analysis could be an effective tool for ISPs that wanted to outlaw multiple connections.

    That said, I agree with the countless comments to the effect that very few ISPs are going to actively pursue any of these measures; the costs seem to greatly outweigh the benefits. Imagine if my ISP did crack down on my four home computers behind my NAT router: I would still be capable of using the same amount of bandwidth with only one computer, I would be pissed off and looking for another provider, and most importantly, I couldn't give SBC any more money if I tried--it's not as though I can get multiple DSL accounts on the same phone number (and believe me, I certainly wouldn't let SBC charge more for "Platinum NAT Service").

  • Use a Linux box (Score:2, Informative)

    by jasonrocks ( 634868 ) on Wednesday April 23, 2003 @11:17PM (#5796327)
    Seriously, how does this crap find its way on to /.
    All you need to do to defeat this "foolproof" method is to stick a Linux box with 2 network cards between the NAT device and the internet connection. Then you can mess with those TTLs all you want. Come on guys, get in the game. If it were this easy to detect NATs everyone would have done it by now.
  • Re:wireless... (Score:2, Informative)

    by mattyohe ( 517995 ) <matt.yohe@gmai l . com> on Wednesday April 23, 2003 @11:32PM (#5796381)
    if you haven't heard.. WEP is hackable.
  • Well, if you use Win2k, XP, Mac OS X, Linux or Solaris, you're covered because the sequence numbers are already random, and thus you can't use the counting technique.
    And if you have old computers, you won't need to modify anything except for your firewall rules. If you have *BSD, you have the sequence number rewriter, which is also available on Linux as the "ippersonality" extension to the iptables firewall. Both of these also support TTL mangling (built-in).

    You have the power to make your network look like whatever you want. It's nice to have an ISP that's cool, but if you're unlucky, they'll never be the wiser. In a way, if you're going through such effort, you're probably helping them out somehow by wrangling your own network into some resemblance of order. ^_^
  • Re:Hardware list? (Score:3, Informative)

    by joer ( 75310 ) on Wednesday April 23, 2003 @11:56PM (#5796468)
    Check the sFlow "Participants" page here [sflow.org].
    And note that ntop [ntop.org] groks sFlow, too. Open source traffic characterization, with an open standard for instrumentation. Very cool.
  • by Anonymous Coward on Thursday April 24, 2003 @12:00AM (#5796476)
    Sure, it's not pretty, but if the ISPs decide to use it against us, we'll just have to use proxies. Linksys/DLink/NetGear/you name it will have an affordable proxy appliance out before you know it.

    Let's face it- before the Cable Router was prevalent, everyone that wanted to share used a machine with (2) NICs. The people smart enough to figure it out will do that with proxies (or if you're not smart enough to think of that, now I just thought of it for you). Once the companies realize this is another cheap thing that they can do to make lots of $$$, they'll market a cheap appliance that will do it.

    Before the cable router, I used 2 NICs and WinRoute to NAT. Before that, 2 NICs and WinProxy to Proxy.

    The ISPs will realize that there is always a way around it, and that the trouble of detecting will cause them so much pain that ... well, they probably won't do it (if they're smart, which they aren't always...).

    My .02
  • Not All ISP's Care (Score:4, Informative)

    by Guido69 ( 513067 ) on Thursday April 24, 2003 @12:44AM (#5796629) Homepage
    I'm sure there are many ISP's throughout the world that don't really care if you've got a little Linksys router with a few PC's behind it. I found one today that encourages it.

    Black Hills Fibercom (in little Rapid City, SD). They offer phone, digital cable, and broadband. Called today on behalf of my Dad who is considering their broadband package. I asked about firewalls - they strongly recommend using one and will even help set up any of the major software firewalls during install. He then proceeded to recommend purchasing a NAT router for additional protection. I damn near fell out of my chair.

    We talked a bit about bandwidth and I brought up access for multiple PC's. He then said definitely get a router or they would have to charge an additional (though nominal) fee for each additional IP. At that point, I did fall out of my chair.

    They won't support your home network nor will they help set up your router. They will, however, walk a user through disconnecting it during a support call if it's necessary for them to see their computer over the network to resolve an issue.

    Almost makes me wish I still lived there.
  • Re:Ummm no ... (Score:3, Informative)

    by Blkdeath ( 530393 ) on Thursday April 24, 2003 @12:46AM (#5796636) Homepage
    I am merely assuming that an ISP that supports larger and more complex setups will face higher costs than an ISP that only supports small and simple setups on the end of their lines.

    My sister happens to work technical support for a major US broadband ISP. Do you know what she's been instructed to tell people who call regarding multiple device configurations? Disconnect the NAT device, connect the Internet 'modem' to a single Windows or Macintosh-based computer and call back.

    There are no elevated support costs because they don't support it, period. The telcos support their lines as far as the demarc point, the ISP supports it as far as the end of your ethernet cable connected to a single NIC of a single PC running an approved operating system for which they have complete sets of canned support instructions on their websites and in the manuals on the desks of their technical support representatives.

    You were right about one thing; you don't have a logical leg to stand on.

  • by Archfeld ( 6757 ) <treboreel@live.com> on Thursday April 24, 2003 @01:25AM (#5796780) Journal
    but I can remember when the phone company, and there WAS ONLY MA-BELL back then, claimed to OWN the phones inside your house. The first cable companies regulated the number of TV's you could use by lowering the power on the line, but again why is it my problem (Joe User) if an ISP has been foolish and promised customers always-on bandwidth and then doesn't have the bandwidth when those customers try to exercise the service they've paid for??

    BTW, how does my use of the end product affect ANY OTHER USERS? We are not talking token ring here; what hits my house ends there, cable TV speaking?

    !!!"But that doesn't mean they should plan for an event in which all users want all their bandwidth simultaneously." !!! Why not? Fail to plan for a viable worst case and you are a FOOL, and generally a bankrupt one.

    As an employee of a major bank, I'd suggest you read your account agreement, they HAVE thought of that and you will be stuck with a cashier's check if the manager decides the case warrants it.
    As an aside, I do have a business class SDSL connection with redundancy and a rate for redress if they are down outside SOW for more than 2 hours, and it is quite a bit steeper: 149.00 for 384 SDSL.
  • by RazzleDazzle ( 442937 ) on Thursday April 24, 2003 @01:51AM (#5796868) Journal
    Well I have news for you buddy. I work as top level technical support for an ISP and we support any kind of situation that we are able to. NAT, real IPs network, wireless, etc. If we don't know how to configure a nat/router (or can't figure it out over the phone) we send them to the manufacturer.

    Hell one time I helped someone configure a DSL router from Netgear that terminated the dsl itself (not using a Cisco 67x or other products like Actiontecs). I didn't even know Netgear made these things. Of course I work for a really really really cool ISP and I get all my networking needs for free like dsl, dns, e-mail, web, colocation, t-1 (can't afford the local loop to the phone company for a t-1 otherwise you know I would have one!). Back to my point anyways... ISPs like this do exist as I work for one.
  • by Anonymous Coward on Thursday April 24, 2003 @02:20AM (#5796949)
    Linux kernel 2.4.? + grsecurity [grsecurity.net] patch randomizes TTLs [securityfocus.com] and a few other identifiers. OpenBSD isn't alone in this arena, its defaults are just better (as usual).
  • by Anonymous Coward on Thursday April 24, 2003 @06:18AM (#5797568)
    >gateway (if its opensource, that is) to deduct an additional TTL for you.

    If you're using a NAT box it's a much better idea to set the TTL to a standard TTL as they leave your NAT box, i.e.
    $IPTABLES -A POSTROUTING -t mangle -j TTL --ttl-set 128

    Then you don't get the different TTLs if you have different OSs inside, also one can't get an idea of your network structure by looking at how much TTLs are decremented before they appear outside your network.

    If you want to play around with your packets even more you can use http://ippersonality.sourceforge.net/

    Crg.

  • by Anonymous Coward on Thursday April 24, 2003 @07:11AM (#5797705)
    Greetings Brother SourceHammer:

    You probably know me, I'm Attorney John Ashcroft.

    I was browsing Slashdot this morning and stumbled upon your wonderfully written, and highly objective post. I'm hoping, my dear friend, that you would contact me. You seem to have the right attitude for helping my colleagues and I with our pursuit of Total Information Awareness.

    Just five minutes ago I spoke with Condoleezza and she agreed you have what it takes: absolute submission to authority and belief in the morality of bureaucracy, regardless of any thought or self-reasoning. After 9/11 this is precisely the people we've been looking for, and I'm hoping you can join our team, including such members as Colin Powell, Donald Rumsfeld, and Dick, or as we nickname him around the office "Killa" Cheney.

    Waiting to hear from you!

    Sincerely,
    John

    PS: Colin and Condy asked if I could post a help wanted ad too. They're looking for a person to bring them tea, as well as coffee, and clean up the offices. Preferably the person to fill this position should be black, and willing to be referred to as "boy" on numerous occasions.
  • Re:Ummm no ... (Score:3, Informative)

    by Blkdeath ( 530393 ) on Thursday April 24, 2003 @10:02AM (#5798728) Homepage
    But you've just described the elevated support costs. It costs the ISP money to have your sister tell the customer to disconnect the NAT box.

    She also has to tell customers that:

    • No, the Internet won't work in a power failure.
    • No, the Internet won't work if your [cable|phone line] is disconnected/severed.
    • No, we will not send a technician to explain to you in person why you were disconnected for seven minutes at 1AM.
    • No, we do not support printers. Call your local computer store.
    • No, we do not support [Linux|BeOS|FreeBSD|OS/2|etc.]

    And any number of other inane requests that come across her phone queue on a daily basis. Such short, canned, automatic responses are a part of running a call centre and are completely expected. There are upwards of 1000 phone operators working in her call centre on that project at any given time, and it only takes one of them 2 minutes to inform a customer of this policy.

    Please don't be so pedantic.
