More On Detecting NAT Gateways 551
tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."
But... (Score:2, Insightful)
Internet providers. (Score:5, Insightful)
On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.
Jason
What else are we supposed to do? (Score:4, Insightful)
Why can't they just have a flexible plan where I say, yes, I admit I have 3 boxen behind NAT and agree to pay an extra $5 to $10 a month? Or is this too logical for them to do?
Don't get your knickers in such a twist (Score:5, Insightful)
"The algorithm for detecting NAT routers relies on the observation that switches directly connected to a host, or in the same subnet as a host, will always see packets from the host with a TTL that is characteristic of the host operating system."
So if you play with the OS fingerprinting (and TTL), you can likely fool this method. Don't forget that your NAT is rewriting part of the information in each packet anyway. It would be more expensive (but probably not prohibitively so) to rewrite more of that information. It is, after all, information for moving the payload around, and not the payload.
This just ups the ante a little.
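The TTL observation quoted above is the whole of the detection method, so here is an added worked example of it in Python. It is not code from the sFlow paper or from anyone in this thread. It assumes sFlow packet samples have already been decoded into (source address, IP TTL) pairs taken on the switch port where hosts are meant to be directly attached; the sample records are constructed for the example. It goes a little beyond the quoted algorithm: besides flagging an address whose packets arrive already decremented, it flags an address that shows more than one OS-characteristic initial TTL (several hosts sharing one translated address) and an address whose hop distance varies between samples, which is what the "twittering TTL" suggested later in the thread would look like to the switch.

```python
"""Flag candidate NAT gateways from sFlow-style packet samples by TTL analysis.

Added example; not the sFlow paper's implementation.
"""
from collections import defaultdict

# Common initial TTLs set by host OS network stacks. A host directly attached
# to the sampling switch should show one of these values unchanged.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample records (not real sFlow output): the two fields an sFlow
# packet sample yields once the sampled header has been decoded.
SAMPLES = [
    {"src_ip": "10.0.0.10", "ttl": 128},  # Windows host, directly attached
    {"src_ip": "10.0.0.10", "ttl": 128},
    {"src_ip": "10.0.0.10", "ttl": 128},
    {"src_ip": "10.0.0.11", "ttl": 64},   # Linux host, directly attached
    {"src_ip": "10.0.0.11", "ttl": 64},
    {"src_ip": "10.0.0.11", "ttl": 64},
    {"src_ip": "10.0.0.20", "ttl": 127},  # one hop away: Windows box behind a NAT router
    {"src_ip": "10.0.0.20", "ttl": 63},   # same translated address, Linux box behind it
    {"src_ip": "10.0.0.20", "ttl": 127},
    {"src_ip": "10.0.0.30", "ttl": 128},  # "twittering" TTL: jittered to look direct
    {"src_ip": "10.0.0.30", "ttl": 126},
    {"src_ip": "10.0.0.30", "ttl": 127},
    {"src_ip": "10.0.0.40", "ttl": 64},   # too few samples to judge yet
]


def infer_initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed value."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    raise ValueError("TTL out of range: %d" % ttl)


def hop_distance(ttl):
    """Routers the packet has traversed, assuming a standard initial TTL."""
    return infer_initial_ttl(ttl) - ttl


def classify_sources(samples, min_samples=3):
    """Return {src_ip: set(findings)} for every source with enough samples.

    Findings:
      'behind-router' - at least one sample was decremented before the switch saw it
      'multiple-os'   - samples imply more than one initial TTL, i.e. several hosts
      'ttl-jitter'    - hop distance varies between samples, which a directly
                        attached host never shows (catches a "twittering" TTL)
    An empty set means the source looks like a directly attached host.
    """
    by_src = defaultdict(list)
    for s in samples:
        by_src[s["src_ip"]].append(s["ttl"])

    report = {}
    for src, ttls in by_src.items():
        if len(ttls) < min_samples:
            continue  # sFlow samples 1 in N packets; wait for more evidence
        findings = set()
        hops = {hop_distance(t) for t in ttls}
        initials = {infer_initial_ttl(t) for t in ttls}
        if any(h > 0 for h in hops):
            findings.add("behind-router")
        if len(initials) > 1:
            findings.add("multiple-os")
        if len(hops) > 1:
            findings.add("ttl-jitter")
        report[src] = findings
    return report


if __name__ == "__main__":
    for src, findings in sorted(classify_sources(SAMPLES).items()):
        print(src, sorted(findings) or ["direct host"])
```

Two caveats a network admin would apply before acting on the report: a host whose initial TTL has been set to a non-standard value (as another comment notes, any OS allows this) will look like it sits behind a router, so a finding is a lead to check, not proof; and because sFlow is sampled, the minimum-sample threshold keeps a single odd packet from producing a report.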
Re:Internet providers. (Score:5, Insightful)
Yep, and then the parties interested in counting NATed machines will go buy a law criminalizing circumvention of their "AUP Enforcement Technology."
After all, only terrorists don't want anyone to know how many machines they've got connected to their cable/DSL modem, right?
~Philly
You don't have to sign the contract (Score:0, Insightful)
If you have agreed to one connection or machine and have multiple connections or machines then you are cheating your ISP. If you want to change it then call your ISP and negotiate, or sign up with someone else, or move somewhere where you can get an ISP to agree to your terms, or form a buying group, or start a boycott, or picket. Do you think breaking a contract is OK?
ISP care? (Score:4, Insightful)
On internet: For all I'm concerned, I have *ONE* computer connected to my DSL, and other computers connected to the one computer. ISP gonna tell me I can't connect computers to each other? What's next? It'd be illegal to have multiple screen/keyboard/mouse on the ONE computer? (I think this can be done...buddyPC??)
The 'client' computers access resources on the 'gateway', which happens to include the external internet filtered through the firewall. I don't have multiple computers connected directly to the internet, that's just insecure.
And besides, what are they losing anyway from NATs? It's the same connection/bandwidth. 150kbs down on one box is the same as 150 split to 75kbs down on 2 computers. It's still only one IP. Whatever activity (and any responsibility) that goes on is on ONE account.
Ummm no ... (Score:5, Insightful)
Go ahead let them screw their customer base over - sure that'll work! - Good plan!
And another thing
Go ahead and try it - be sure to run BlackICE or something so you can count how many times you get portscanned in an hour
Why should we bother (Score:2, Insightful)
Stupid as it sounds, but it goes thru our senators, it couldn't be wrong.
The little downside is that the only job left for IT is tech support for Windows installation....
Re:not all ISPs care (Score:5, Insightful)
Wish I had that on tape
Re:still same bandwidth (Score:4, Insightful)
If you really want to play word games, I define an idle machine as "a computing platform with an operating system loaded and running, but without a user interacting with the system".
I'm glad you like to run a caching DNS server and diskless workstations. Really. But to most people, computers are just tools to play games and send email. They're purchased at places like Sears and CompUSA, and they automatically download things like windows update, antivirus software, etc.
Last time I checked, a caching DNS server only reduces traffic if you have a large enough, active user base to populate and refresh the cache.
Re:Legal? (Score:2, Insightful)
So yeah, they can sniff packets all they want. You agreed to that when you paid for their service.
Now, using what they find in your packets against you in court, or really doing anything with them other than protecting their own network/contracts...that's different.
Re:ISP care? (Score:3, Insightful)
The cable company went through the same thing - they wanted to charge you per TV.
In both cases, the govt stepped in. Also, in both of those cases, it really doesn't matter if you have 1 or 100 TVs hooked up - the signal coming into the house is the same...it does not affect them in any way.
However, with broadband the ISP's have a bad business model - they have x capacity, and sell for more than x on the assumption that not everyone will use it at once.
Like you said, 150kbps on one box or 75kbs on 2 boxes is the same total. However, look at it this way - you download a video (100kbps) and watch it...generally you will deal with that one video stream at a time. So, you use 100kbps. But if you are NATing, you can be watching that stream, junior can be watching one, so can the missus...that's 300k. Basically it becomes more likely that you can keep that 500k connection topped out constantly, thus eroding their business model.
Now, I'm not defending them, just stating why it's not the same.
Two other points: 1) would this make Linux boxes illegal because you could have terminals (serial) hanging off it and multiple people on, like you said with the multiple KVM?
2)I'm surprised after past deregulation the cable modem and dsl/phone companies are doing this.
It's not as easy as fixing NAT's TTL (Score:4, Insightful)
Port numbers are easy to change, but if your ISP wants to do traffic analysis on your IP address, there's not a lot you can do to hide. I'm just very, very glad that I have an ISP [sonic.net] that doesn't suck. In fact, they're pretty damn cool.
Re:Change TTL (Score:5, Insightful)
Get source code. Hack away. Make it set the TTL to 128 when it's in the NAT part of the code. Bingo, problem solved.
Re:Ummm no ... (Score:5, Insightful)
Bandwidth (about $50-130/mb wholesale)
Number of computers in a home environment does not automatically mean more BW. It may come in spurts but not more overall. I go online and do certain things every day. I can do this before, after, or during the times the kids are on and use the same exact BW either way. My firewall is reject unless specifically allowed (limits trojans and spurious connections), I use squid and have every PC set to use it via a proxy.pac autoconfig (currently at over a 45% hit rate after 80k requests) and a caching DNS server.
Customer support (additional troubleshooting)
Maybe, maybe not, I also think this would reduce support as you can eliminate problems related to your PC as you can try another one, or blame it on the ISP. I would also suggest that a person with a multi-PC setup is probably smarter than the average computer user and would call support less.
Security (more machines, more chance for trojans, etc)
This is laughable. It would be much safer to have 15 computers behind a NAT box/firewall than one Windows or misconfigured Linux machine directly connected.
Repairs (the guy with six people sharing a cable modem is going to expect instant service restoration, whether he's paying for it or not)
So what you're saying is everyone with one computer should not expect good service and fast repairs? They just sit back and wait for the ISP to find the problem and they should not expect the service to work when they need it?
You do have points but those can not be separated into those with and without NAT.
And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out.
What do you mean set one up, they are everywhere. Check the advertisements for Comcast, RR, Verizon, Speakeasy, and many others. They all say pretty much the same... Unlimited internet and connected all the time so your online experience is fast and quick. Maybe they should change their tune. Kind of like my cell phone plan.. Unlimited nights and weekends, free long distance, unlimited phone to phone, and unlimited web access. Do you think I should feel guilty when I use it? I don't, that's what they are advertising and that's what I bought the damn things for. Sure as shit, I browse the web with the phone whenever I want, I call all my relatives after 9:00pm or any time during the weekend, and I call phone to phone just because I can.
Prove it (Score:3, Insightful)
How can the ISP prove conclusively that you have a dozen boxes hooked up to the connection? Get a search warrant and take pictures? I think not. While the technique described in the paper is certainly clever, I believe it would have little value in nailing users to the wall when it comes to sharing access.
Re:it will never work... (Score:5, Insightful)
You could also defeat the TCP sequence number counting method by using OpenBSD as a NAT device. Its included packet filter has an option to randomize the sequence numbers of outgoing TCP packets.
Re:Its a war, you break standards. (Score:2, Insightful)
Some universities try to prevent network users from adding routers and wireless APs. Northwestern, for example, has policy [northwestern.edu] to that effect.
The same would go for corporations - I can easily see why a corporation would want to prevent its employees from adding WAPs and routers.
Re:Don't get your knickers in such a twist (Score:1, Insightful)
Ahhh, no. Decrementing the TTL is more expensive than not decrementing the TTL, which is what needs to be done to make the NAT invisible.
The invisible NAT is *less* expensive than the visible NAT.
Err and that is the USERS problem ?? (Score:1, Insightful)
I am curious as to how this differs from the cable companies trying to limit the number of TVs you could have plugged in to cable, or the phone company telling you how many phone extensions you could install? These practices were struck down before, how can they get away with it now?
This is like the airlines selling too many seats on a particular flight, and then not understanding why someone is upset when they can't get on board because the 'unthinkable' happened and everyone showed up....
Re:it will never work... (Score:5, Insightful)
I just can't see this working. They are making assumptions based on some arbitrary implementation of a portion of the IP protocol. It doesn't even rely on any RFC type standards as far as I can tell. This could probably be fixed in NAT devices that are capable of having their firmware upgraded, or someone could just write a hack to the IP driver for the source host and be done with it.
Re:Ummm no ... (Score:2, Insightful)
and you are assuming that everyone with 2+ computers on a broadband connection is using more bandwidth than a person with one computer.
you really don't have a logical leg to stand on.
I will cite Eric's Theorem (Score:4, Insightful)
In short, I am sure the open source community (the OpenBSD guys and the Linux netfilter team) have, or will shortly release mods to foil any NAT detection gear. And I am sure the various NAT box makers and rebadgers (Linksys, Netgear, etc) will soon have a tidy check mark with the text label next to it saying "Hide all computers from greedy ISP and big brother government agency? (y/n)"
Re:You don't have to sign the contract (Score:1, Insightful)
Security. Not Bandwidth. (Score:3, Insightful)
One purpose of this paper is to provide a tool that can address security concerns. And yes, NAT does make it more difficult to police the machines behind the NAT. One reason: "Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building."
This paper never once talks about a problem where NAT users are going to eat up too much bandwidth. Another quote: "In this network the administrative policy is for host computers to be directly connected to the distribution switches, as is shown by Host C. Two hosts, A and B, are connected to the distribution switch through an illicit NAT router." Note the words "administrative policy".
Re:Internet providers. (Score:3, Insightful)
WTF do you mean by "soon"? Try "years ago". Oooohhh, these uber h4x0rs figured out that a router decreases the TTL, excuse me while I worship their skillz.
Okay, I feel better now.
Anyhow, it's insane that they would even try this. First of all, it doesn't have to be NAT... Any router/firewall will do the same thing, which is all you need to tell them you are using. Secondly, the TTL can be arbitrarily set on any OS, and can vary from OS to OS. Tell them your TTL is just set to 253, and you really aren't using NAT, then tell them to fuck off, and cancel your subscription. There are plenty of ISPs (like Earthlink) out there that are happy to let you do whatever the hell you please with the connection YOU PAID FOR! Screw them and their money-grubbing scam.
Bandwidth (Score:2, Insightful)
The only broadband provider in my area just raised their rates by $10/month. I was nice about bandwidth usage before, but now I feel cheated if I don't use it all. I was already paying double what many of my out of state friends pay.
Lucky for them, all versions of the drivers for the cable modem they gave me crash Windows XP if my usage is near the max for several hours.
But they'll soon get what they deserve. Their stock dropped to less than 1/20th of last year's price and they're being investigated by the SEC.
Re:Err and that is the USERS problem ?? (Score:5, Insightful)
Consumer bandwidth is oversold to decrease the price, and the ISP expects you to not max out your bandwidth all the time.
Business connections allow you to connect as many people as you want, run servers, max out your bandwidth 24/7, and you pay the price.
If you want business access, buy it cheapskate. Don't rant and rave about your ISP because you don't understand what kind of service you've contracted for. What you're really asking for is for them to get rid of the consumer tier and force everyone to pay business tier prices. That would give us all fewer choices.
My complaint about anti-NAT measures is that though I have multiple computers connected, one is my laptop and one is my fileserver (for stuff that doesn't all fit on my laptop's HD). Only one person ever accesses the internet from my house. Multiple computers != Higher bandwidth usage. If the problem is bandwidth then they should check for excessive bandwidth usage, not NAT hosts.
Re:Ummm no ... (Score:2, Insightful)
Yes, supporting larger and more complex setups will mean higher costs... but who said anything about *supporting* such a setup?
If the ISP says that they support only PCs, only certain flavours of Windows, only machines connected directly to the cable modem, fine...
If the ISP says that you can't run servers - or at least run servers that are 'public knowledge' - fine...
If the ISP says that there is a bandwidth limit and you might get chucked off if you exceed that - well, it's not what I pay for (I'm not a 'heavy' user, but there are times when I need to download a large chunk of data in a short space of time, or run the odd VPN connection on the rare occasion that I can't get into the office, and I want to be able to do that without recriminations) - but otherwise, fine...
But beyond that, what business is it of the ISP how you set up your machines at home?
Having a couple of machines connected through a gateway doesn't automatically mean that you will exceed a bandwidth limit defined by your ISP... and as long as you don't, what's the problem?
Saying that they expect 'average' users not to approach those limits is *not* a defence... if the ISP sets a bandwidth limit, they are effectively making a contract to provision for that amount of bandwidth being available...
And *supporting* such setups is a non-issue... you don't... anyone has a problem, and a 'complex' network, you tell them to sod off...
It seems bizarre that people defend the activity of ISPs in trying to enforce this on the basis of cost... what about the cost of putting systems in place to sniff out home networks? What about the cost of following up detected cases? What about the loss of income from all the people you chuck off the service, so that you are suddenly left with an over provisioned network for the remaining users?
Seems to me, that it would cost far less for an ISP to lay out the terms under which they provide customer support, and refuse to support people that fall outside of those terms... for an ISP to (possibly) define the amount of bandwidth they expect people to use / agree to make available, and monitor overall bandwidth usage (as they would have to do in all cases), clamping down on people that persistently overuse their connections... but, beyond that, stop harassing and p*****g off their customers that don't need the support, and in every *practical* sense are well behaved broadband citizens, who may just happen to have a home network...
Re:How soon will... (Score:3, Insightful)
Seriously, modifying the TTL on packets could severely degrade a network if placed where a loop is formed. Runaway packets would not die as they are supposed to.
Most home networks do not have any place to form a loop, so not decrementing the TTL shouldn't make a difference to a home network NAT router.
Netfilter (Linux) Already Solves TTL Issue (Score:2, Insightful)
According to The Netfilter HOWTO [netfilter.org] you should be able to just apply the (already existing) TTL patch and then issue a command similar to the following in the appropriate part of your firewall rules:
Gee, that didn't take long :)
pointless (Score:3, Insightful)
Well, they happen to do that right now, mostly because of historical accident. If bogus "NAT detectors" like this proliferate, people will simply move to user-mode NAT. That is, packets from network A are redirected to a user-mode process which then looks at them and sends out a request on network B, and the same in reverse. In that case, the packets sent from the NAT process onto network B are indistinguishable from the packets coming from any other user mode process because they were generated by a user mode process.
The only thing ISPs can do to detect NAT is to look at traffic patterns and accusing you of, say, browsing too many web sites per second. That eventually just amounts to volume-based (or traffic-pattern-based) charges. Sure, they can do that, and they probably should, but at current prices, that's not going to affect you browsing the web from two machines.
Re:But... (Score:2, Insightful)
machine. (Not some app running under your Windows.) Anyone who desires real security suddenly has a NAT situation and in violation of the one-machine ISP rules. (One host? 'host' is a loaded term best avoided.) And most modern cheap retail router boxes for consumers place them into this situation. But of course removing the ability for individuals to have real security is a modern day goal anyway.
If checking consistency of TTL is the method, then obviously someone will implement a twittering TTL (small variances near but not always at 128, say). Does the industry REALLY want to encourage protocol mangling just so they can say you can't run a firewall?
How is this anyone's business? (Score:5, Insightful)
And when are we going to rise up and tell the greedy, small-minded busy-bodies to take a flying leap? I am beginning to think it isn't even about greed but more about control for the sake of control.
Re:Ummm no ... (Score:1, Insightful)
Take the common "We can change anything at any time" term. Why should this be a fair term for a Large Company to include? I've put enough time into researching internet plans or cell phone plans by that point that I have a legitimate interest in not having to do so again if the terms change.
As far as sharing electricity or telephones, I don't know but I doubt anyone would care. If you run an extension cord to your neighbor's house, you get to pay for their electricity for them! If you ran a telephone line, all their long distance charges show up on your bill.
My main reason for annoyance with the ISPs and the attitude that it's okay to throw in whatever terms you like, is that out here there are very few options. We can't get DSL, and there's one dinky little local cable company. They only offer one "business-level" package, which is just the residential package + $60. We don't need _much_ bandwidth - a "real" connection would be overkill (both in terms of speed and price). Why is it so hard to find an ISP that has static IPs, lets you run a very-low-volume server (probably wouldn't even get a hit on an average day), doesn't mind NAT, and doesn't cost an arm and a leg? It's because it's become far too easy to write unnecessarily restrictive rules in a Terms of Service.
Re:Prove it (Score:3, Insightful)
Let's take spam as an example. Most ISP's will cut off spammers at the drop of a dime. But let's say I'm running a mail server (we will assume I'm using an ISP that allows servers) but I was stupid and left relaying open. Now spam starts spewing forth from my connection and pretty soon the ISP hears about it. Snip snip. Then I'd call the ISP and explain what happened, and most likely get my connection restored. YMMV with strike 2, though.
Now let's consider the topic at hand: NAT. The same thing could happen here, but instead of a dozen pieces of spam with your IP on it, they have a table with suspicious TTL's. Two words here: Plausible denial.
Besides this, the ISP has to make some decisions here:
1) Am I willing to cut off paying customers for traffic patterns that may or may not be from a NAT box?
2) Will the users be comfortable if they know I am sniffing their outbound packets?
3) Will they be alienated when they receive my call that tells them they are not allowed to run their already paid-for NAT box and if they continue they will be disconnected.
If an ISP decided to take up these policies, word would spread quick. Most (smart) ISP's know that techies' opinions of them are important. How many times have you been asked "What is the best ISP? Who should I go with?". On my worst day, I wouldn't recommend any ISP who sniffs any kind of traffic or dictates what kind of hardware you are allowed to run in your house.
Re:Err and that is the USERS problem ?? (Score:2, Insightful)
EVERY ISP OVER-SUBSCRIBES THEIR BANDWIDTH. They always have and always will. Not so many years ago, it was about 5:1 up to 7:1. Today, the margins are lower and it's much harder to get money out of people. So, now it's more like 10:1, 12:1, and even higher.
The speed they push is "burst" speed. Nowhere in your contract do they say you have 384k in both directions all the time. And they certainly won't promise any speed beyond their own network -- once your traffic is handed to UUNet (or whomever), your ISP has no control.
Sales people around here constantly "lie" to people. When you buy a 256k frame connection, 256k is the *port speed*. CIR is extra. (We default to 1/2 port speed but others default to 0 unless you buy more.) But the sales monkeys don't mention this or specifically speak to the contrary.