More On Detecting NAT Gateways
tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."
it will never work... (Score:5, Interesting)
still same bandwidth (Score:4, Interesting)
What will the future hold? (Score:5, Interesting)
pf circumvents this still it appears. (Score:2, Interesting)
Re:still same bandwidth (Score:5, Interesting)
The phone company used to care how many phones you had. Then the cable company charged per television, and some ISPs care how many computers you have.
The key difference I see is the two previously mentioned industries had those issues resolved by regulation. Regulating consumer grade ISPs might not be a bad thing and finally set limits on things like number of computers or port restriction. And if not, at least we'll know what "consumer grade" service is and all switch to "Small Office" connections, which already seem to be the way to go for people who actually want to use their internet connection at home.
- Serge Wroclawski
It's a war, you break standards. (Score:5, Interesting)
OS fingerprinting was nice, but now some boxes are replying as a Tandy CoCo; it's a very amusing battle. Now TTL is being used to determine multiple NAT'ed IPs. I'm sure someone will write a nice NAT module for linux/etc to bypass this also. Seems like the endless cycle of control freaks losing control.
BTW, not sure which ISPs care about NAT, but there are very, very large NAT-friendly ISPs out there. (Speakeasy for one)
Thanks, sFlow! (Score:5, Interesting)
I just wanted to extend a big thanks to sFlow for posting this paper (and the AT&T people for posting theirs). Despite the fact that DARPA screwed Theo & Co, they are probably already adding a "modulate TTL" setting to pf as we speak.
And of course if you're ultra-paranoid, then just use something like socks or squid to proxy most or all of your TCP connections, and it's 100% indistinguishable from your firewall making the connections out. Because your firewall is making the connections out.
When will they learn?
Kinda irritates me that stuff like this may make my nice all-in-a-box Netgear NAT useless some day, but it's nice to know that people like OpenBSD are there to back us up.
And like someone else said, what exactly does the cable company expect me to do? Expose all of my internal network to the internet? Cha right! They wouldn't even give me more than 3 IPs anyway!
Re:But... (Score:3, Interesting)
Legal? (Score:3, Interesting)
Is it legal for the ISP to sniff your packets? I'm very ignorant when it comes to such things, but this screams privacy issues.
Re:it will never work... (Score:3, Interesting)
After reading the article I've said to myself: hm, I'll have to take care of these things... instead of: hm, I'd better not use NAT.
OTOH, if you have machines with different OSes, it may be pretty difficult to make it look like the packets are coming from a single source, even when only passive fingerprinting is used.
Re:Ummm no ... (Score:3, Interesting)
Bandwidth (about $50-130/mb wholesale)
Customer support (additional troubleshooting)
Security (more machines, more chance for trojans, etc)
Repairs (the guy with six people sharing a cable modem is going to expect instant service restoration, whether he's paying for it or not)
And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out.
Multiple NAT Routers (Score:2, Interesting)
you are protected by the DMCA (Score:1, Interesting)
Why do ISPs really care? (Score:2, Interesting)
The cable internet provider has policies restricting servers, etc., but they only seem to care when the bandwidth use causes problems.
Other than bandwidth use causing problems, or open mail relays, I don't see why ISPs would really care about NATs. In a way, it's sort of like the telephone company working itself into a froth over an answering machine when they offer voice mail service. Maybe we need SOME regulatory body that would permit the connection of any network device that does not interfere with the operation and enjoyment of other network users, similar to the regulation of telephone devices.
Just throwing out ideas.
Re:What else are we supposed to do? (Score:2, Interesting)
This network is not realizable by using their IPs, because they don't give more than 5 IP addresses. Besides, since we access through Comcast and Qwest, whose IPs should we use? What about unintentional leakage of Comcast traffic to Qwest and vice versa?
o/~ What's cost got to do, got to do with it? (Score:2, Interesting)
Pay attention -- this is important. Where is it stated in capitalist doctrine that the sale price of a product must be determined by its cost of production?
Market forces dictate that the sale price of a product will be determined by its VALUE to consumers. Obviously, having multiple computers attached to a DSL/Cablemodem/Whatever connection has value, or /.ers wouldn't bitch about this topic so much.
Now, market pressures being what they are - the price naturally tends to drift TOWARD the cost of production for a commodity item, and as the market for internet service matures - it becomes more of a commodity.
But, as long as having two computers share an internet connection is important to you, someone will be glad to charge you more to do that. And as long as your ISP has a mechanism to offer "one computer, one price" "two computers, different price" products they are going to do it.
And herein lies the beauty of the system: You don't like it? Start Smilin' Bizitch's NAT-Friendly ISP!
Re:Ummm no ... (Score:5, Interesting)
Re:Ummm no ... (Score:2, Interesting)
Re:still same bandwidth (Score:5, Interesting)
While the ISPs may go after a few people- I have serious doubts that the practice will become widespread. Just as the TV splitter was commodity, so are cheap NATs. Heck, some expensive cable modems you can buy in the store come with NAT!
The products are already sold as "Cable Modem Routers".
It is, of course, possible that the ISPs and media publishers would go after home users, but it's likely they'd do it over bandwidth consumption or trading copyrighted material rather than just NATing. Going after them just for NATing wouldn't benefit them. The ISP loses a customer and gets a bad reputation, the home electronics company gets mad at the ISP, and the customer loses.
At least with file traders, the ISP is losing a "bandwidth hog". It may be a weak excuse, but it's something.
What about Virtual Machines? (Score:5, Interesting)
Perhaps it would appear to the outside world that there are more than 1 pc connected, but to prove it, they'd have to have physical access to your home.
Pretty sure they won't get past me...
Re:it will never work... (Score:3, Interesting)
It's about overselling (Score:3, Interesting)
It's not that we care how many computers someone has behind these NAT devices. It's how much of the bandwidth they bought that they are using and how often they're using it.
Our basic ADSL and wireless offerings are 384k/128k. If we had every user maxing out their connection all the time, then we'd have to charge more. Because we're in a remote area, we pay more for our T1 service. We have a T1 that runs about $1k per month and another about $1300 per month (special build for geographic diversity). If 4 of our ADSL or wireless users held their connection maxed out all the time, that would pretty much eat a whole T1. We have just over 300 broadband customers and about 600 dialup on two T1 lines with a third on the way.
Our 384k/128k service is regulated and costs $49.95 per month. If every broadband user insisted on maxing out their connection 24/7, we'd have to charge broadband customers $250 per month just to break even on the T1 costs. That doesn't even count the overhead associated with staff and equipment.
I'm sure there are ISP's out there that are all about the money. We try to be more about service and making sure our customers are happy. But we have to make a living too. I don't think the issue should be if you're using a NAT device or how many computers you have hooked up to it. As I said, we encourage it. I think the issue should be about usage. Sell 3 gig per month. Charge for data over that. (3 gig is a number I pulled out of my head)
My point is, if the ISP is worried about usage, they should charge for that and not for how many computers are behind a NAT box.
Re:Err and that is the USERS problem ?? (Score:3, Interesting)
And why is that? Power companies do it (and get roundly bitched out if they fail to live up). Phone companies do it. Airlines do it, though they do allow you to bet that there will be no-shows. Banks are legally required to be fairly well prepared for runs on their accounts. And yes, if an entire bank ran out of money and left their depositors SOL with a simple "Oh well", I would blame them. They may not be able to prepare for the absolute Armageddon-style worst case scenario, but if they advertise it, they damned well better deliver it and not bitch and moan if their customers actually call the bluff.
I never ever saw a pricing scheme in which a cable company would sell you additional connections for additional TVs
I bet you a whole dollar that we will start to see exactly this kind of nonsense over the next few years in states that have passed the super-DMCA laws. Cable is a communications line and it would be perfectly legal for Time Warner to demand that I account for every device connected. Hell, they could demand that I'm not allowed to use Sony TVs or Panasonic VCRs if they so wanted to. And don't think for a minute that some tin-pot PHB won't try it.
because that would degrade the signal's quality for other users
Huh? Care to provide some support for that little gem?
For phone extensions, on the other hand, applicable arguments are similar to the ISP story. Which also is an area in which you're not so very much in touch with reality, as we've already seen.
I suggest you bone up on your tele-history before you start bandying about insults about ridiculous corporate activities. Ma Bell used to do exactly this. If you wanted another phone on the same line, you had to pay for it. There are plenty of accounts right here on /. by people who, before the breakup, had to hide their 'illicit phones' whenever repairmen came by. It got rightly busted down because it was a bullshit practice.
Re:it will never work... (Score:4, Interesting)
Easy Windows Fix (Score:4, Interesting)
In W2K:
HKEY_LOCAL_MACHINE\System\CurrentControlSet
Just set to 129 if you have a NAT between your PC and the modem.
This way all the packets seem to come directly from a Windows box, and you don't have the (potential) side effects of getting the NAT to change the TTL.
Re:Internet providers. (Score:3, Interesting)
Quite simply, they're not entitled to charge for services that I have been providing for myself for several years now, despite what they may want. I'm not using any more bandwidth than joe average. Less, in fact. I don't allow peer-to-peer clients. Too much security risk for my internal network. I do insist upon being able to access the services I have paid for from whatever computer I happen to be nearest to (I live alone, did I mention that?). I have enabled MYSELF using my OWN hardware to do that. I owe the ISP ZERO. There is NO net difference between my usage and the next guy on the block. My wireless network is blocked from internet access at the firewall. I use my wireless network for remote control purposes. My wireless network is none of my ISP's business. If they probe it, I'll take THEM down under the patriot act. There's no connection between my wireless network and their connection. I can prove it. They can't prove otherwise.
Re:Ummm no ... (Score:4, Interesting)
You're assuming here that every customer is maxing out his/her bandwidth all the time, as if every customer had a P2P client running all the time and enough active downloads that more data is available than he/she can suck down.
I think the point is that there is a maximum amount that you can utilize in a day. My cable modem is capped at 1.5 mbps (I hope). That given, I can download a max of 129600 mbits, or 16 GB in a day. I'm never going to see maximum bandwidth usage, we'll say it maxes out at around 800 mbps, which means I'd be able to d/l 8 GB.
Now, it's definitely possible that I'd do something like that, but I don't need more than one machine to do it. Get it? I have one machine continuously connected, continuously using the maximum amount of bandwidth that I can use, and it's going to be 8-16 GB / day. If I had 2 machines, I'd still be maxing out at 8-16 GB / day.
Having more machines connected to my gateway does not increase the amount of bandwidth available to my cable bridge. It does affect the amount of bandwidth that each of my machines get individually, in that it goes down with the number of machines. If it went up, then we'd have some interesting physics working in this world.
I really don't care if Comcast disconnects me for having more than one machine connected to my modem. Sure, it's against my TOS, but I could just as easily sign a contract with a more agreeable company if Comcast boots me. It'd be a small loss of service on my part, a big loss of profit on their part.
If I were them, I'd let the users do whatever they want, as long as they don't fuck with the cable bridge. That's all comcast really has to be accountable for. If they can show that any machine on the other end of the network cable that is plugged into the cable bridge is getting a signal, then they are following the terms of their contract. If the machine is not getting a signal, then they are liable. The end user should be liable for anything that occurs within the household that is a third party to the cable network.
Re:pointless (Score:1, Interesting)
Nonetheless, sFlow is so trivially overcome it's laughable. Just have the NAT gateway reset the TTL to 255, and forward the packet. End of story.
Predictably, the AT&T Labs article presents a more complex detection method, using the ID field used in keeping track of IP fragments. Again, my NAT gateway can just change the ID of each IP packet to something sequential. It doesn't matter if the ID of the packet changes, just so long as all packets change consistently. Example - I sent a 6K packet (that must be fragmented) with an ID of 50. The NAT gateway can change all fragments of this packet to 100, just as it changed all fragments of the previous packet to 99. IP doesn't care. Delivery is controlled by the IP address, not the ID.
There is no system that I can think of that will properly detect a NAT gateway. If ISPs want to charge by the connection, they should simply start counting the open TCP sessions. So you'd buy a DSL line, but have to commit to 8 TCP sessions for your connection.
Of course, that would totally suck.
Erich Trowbridge
ccie 4653
Re:Ummm Yes, actually... (Score:3, Interesting)
In our case, it is. It's a member-owned cooperative. I used to pay for someone else's Hummer and house with a pool, now I get a check back every year, and a vote in the management of the cooperative. I live 55 miles from the city and have excellent DSL service. And I must admit, I have downloaded plenty of Linux ISOs and 'other' big files, even had my "Internet Cafe" with 5 machines running off it, and never a complaint.
I'll say it again: Member Owned Cooperative.
blah (Score:2, Interesting)
Re:Yawnn.. iptables? (Score:4, Interesting)
Re:Ummm no ... (Score:3, Interesting)
These extra costs are guilt by association. How does two OpenBSD boxes add up to a greater risk of being trojaned than a single Windows box?
I suppose the number of hosts could correlate to these cost variables, but many other indicators correspond a lot better, and of those many are negative correlates (power users need less support than novices and are less likely to harbour or spread trojans).
Do I get a discount from my ISP for configuring rules into my OpenBSD firewall preventing any of my client hosts from *sending* packets on known virus ports? I didn't think so.
It's totally bogus to paste someone with extra costs on the implication of a correlate that can be directly disproven for the case in hand.
Actually there are shades of the Laffer curve here. "If we had no hosts, our costs would be nil. Therefore, every extra host is an extra cost."
Oh my god! This guy doesn't get it either: Laffer curve diatribe [vistech.net].
The problem with the Laffer curve is that *even when* the tax rates are above the value of maximum tax revenue, lowering the tax rate isn't guaranteed to move you toward maximum revenue. You could be caught in some local swirl.
The problem here: the Laffer curve is a curve, not a function, and there is no justification from the premises given for assuming the Laffer curve isn't self-crossing.
NAidT (Score:2, Interesting)
Another option is the SSHd option of TCP forwarding; once the connection hits the router box, that is running an SSHd server, the packets would be pulled out, decrypted, and sent out an entirely new connection to the Internet. In that respect there would be only one machine accessing the Internet and all of the others on the LAN would be accessing it.
Another option would be to have the NAT box, if it was done on a real computer that could be programmed instead of a dedicated box such as those from D-Link, Netgear, etc., check for bandwidth consumption and when there is a lot of excess it could just make its own requests and deliver them to /dev/null. This would add a great deal of garbage to the data that must be analyzed.
It seems that the simplest solution for actually cloaking the number of boxen that sit behind a NAT/firewall is simply to get the initial IP ID of a connection out of a random number generator like one of the BSD flavors did in the article.
Just my $0.02...
Re:it will never work... (Score:3, Interesting)
Yup, this is a non-event except as an annoyance to people who will require firmware upgrades.
Every single aspect that the sFlow guy described can easily be hidden by the NAT box. It can keep its own TTL tables and can assign ports from anywhere in the 0-65535 range that it wants.
The instant anyone uses these techniques to deny service to any NATters, someone will come out with Linux and BSD patches to allow them to NAT more transparently. And then the hardware vendors won't be far behind.
This stuff only works because nobody cared enough to be more sneaky before.
If they want to actually catch people, they need to move up to the application layer. The same computer just sent HTTP-User-Agents for Safari and IE6? Aha! The same computer claims to be running software that only runs on Linux and software that only runs on Windows? Aha!
The first of these can be handled by using a proxy that normalizes HTTP-User-Agent and similar strings, though that will come at some cost to functionality. There is no solution to the second.
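The three signals raised across the thread (the TTL decrement and IP-ID counters in the "Re:pointless" comment, the User-Agent check in the comment just above) applied from the monitoring side, as an added example that is not part of the thread or of the sFlow/AT&T papers. The flow records, the OS default TTL list, the 64-ID window and the expected_hops=0 assumption (probe at the customer's first IP hop) are all constructed for illustration.

```python
"""Added example: NAT-gateway heuristics over constructed per-flow samples.
Signals, as discussed in the thread: (1) observed TTL one below a common OS
default, i.e. a router decremented it; (2) more than one interleaved
near-sequential IP-ID counter; (3) User-Agents naming different OSes."""
from collections import defaultdict

DEFAULT_TTLS = (32, 64, 128, 255)  # common OS initial TTLs (assumed list)
IPID_WINDOW = 64                   # max gap to stay in one ID counter (assumed)
OS_FAMILIES = ("Windows", "Linux", "Mac OS", "FreeBSD", "OpenBSD")

# Constructed sFlow-style records: (external src IP, observed TTL, IP ID, UA)
SAMPLES = [
    ("203.0.113.7", 128, 1000, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    ("203.0.113.7", 64, 31337, "Mozilla/5.0 (X11; Linux i686)"),
    ("203.0.113.7", 128, 1001, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    ("203.0.113.7", 64, 31338, "Mozilla/5.0 (X11; Linux i686)"),
    ("192.0.2.5", 127, 500, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    ("192.0.2.5", 127, 501, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    ("198.51.100.9", 128, 700, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    ("198.51.100.9", 128, 701, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
]

def hops_from_default(ttl):
    """Distance below the nearest OS default TTL at or above the observed value."""
    return min(d for d in DEFAULT_TTLS if d >= ttl) - ttl

def count_ipid_streams(ids):
    """Continue an existing ID counter when the gap is small, else open a new
    one.  A host using random IP IDs (as OpenBSD does) inflates this count."""
    counters = []
    for i in ids:
        for k, last in enumerate(counters):
            if 0 <= i - last <= IPID_WINDOW:
                counters[k] = i
                break
        else:
            counters.append(i)
    return len(counters)

def analyze(samples, expected_hops=0):
    """Per external address, collect the signals and a combined verdict.
    expected_hops=0 assumes the probe sees the customer's first IP hop."""
    by_ip = defaultdict(list)
    for ip, ttl, ipid, ua in samples:
        by_ip[ip].append((ttl, ipid, ua))
    report = {}
    for ip, recs in by_ip.items():
        ttls = {t for t, _, _ in recs}
        streams = count_ipid_streams([i for _, i, _ in recs])
        families = {f for _, _, ua in recs for f in OS_FAMILIES if f in ua}
        behind_router = any(hops_from_default(t) > expected_hops for t in ttls)
        report[ip] = {"ttl_values": ttls, "behind_router": behind_router,
                      "ipid_streams": streams, "os_families": families,
                      "nat_suspected": (behind_router or len(ttls) > 1
                                        or streams > 1 or len(families) > 1)}
    return report
```

Each signal is defeated by the countermeasure the thread names for it (TTL rewriting, a consistent ID rewrite or random IDs, a normalizing proxy), so a verdict here is evidence to review, not proof.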