More On Detecting NAT Gateways 551
tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."
But... (Score:2, Insightful)
Re:But... (Score:2)
Re:But... (Score:3, Interesting)
Re:But... (Score:2)
Groan. Sorry. I couldn't help myself.
But they know this is an issue, and that's why they'd rather turn a blind eye to the guy who has an ethernet connected to his canon inkjet printer, and concentrate on the kid who's sharing his connection with two neighbors and a file server.
Ummm no ... (Score:5, Insightful)
Go ahead let them screw their customer base over - sure that'll work! - Good plan!
And another thing
Go ahead and try it - be sure to run BlackICE or something so you can count how many times you get portscanned in an hour
Re:Ummm no ... (Score:3, Interesting)
Bandwidth (about $50-130/mb wholesale)
Customer support (additional troubleshooting)
Security (more machines, more chance for trojans, etc)
Repairs (the guy with six people sharing a cable modem is going to expect instant service restoration, whether he's paying for it or not)
And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out.
Re:Ummm no ... (Score:4, Informative)
Bandwidth: You can only suck so much down on a broadband connection at a time. One guy downloading MP3's all day is using more bandwidth than two people in a household with simple needs who want to network their two computers.
Customer Support: If the service contract says one IP, one system, they're not going to help you solve problems with your network. Comcast refuses to troubleshoot anything for me until I plug my system directly into the cable modem, for example.
Security: The user bears this cost, not the ISP.
Repairs: If you pay for "consumer level" service, they're only going to give you "consumer level" service, regardless of how many people use the connection.
Re:Ummm no ... (Score:5, Interesting)
Re:Ummm no ... (Score:4, Interesting)
You're assuming here that every customer is maxing out his/her bandwidth all the time, as if every customer had a P2P client running all the time and enough active downloads that more data is available than he/she can suck down.
I think the point is that there is a maximum amount that you can utilize in a day. My cable modem is capped at 1.5 mbps (I hope). That given, I can download a max of 129600 mbits, or 16 GB in a day. I'm never going to see maximum bandwidth usage, we'll say it maxes out at around 800 mbps, which means I'd be able to d/l 8 GB.
Now, it's definitely possible that I'd do something like that, but I don't need more than one machine to do it. Get it? I have one machine continuously connected, continuously using the maximum amount of bandwidth that I can use, and it's going to be 8-16 GB / day. If I had 2 machines, I'd still be maxing out at 8-16 GB / day.
Having more machines connected to my gateway does not increase the amount of bandwidth available to my cable bridge. It does affect the amount of bandwidth that each of my machines get individually, in that it goes down with the number of machines. If it went up, then we'd have some interesting physics working in this world.
I really don't care if Comcast disconnects me for having more than one machine connected to my modem. Sure, it's against my TOS, but I could just as easily sign a contract with a more agreeable company if Comcast boots me. It'd be a small loss of service on my part, a big loss of profit on their part.
If I were them, I'd let the users do whatever they want, as long as they don't fuck with the cable bridge. That's all comcast really has to be accountable for. If they can show that any machine on the other end of the network cable that is plugged into the cable bridge is getting a signal, then they are following the terms of their contract. If the machine is not getting a signal, then they are liable. The end user should be liable for anything that occurs within the household that is a third party to the cable network.
Re:Err and that is the USERS problem ?? (Score:5, Insightful)
Consumer bandwidth is oversold to decrease the price, and the ISP expects you to not max out your bandwidth all the time.
Business connections allow you to connect as many people as you want, run servers, max out your bandwidth 24/7, and you pay the price.
If you want business access, buy it cheapskate. Don't rant and rave about your ISP because you don't understand what kind of service you've contracted for. What you're really asking for is for them to get rid of the consumer tier and force everyone to pay business tier prices. That would give us all fewer choices.
My complaint about anti-NAT measures is that though I have multiple computers connected, one is my laptop and one is my fileserver (for stuff that doesn't all fit on my laptop's HD). Only one person ever accesses the internet from my house. Multiple computers != Higher bandwidth usage. If the problem is bandwidth then they should check for excessive bandwidth usage, not NAT hosts.
Re:Err and that is the USERS problem ?? (Score:3, Interesting)
And why is that? Power companies do it (and get roundly bitched out if they fail to live up). Phone companies do it. Airlines do it, though they do allow you to bet that there will be no-shows. Banks are legally required to be fairly well prepared for runs on their accounts. And yes, if an entire bank ran out of money and left their depositors SOL with a simple "Oh well", I would blame them.
I am not sure how old you are (Score:3, Informative)
BTW how does my use of the end product affect ANY OTHER USERS ? we
Re:Ummm no ... (Score:3, Informative)
My sister happens to work technical support for a major US broadband ISP. Do you know what she's been instructed to tell people who call regarding multiple device configurations? Disconnect the NAT device, connect the Internet 'modem' to a single Windows or Macintosh-based computer and call back.
There are no elevated suppo
Re:Ummm no ... (Score:3, Informative)
She also has to tell customers that;
Re:Ummm no ... (Score:5, Insightful)
Bandwidth (about $50-130/mb wholesale)
Number of computers in a home environment does not automatically mean more BW. It may come in spurts but not more overall. I go online and do certain things every day. I can do this before, after, or during the times the kids are on and use the same exact BW either way. My firewall is reject unless specifically allowed (limits trojans and spurious connections), I use squid and have every PC set to use it via a proxy.pac autoconfig (currently at over a 45% hit rate after 80k requests) and a caching DNS server.
Customer support (additional troubleshooting)
Maybe, maybe not. I also think this would reduce support as you can eliminate problems related to your PC as you can try another one, or blame it on the ISP. I would also suggest that a person with a multi-PC setup is probably smarter than the average computer user and would call support less.
Security (more machines, more chance for trojans, etc)
This is laughable. It would be much safer to have 15 computers behind a NAT box/firewall than one Windows or misconfigured Linux machine directly connected.
Repairs (the guy with six people sharing a cable modem is going to expect instant service restoration, whether he's paying for it or not)
So what you're saying is everyone with one computer should not expect good service and fast repairs? They just sit back and wait for the ISP to find the problem and they should not expect the service to work when they need it?
You do have points but those can not be separated into those with and without NAT.
And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out.
What do you mean set one up, they are everywhere. Check the advertisements for Comcast, RR, Verizon, Speakeasy, and many others. They all say pretty much the same... Unlimited internet and connected all the time so your online experience is fast and quick. Maybe they should change their tune. Kind of like my cell phone plan.. Unlimited nights and weekends, free long distance, unlimited phone to phone, and unlimited web access. Do you think I should feel guilty when I use it? I don't, that's what they are advertising and that's what I bought the damn things for. Sure as shit, I browse the web with the phone whenever I want, I call all my relatives after 9:00pm or any time during the weekend, and I call phone to phone just because I can.
Re:Ummm Yes, actually... (Score:3, Interesting)
In our case, it is. It's a member-owned cooperative. I used to pay for someone else's Hummer and house with a pool, now I get a check back every year, and a vote in the management of the cooperative. I live 55 miles from the city and have excellent DSL service. And I must admit, I have downloaded plenty of Linux ISO's and 'other' big files, even had my "Internet Cafe" with 5 machin
Re:Ummm no ... (Score:3, Interesting)
These extra costs are guilt by association. How does two OpenBSD boxes add up to a greater risk of being trojaned than a single Windows box?
I suppose the number of hosts could correlate to these cost variables, but many other indicators correspond a lot better, and of those many are negative correlates (power users need less support than novices and are less likely to harbour or spread trojans).
Do I get a discount from my ISP for configuring rules into my OpenBSD firewall preventing any of my client h
Re:Ummm no ... (Score:3, Funny)
Re:But... (Score:2)
They might. If in their terms of service they specifically disallow connection sharing via NAT, you have no (legal) resource.
But I think the main purpose would be for corporations and other networks to detect potential security breaches.
A *lot* of spam comes from insecure proxies that are sometimes installed on end user machines, not on corporate gateways and, as stated in the article, if said proxy has a wireless interface, you just opened a huge hole in your network.
Re: (Score:2)
it will never work... (Score:5, Interesting)
Re:it will never work... (Score:3, Interesting)
After reading the article I've said to myself: hm, I'll have to take care of these things... instead of: hm, I'd better not use NAT.
OTOH, if you have machines with different OSes, it may be pretty difficult to make it look like the packets are coming from a single source, even when only passive fingerprinting is used.
Re:it will never work... (Score:5, Insightful)
You could also defeat the tcp sequence number counting method by using OpenBSD as a NAT device. Its included packet filter has an option to randomize the sequence numbers of outgoing tcp packets.
Re:it will never work... (Score:3, Interesting)
Re:it will never work... (Score:5, Insightful)
I just can't see this working. They are making assumptions based on some arbitrary implementation of a portion of the IP protocol. It doesn't even rely on any RFC type standards as far as I can tell. This could probably be fixed in NAT devices that are capable of having their firmware upgraded, or someone could just write a hack to the IP driver for the source host and be done with it.
Re:it will never work... (Score:3, Interesting)
Yup, this is a non-event except as an annoyance to people who will require firmware upgrades.
Every single aspect that
Re:it will never work... (Score:4, Interesting)
still same bandwidth (Score:4, Interesting)
Re:still same bandwidth (Score:2)
ISP's *do* realize that people want to connect more than one machine. This is simply a mechanism for identifying people who violate their agreements.
Re:still same bandwidth (Score:2)
My cablemodem provider allows me to use NAT, they just don't support it.
Like the other poster said, if someting like this will be used to 'enforce' limiting 'agreements' (if you can call it that, because where was the negotiation that led to the agreement
Re:still same bandwidth (Score:2)
Re:still same bandwidth (Score:4, Insightful)
If you really want to play word games, I define an idle machine as "a computing platform with an operating system loaded and running, but without a user interacting with the system".
I'm glad you like to run a caching DNS server and diskless workstations. Really. But to most people, computers are just tools to play games and send email. They're purchased at places like Sears and CompUSA, and they automatically download things like windows update, antivirus software, etc.
Last time I checked, a caching DNS server only reduces traffic if you have a large enough, active user base to populate and refresh the cache.
Re:still same bandwidth (Score:5, Interesting)
The phone company used to care how many phones you had. Then the cable company charged per television, and some ISPs care how many computers you have.
The key difference I see is the two previous mentioned industries had those issues resolved by regulation. Regulating consumer grade ISPs might not be a bad thing and finally set limits on things like number of computers or port restriction. And if not- at least we'll know what "consumer grade" service is and all switch to "Small Office" connections, which already seem to be the way to go for people who actually want to use their internet connection at home.
- Serge Wroclawski
Re:still same bandwidth (Score:2)
Re:still same bandwidth (Score:5, Interesting)
While the ISPs may go after a few people- I have serious doubts that the practice will become widespread. Just as the TV splitter was commodity, so are cheap NATs. Heck, some expensive cable modems you can buy in the store come with NAT!
The products are already sold as "Cable Modem Routers".
It is, of course, possible that the ISPs and media publishers would go after home users, but it's likely they'd do it over bandwidth consumption or trading copyrighted material rather than just NATing. Going after them just for NATing wouldn't benefit them. The ISP loses a customer and gets a bad reputation, the home electronics company gets mad at the ISP and the customer loses.
At least with file traders, the ISP is losing a "bandwidth hog". It may be a weak excuse, but it's something.
Re:still same bandwidth (Score:4, Informative)
That is.. if you are actually worried about anything.
Its of no real use to isp's (Score:4, Funny)
What will the future hold? (Score:5, Interesting)
Go calculate [webcalc.net] something
Re:What will the future hold? (Score:4, Informative)
Now, in today's modern world, with most of the (modern) phone network being packet-switched, it's probably just another way to eke out extra money from a more or less captive audience. Of course, you just know that if businesses were being charged less, home users would still end up paying more in the end. *sigh*
Re:What will the future hold? (Score:2)
Re:What will the future hold? (Score:3, Informative)
Re:What will the future hold? (Score:2)
Re:What will the future hold? (Score:3)
Internet providers. (Score:5, Insightful)
On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.
Jason
Re:Internet providers. (Score:5, Insightful)
Yep, and then the parties interested in counting NATed machines will go buy a law criminalizing circumvention of their "AUP Enforcement Technology."
After all, only terrorists don't want anyone to know how many machines they've got connected to their cable/DSL modem, right?
~Philly
Re:Internet providers. (Score:2)
After all, only terrorists don't want anyone to know how many machines they've got connected to their cable/DSL modem, right?
Hey, thats a great Idea, lets License every IP! That way the government can get a few billion in tax money! I bet the RIAA/MPAA would love access to a database like that!
Re:Internet providers. (Score:3, Insightful)
WTF do you mean by "soon"? Try "years ago". Oooohhh, these uber h4x0rs figured out that a router decreases the TTL, excuse me while I worship their skillz.
Okay, I feel better now.
Anyhow, it's insane that they would even try this. First of all, it doesn't have to be NAT... Any router/firewall will do th
Re:Internet providers. (Score:3, Interesting)
What else are we supposed to do? (Score:4, Insightful)
Why can't they just have a flexible plan where I say, yes, I admit I have 3 boxen behind NAT and agree to pay an extra $5 to $10 a month? Or is this too logical for them to do?
Re:What else are we supposed to do? (Score:2)
If you are going to pay extra I'd want IPs not NAT...
Re:What else are we supposed to do? (Score:2)
Fortunately, I never had to worry about that with the use of a simple Linksys gateway router. Now I don't know how the gateway router changes the bits of packet headers to eliminate host counting (one way to count hosts behind NAT).
robi
Re:What else are we supposed to do? (Score:3, Funny)
"But all I want to know is if your lines are down!"
"I'm sorry, you need to disconnect your DSL router and start WinPoet before we can help you."
"Are you a recording?"
"I'm sorry, you need to disconnect your DSL router and start WinPoet before we can help you."
Don't get you knickers in such a twist (Score:5, Insightful)
"The algorithm for detecting NAT routers relies on the observation that switches directly connected to a host, or in the same subnet as a host, will always see packets from the host with a TTL that is characteristic of the host operating system."
So if you play with the OS fingerprinting (and TTL), you can likely fool this method. Don't forget that your NAT is rewriting part of the information in each packet anyway. It would be more expensive (but probably not prohibitively so) to rewrite more of that information. It is, after all, information for moving the payload around, and not the payload.
This just ups the ante a little.
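The quoted sentence is the whole TTL heuristic; the other technique the thread keeps referring to (the AT&T paper's IP-ID counting) is the same kind of per-source bookkeeping. The following is an added example, not code from the sFlow paper, the AT&T paper or any poster: both checks run over constructed sFlow-style header samples. The sample records, the address values and the `max_gap` window are assumptions made for the example.

```python
"""Toy NAT-gateway detector over sFlow-style packet samples (added example).

Two heuristics the thread discusses:
  1. TTL: a switch directly attached to a host sees the host OS's initial
     TTL (64, 128, 255 ...). A TTL one below a well-known initial value
     means a router (the NAT box) decremented it; two different TTL
     signatures from one source address mean two different OSes.
  2. IP ID: stacks that use one global IP-ID counter emit IDs in
     increasing order, so interleaved increasing runs from one source
     address suggest several hosts sharing that address.
Sample dicts are constructed for this example; sFlow exports 1-in-N
packet headers, so real deployments need enough samples per source.
"""
from collections import defaultdict

KNOWN_INITIAL_TTLS = (32, 64, 128, 255)  # common OS defaults


def hops_from_ttl(ttl):
    """Guess (initial_ttl, hops) by taking the smallest well-known
    initial TTL that is >= the observed value."""
    for initial in KNOWN_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range: %r" % ttl)


def count_ipid_sequences(ids, max_gap=256):
    """Greedily split an IP-ID stream (arrival order) into monotonically
    increasing runs modulo 2^16; the number of runs estimates the number
    of hosts with a sequential IP-ID counter. Hosts that randomise or
    zero the ID field are simply not counted by this heuristic."""
    runs = []  # last ID seen in each run
    for ipid in ids:
        best_idx, best_gap = None, None
        for i, last in enumerate(runs):
            gap = (ipid - last) % 65536
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best_idx, best_gap = i, gap
        if best_idx is None:
            runs.append(ipid)
        else:
            runs[best_idx] = ipid
    return len(runs)


def classify(samples):
    """Per source address: TTL signatures, IP-ID host estimate and a
    NAT verdict (router hop seen, >1 OS signature, or >1 ID sequence)."""
    by_src = defaultdict(list)
    for s in samples:
        by_src[s["src"]].append(s)
    report = {}
    for src, pkts in by_src.items():
        sigs = sorted({hops_from_ttl(p["ttl"]) for p in pkts})
        behind_router = any(hops > 0 for _, hops in sigs)
        ipid_hosts = count_ipid_sequences([p["ip_id"] for p in pkts])
        report[src] = {
            "ttl_signatures": sigs,
            "ipid_hosts": ipid_hosts,
            "nat_suspected": behind_router or len(sigs) > 1 or ipid_hosts > 1,
        }
    return report


# Constructed samples: 10.0.0.3 is attached directly (TTL 64 untouched,
# one ID counter); 10.0.0.9 is a NAT box with a Windows host (128-1)
# and a Linux host (64-1) behind it, their ID counters interleaved.
SAMPLES = [
    {"src": "10.0.0.3", "ttl": 64, "ip_id": 5000},
    {"src": "10.0.0.9", "ttl": 127, "ip_id": 100},
    {"src": "10.0.0.9", "ttl": 63, "ip_id": 40000},
    {"src": "10.0.0.3", "ttl": 64, "ip_id": 5001},
    {"src": "10.0.0.9", "ttl": 127, "ip_id": 101},
    {"src": "10.0.0.9", "ttl": 63, "ip_id": 40001},
    {"src": "10.0.0.3", "ttl": 64, "ip_id": 5002},
    {"src": "10.0.0.9", "ttl": 127, "ip_id": 102},
    {"src": "10.0.0.9", "ttl": 63, "ip_id": 40002},
]

if __name__ == "__main__":
    for src, verdict in classify(SAMPLES).items():
        print(src, verdict)
```

Both checks are only as good as the assumption they rest on: the TTL test is blind once the gateway stops decrementing, and the ID test counts nothing for stacks that randomise the field, which is exactly what the posters above are proposing to do.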
Re:How soon will... (Score:3, Insightful)
Seriously, modifying the TTL on packets could severely degrade a network if placed where a loop is formed. Runaway packets would not die as they are supposed to.
Most home networks do not have any place to form a loop, so not decrementing the TTL shouldn't make a difference to a home network NAT router.
Wow - Just think of it (Score:4, Funny)
WHAMO! Instantly pissed off customer base!
(is UWB ready for prime-time yet?)
pf circumvents this still it appears. (Score:2, Interesting)
not all ISPs care (Score:3, Informative)
Re:not all ISPs care (Score:5, Insightful)
Wish I had that on tape
Its a war, you break standards. (Score:5, Interesting)
OS fingerprinting was nice, but now some boxes are replying as a Tandy CoCo, its a very amusing battle. Now TTL is being used to determine multiple NAT'ed IPs. I'm sure someone will write a nice nat module for linux/etc to bypass this also. Seems like the endless cycle of control freaks losing control.
BTW, not sure which ISPs care about NAT, but there are very very large NAT friendly ISP's out there. (Speakeasy for one)
Thanks, sFlow! (Score:5, Interesting)
I just wanted to extend a big thanks to sFlow for posting this paper (and the AT&T people for posting theirs). Despite the fact that DARPA screwed Theo & Co, they are probably already adding a "modulate TTL" setting to pf as we speak.
And of course if you're ultra-paranoid, then just use something like socks or squid to proxy most or all of your TCP connections, and it's 100% indistinguishable from your firewall making the connections out. Because your firewall is making the connections out.
When will they learn?
Kinda irritates me that stuff like this may make my nice all-in-a-box Netgear NAT useless some day, but it's nice to know that people like OpenBSD are there to back us up.
And like someone else said, what exactly does the cable company expect me to do? Expose all of my internal network to the internet? Cha right! They wouldn't even give me more than 3 IPs anyway!
ISP care? (Score:4, Insightful)
On internet: For all I'm concerned, I have *ONE* computer connected to my DSL, and other computers connected to the one computer. ISP gonna tell me I can't connect computers to each other? What's next? It'd be illegal to have multiple screen/keyboard/mouse on the ONE computer? (i think this can be done...buddyPC??)
The 'client' computers access resources on the 'gateway', which happens to include the external internet filtered through the firewall. I dont have multiple computers connected directly to the internet, that's just insecure.
And besides, what are they losing anyway from NATs? It's the same connection/bandwidth. 150kbs down on one box is the same as 150 split to 75kbs down on 2 computers. It's still only one IP. Whatever activity (and any responsibility) that goes on is on ONE account.
Re:ISP care? (Score:2)
robi
Re:ISP care? (Score:3, Insightful)
The cable company went through the same thing - they wanted to charge you per TV.
In both cases, the govt stepped in. Also, in both of those cases, it really doesn't matter if you have 1 or 100 TV's hooked up - the signal coming into the house is the same...it does not affect them in any way.
However, with broadband the ISP's have a bad business model - they have x capacity, and sell for more than x on t
Re:ISP care? (Score:3, Informative)
No, the ISP does not own the portion of the network from my NAT box to my computers. Per my contract with my ISP, I have exactly one machine connected to their network. That machine happens to be a Linksys router, and it happens to forward requests sent to it over *my* network, but that's none of their business.
Why should we bother (Score:2, Insightful)
Stupid as it sounds, but it goes thru our senators, it couldn't be wrong.
The little downside is that the only job left for IT is tech support for Windows installation....
Legal? (Score:3, Interesting)
Is it legal for the ISP to sniff your packets? I'm very ignorant when it comes to such things, but this screams privacy issues.
Re:Legal? (Score:2, Insightful)
So yeah, they can sniff packets all they want. You agreed to that when you paid for their service.
Now, using what they find in your packets against you in court, or really doing anything with them other than protecting their own network/contracts...that's different.
Bzzzt! Sorry; Close, but no cigar! (Score:4, Informative)
The time before there are "fixed" versions of both NAT (which don't decrement TTL), and of IP packet ID's (changing all ID's into a single monotonically increasing order, or randomizing them) will be measured in hours.
Hopefully the authors of this paper aren't doing research for a living...
Easy to fix (Score:2)
This will be easy to fix. A hack to your NAT box source code (you are doing NAT with OpenBSD, Linux or some other open source system, right?) to remove the TTL decrement for NAT traffic (or re-increment it where the decrement can't tell the difference) would get around that aspect of the problem. I'd argue that one can NAT in a transparent "switch", which would not decrement TTL, so why not just make the OpenBSD or Linux box do that.
And for fun, add a randomizer to the initial TTL value. Thus instead of
Hardware list? (Score:2)
Re:Hardware list? (Score:3, Informative)
And note that ntop [ntop.org] groks sFlow, too. Open source traffic characterization, with an open standard for instrumentation. Very cool.
Easy fix (Score:2)
There's an easy way around this - especially for Linux boxes serving as NAT forwarders via ipchains' MASQ option:
Modify the software to allow the configuration to specify rewriting the TTL field to a value appropriate for a packet originating in the MASQing box. Apply this (at least) to packets net-bound.
(It might also be wise to allow the configuration to
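The "Bzzzt", "Easy to fix" and "Easy fix" posts above all describe the same gateway-side rewrite: stop handing the upstream switch a decremented TTL, and make the IP ID field look like one stack's counter. The block below is an added example, not pf, netfilter or any router vendor's code, showing where those two rewrites sit inside a minimal stateful NAT. Packets are plain dicts, the addresses and port range are made up for the example, and `HidingNat` is a hypothetical class name. As one poster notes, an ISP's terms may class this as manipulating identifiers; and as another notes, a gateway that never decrements TTL removes the loop-breaker, so this belongs only on a box that cannot sit in a routing loop.

```python
"""Toy stateful NAT with the two header rewrites proposed in the thread
(added example; not pf, netfilter or any router vendor's code).

Outbound packets get (a) the TTL this box's own OS would put on a packet
it originated, instead of the host TTL minus one, and (b) an IP ID from
one gateway-wide counter instead of the host's own counter. To the
upstream switch every packet then looks like it came from one directly
attached host. Packets are plain dicts; no sockets are involved, and
TCP sequence-number fingerprints or traffic analysis are NOT hidden.
"""
import itertools


class HidingNat:
    def __init__(self, external_ip, own_initial_ttl=64, first_port=40000):
        self.external_ip = external_ip
        self.own_initial_ttl = own_initial_ttl
        self._ports = itertools.count(first_port)
        self._ipids = itertools.count(1)        # one counter for all hosts
        self._by_ext_port = {}                  # ext port -> (inside ip, port)
        self._by_inside = {}                    # (inside ip, port) -> ext port

    def outbound(self, pkt):
        """Translate an inside->outside packet; allocates state on first use."""
        inside = (pkt["src"], pkt["sport"])
        ext_port = self._by_inside.get(inside)
        if ext_port is None:
            ext_port = next(self._ports)
            self._by_inside[inside] = ext_port
            self._by_ext_port[ext_port] = inside
        out = dict(pkt)
        out["src"] = self.external_ip
        out["sport"] = ext_port
        # A normal router would write pkt["ttl"] - 1 here, which is what
        # the TTL heuristic keys on. Writing our own initial TTL instead
        # means a packet caught in a loop is never aged out by this hop.
        out["ttl"] = self.own_initial_ttl
        # Replace the host's IP ID with the gateway's counter so the
        # outside sees one increasing sequence rather than one per host.
        out["ip_id"] = next(self._ipids) % 65536
        return out

    def inbound(self, pkt):
        """Translate outside->inside; return None (drop) when no state exists."""
        inside = self._by_ext_port.get(pkt["dport"])
        if inside is None:
            return None
        back = dict(pkt)
        back["dst"], back["dport"] = inside
        back["ttl"] = pkt["ttl"] - 1  # decrement inbound as usual; the ISP never sees it
        return back


def looks_like_one_host(packets):
    """What an upstream observer can conclude from a run of packets:
    True when there is a single TTL value and the IP IDs form one
    increasing sequence (modulo 2^16)."""
    ttls = {p["ttl"] for p in packets}
    ids = [p["ip_id"] for p in packets]
    increasing = all((b - a) % 65536 == 1 for a, b in zip(ids, ids[1:]))
    return len(ttls) == 1 and increasing


if __name__ == "__main__":
    nat = HidingNat("203.0.113.5")
    # Constructed traffic: a Windows host (TTL 128) and a Linux host (TTL 64)
    win = {"src": "192.168.1.10", "sport": 1025, "dst": "198.51.100.7",
           "dport": 80, "ttl": 128, "ip_id": 100}
    lin = {"src": "192.168.1.11", "sport": 3000, "dst": "198.51.100.7",
           "dport": 80, "ttl": 64, "ip_id": 40000}
    sent = [nat.outbound(win), nat.outbound(lin), nat.outbound(dict(win, ip_id=101))]
    print("before NAT looks like one host:", looks_like_one_host([win, lin]))
    print("after NAT looks like one host:", looks_like_one_host(sent))
```

The state table is the part a real gateway already has; the two rewrites are two assignments inside it, which is why the posters expect the change to land in firmware quickly.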
Oops. Missing text. (Score:2)
competition (Score:2)
Just change ISP's (Score:3, Informative)
I get my DSL through speakeasy.net, and so far they seem to be about the coolest provider I've heard of. They don't care how many machines you have hooked up to your connection, they don't care if you run servers, they actually encourage you to share your connection via wireless networking. I read in one of their recent newsletters that if you set up an AP they'd like to know so they can tell the other speakeasy customers about it. I'm pretty sure they're available in most large cities (i'm in seattle).
If you want to sign up and don't mind sending $50 my way use this [speakeasy.net] referral link.
Multiple NAT Routers (Score:2, Interesting)
Yawnn.. iptables? (Score:5, Informative)
Re:Yawnn.. iptables? (Score:4, Interesting)
Yes, and.... (Score:5, Informative)
When my ISP shuts down all the chatter I see, around the clock, from Code Red hits (default.ida requests, etc.), like 12~14 per second, I'll be happy to discuss my 'expanded' bandwidth usage and how it impacts their resources.
Code Red has little direct impact on my boxes, since I'm MS free, but with the general effect being a load on the network right up against my VDSL modem, this is still a very real issue. If the ISP's want to reduce loads, they can look to stop some of the noise from other sources as well. What other sources? Let me think...ummm...spam mail? Port scan probes....
Can software base routing be traced? (Score:2)
It's not as easy as fixing NAT's TTL (Score:4, Insightful)
Port numbers are easy to change, but if your ISP wants to do traffic analysis on your IP address, there's not a lot you can do to hide. I'm just very, very glad that I have an ISP [sonic.net] that doesn't suck. In fact, they're pretty damn cool.
Re:It's not as easy as fixing NAT's TTL (Score:4, Informative)
And if you have old computers, you won't need to modify anything except for your firewall rules. If you have *BSD, you have the sequence number rewriter, which is also available on linux as the "ippersonality" extension to the iptables firewall. Both of these guys also support ttl mangling too (built-in).
You have the power to make your network look like whatever you want. It's nice to have an ISP that's cool, but if you're unlucky, they'll never be the wiser. In a way, if you're going through such effort, you're probably helping them out somehow by wrangling your own network into some resemblance of order. ^_^
Prove it (Score:3, Insightful)
How can the ISP prove conclusively that you have a dozen boxes hooked up to the connection? Get a search warrant and take pictures? I think not. While the technique described in the paper is certainly clever, I believe it would have little value in nailing users to the wall when it comes to sharing access.
Re:Prove it (Score:3, Insightful)
Let's take spam as an example. Most ISP's will cut off spammers at the drop of a dime. But let's say I'm running a mail server (we will assume I'm using an ISP that allows servers) but I was stupid and left relaying open. Now spam starts spewing forth from my connection and prett
Just Proves a Point (Score:3, Funny)
Detecting machines behind NAT is useless (Score:4, Informative)
ISP's costs are based on bandwidth used (this can depend on when the bandwidth is used, and whether it's up or down and out of their netblock or inside it). The # of machines connected has no bearing and it's pretty damn difficult to define a 'connected pc' IMO. Which of these would you include?:
- A hardware router running embedded linux
- A hardware router running embedded linux which I've hacked and can surf with
- A linux router (with no keyboard/monitor)
- A linux router (with a keyboard/monitor)
- A palm which is connected once per day to a windows machine behind the router
- A bloke who's hijacking my WiFi connection
- A bloke who's hijacking the hijacker's Infrared port
- My laptop which I plug in at night and take to work the next day
- An x server (Or Windows Terminal Server) serving 50 websurfing clients
Will I be charged for maximum# concurrent natted boxes, or average# of natted boxes? Or some other scheme?
I don't see where you could draw a nice precise black line on the definition of internet client; it all looks grey to me.
Speculation:
I think ISP's don't charge for bandwidth YET because it'd cost them money to measure it. I assume it would cost them more to measure {average or maximum natted boxes}. I think they'll finally see the light and begin charging an amount that has some pretty close correlation to their costs (though I think it'll take 5 years or so before new ISP's begin rolling out nice routers which catalog bandwidth based on what time of day it is, etc.).
A few points on NAT's, traffic, and your TOS (Score:3, Informative)
1) Fortunately, my DSL provider (SBC) acknowledges and allows the use of routers to connect multiple home computers to a single DSL router.
2) They disallow users to "forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Service." That means that, at least with SBC, reconfiguring your NAT routing device to not decrement the TTL on packets could constitute a breach of contract. YMMV.
3) I could not find any clause prohibiting SBC from inspecting the contents of packets it handles. Theoretically then, in addition to considering the IP ids of received packets as mentioned in the sFlow article, your ISP could perform analysis of any unencrypted traffic from your ip. For instance, If you were playing Counterstrike and your housemate was surfing the web, traffic analysis of the packets originating from your ip could correctly identify the existence of multiple hosts.
Obviously, such analysis would be computationally intense, and could not be performed on an ISP's entire customer base simultaneously, but as a random auditing tool, or a followup to previous suspicion, this type of analysis could be an effective tool for ISP's that wanted to outlaw multiple connections.
That said, I agree with the countless comments to the effect that very few ISP's are going to actively pursue any of these measures; the costs seem to greatly outweigh the benefits. Imagine if my ISP did crack down on my four home computers behind my NAT router: I would still be capable of using the same amount of bandwidth with only one computer, I would be pissed off and looking for another provider, and most importantly, I couldn't give SBC any more money if I tried--it's not as though I can get multiple DSL accounts on the same phone number (and believe me, I certainly wouldn't let SBC charge more for "Platinum NAT Service").
I will cite Eric's Theorem (Score:4, Insightful)
In short, I am sure the open source community (the OpenBSD guys and the linux netfilter team) have, or will shortly release mods to foil any nat detection gear. And I am sure the various nat box makers and rebadgers (linksys, netgear, etc) will soon have a tidy check mark with the text label next to it saying "Hide all computers from greedy isp and big brother government agency? (y/n) "
What about Virtual Machines? (Score:5, Interesting)
Perhaps it would appear to the outside world that there are more than 1 pc connected, but to prove it, they'd have to have physical access to your home.
Pretty sure they won't get past me...
Security. Not Bandwidth. (Score:3, Insightful)
One purpose of this paper is to provide a tool that can address security concerns. And yes, NAT does make it more difficult to police the machines behind the NAT. One reason: "Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building."
This paper never once talks about a problem where NAT users are going to eat up too much bandwidth. Another quote: "In this network the administrative policy is for host computers to be directly connected to the distribution switches, as is shown by Host C. Two hosts, A and B, are connected to the distribution switch through an illicit NAT router." Note the words "administrative policy".
If ISPs use it against us, use PROXY (Score:3, Informative)
Let's face it: before the cable router was prevalent, everyone that wanted to share used a machine with two NICs. The people smart enough to figure it out will do that with proxies (or if you're not smart enough to think of that, now I just thought of it for you). Once the companies realize this is another cheap thing that they can do to make lots of $$$, they'll market a cheap appliance that will do it.
Before the cable router, I used 2 NICs and WinRoute to NAT. Before that, 2 NICs and WinProxy to Proxy.
The ISPs will realize that there is always a way around it, and that the trouble of detecting will cause them so much pain that
My
Not All ISP's Care (Score:4, Informative)
Black Hills Fibercom (in little Rapid City, SD). They offer phone, digital cable, and broadband. Called today on behalf of my Dad who is considering their broadband package. I asked about firewalls - they strongly recommend using one and will even help set up any of the major software firewalls during install. He then proceeded to recommend purchasing a NAT router for additional protection. I damn near fell out of my chair.
We talked a bit about bandwidth and I brought up access for multiple PCs. He then said definitely get a router or they would have to charge an additional (though nominal) fee for each additional IP. At that point, I did fall out of my chair.
They won't support your home network nor will they help set up your router. They will, however, walk a user through disconnecting it during a support call if it's necessary for them to see their computer over the network to resolve an issue.
Almost makes me wish I still lived there.
Re:Not All ISP's Care (Score:3, Informative)
Hell, one time I helped someone configure a DSL router from Netgear that terminated the DSL itself (not using a Cisco 67x or other products like Actiontecs). I didn't even know Netgear made these things. Of course I
It's about overselling (Score:3, Interesting)
It's not that we care how many computers someone has behind these NAT devices. It's how much of the bandwidth they bought that they are using and how often they're using it.
Our basic ADSL and wireless offerings are 384k/128k. If we had every user maxing out their connection all the time, then we'd have to charge more. Because we're in a remote area, we pay more for our T1 service. We have a T1 that runs about $1k per month and another about $1300 per month (special build for geographic diversity). If 4 of our ADSL or wireless users held their connection maxed out all the time, that would pretty much eat a whole T1. We have just over 300 broadband customers and about 600 dialup on two T1 lines with a third on the way.
Our 384k/128k service is regulated and costs $49.95 per month. If every broadband user insisted on maxing out their connection 24/7, we'd have to charge broadband customers $250 per month just to break even on the T1 costs. That doesn't even count the overhead associated with staff and equipment.
I'm sure there are ISPs out there that are all about the money. We try to be more about service and making sure our customers are happy. But we have to make a living too. I don't think the issue should be if you're using a NAT device or how many computers you have hooked up to it. As I said, we encourage it. I think the issue should be about usage. Sell 3 gig per month. Charge for data over that. (3 gig is a number I pulled out of my head.)
My point is, if the ISP is worried about usage, they should charge for that and not for how many computers are behind a NAT box.
Easy Windows Fix (Score:4, Interesting)
In W2K:
HKEY_LOCAL_MACHINE\System\CurrentControlSet
Just set to 129 if you have a NAT between your PC and the modem.
This way all the packets seem to come directly from a Windows box, and you don't have the (potential) side effects of getting the NAT to change the TTL.
pointless (Score:3, Insightful)
Well, they happen to do that right now, mostly because of historical accident. If bogus "NAT detectors" like this proliferate, people will simply move to user-mode NAT. That is, packets from network A are redirected to a user-mode process which then looks at them and sends out a request on network B, and the same in reverse. In that case, the packets sent from the NAT process onto network B are indistinguishable from the packets coming from any other user mode process because they were generated by a user mode process.
The only thing ISPs can do to detect NAT is to look at traffic patterns and accuse you of, say, browsing too many web sites per second. That eventually just amounts to volume-based (or traffic-pattern-based) charges. Sure, they can do that, and they probably should, but at current prices, that's not going to affect you browsing the web from two machines.
How is this anyone's business? (Score:5, Insightful)
And when are we going to rise up and tell the greedy, small-minded busy-bodies to take a flying leap? I am beginning to think it isn't even about greed but more about control for the sake of control.
Re:You don't have to sign the contract (Score:2)
Re:Why do ISPs care about NAT? (Score:2)
If a whole family gets on at once, they might just consistently max out their connection. The ISP's Erlang calculation is based on a one-user model... thus NATs screw up their formulas and they can no longer oversell bandwidth and maintain advertised performance.
Re:Change TTL (Score:5, Insightful)
Get source code. Hack away. Make it set the TTL to 128 when it's in the NAT part of the code. Bingo, problem solved.
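Putting the TTL argument from this comment and from the "Easy Windows Fix" comment above into code: an added example, not from the thread, the sFlow paper, or any NAT vendor. It assumes an observer sampling IP headers at the ISP's access switch (so a directly attached host arrives with its stack's default TTL and anything behind a router arrives one lower), and it uses constructed sample data; the customer addresses and the function names `forward`, `analyse` and so on are the example's own.

```python
"""TTL-based NAT detection and the TTL countermeasures from the thread.

Added example; this is not code from the Slashdot thread or from the
sFlow paper. It models three things:
  * hosts emit packets with their stack's default TTL (Windows 128,
    Linux/BSD 64, some routers 255);
  * a NAT router either decrements the TTL by one on the way out
    (ordinary forwarding) or overwrites it (the netfilter 'TTL --ttl-set'
    hack and the DefaultTTL=129 trick both land the packet at 128);
  * an observer at the ISP access switch rounds each sampled TTL up to
    the nearest common default and flags any customer address whose
    packets look like they already crossed a router, or whose packets
    fall into more than one TTL family.
All sample data below is constructed for the example.
"""
from collections import defaultdict

DEFAULT_TTLS = (32, 64, 128, 255)   # common initial TTL values


def infer_initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range")
    for t in DEFAULT_TTLS:
        if observed <= t:
            return t
    raise AssertionError("unreachable: 255 always matches")


def hops_from_source(observed):
    """Estimated number of routers the packet has crossed."""
    return infer_initial_ttl(observed) - observed


def forward(ttl, via_nat, nat_rewrite=None):
    """TTL as seen by the observer after the customer's own equipment.

    via_nat=False: host is plugged straight into the modem, no decrement.
    via_nat=True:  a router decrements the TTL, or, when nat_rewrite is
                   set, overwrites it (what the netfilter TTL target does
                   with 'iptables -t mangle ... -j TTL --ttl-set 128').
    """
    if not via_nat:
        return ttl
    if ttl <= 1:
        return None            # a router would discard the packet
    if nat_rewrite is not None:
        return nat_rewrite
    return ttl - 1


def analyse(samples):
    """Group (customer_ip, observed_ttl) samples by address and flag NATs.

    A customer is 'suspect' if any packet looks like it crossed a router
    (hop estimate > 0) or if packets from the address fall into more than
    one initial-TTL family (e.g. a Windows and a Linux box sharing one IP).
    """
    per_ip = defaultdict(lambda: {"initial_ttls": set(), "max_hops": 0, "packets": 0})
    for ip, ttl in samples:
        if ttl is None:        # dropped in transit, never observed
            continue
        rec = per_ip[ip]
        rec["packets"] += 1
        rec["initial_ttls"].add(infer_initial_ttl(ttl))
        rec["max_hops"] = max(rec["max_hops"], hops_from_source(ttl))
    for rec in per_ip.values():
        rec["suspect"] = rec["max_hops"] > 0 or len(rec["initial_ttls"]) > 1
    return dict(per_ip)


# Constructed samples, as an ISP might take them at the access switch.
SAMPLES = [
    # 198.51.100.10: one Windows PC on the modem, no router.
    ("198.51.100.10", forward(128, via_nat=False)),
    ("198.51.100.10", forward(128, via_nat=False)),
    # 198.51.100.20: Windows + Linux behind an ordinary NAT router.
    ("198.51.100.20", forward(128, via_nat=True)),
    ("198.51.100.20", forward(64, via_nat=True)),
    ("198.51.100.20", forward(128, via_nat=True)),
    # 198.51.100.30: Windows box with DefaultTTL raised to 129, behind a NAT.
    ("198.51.100.30", forward(129, via_nat=True)),
    # 198.51.100.40: Linux laptop behind a NAT that rewrites TTL to 128.
    ("198.51.100.40", forward(64, via_nat=True, nat_rewrite=128)),
]


if __name__ == "__main__":
    for ip, rec in sorted(analyse(SAMPLES).items()):
        print(f"{ip}: initial_ttls={sorted(rec['initial_ttls'])} "
              f"max_hops={rec['max_hops']} suspect={rec['suspect']}")
```

Running it flags only 198.51.100.20: its packets arrive at 127 and 63, one hop short of two different defaults. The 129 trick and the rewriting router both come out at exactly 128 and pass. Two caveats the thread glosses over: the rounding heuristic misreads any stack with an uncommon default TTL as being several hops away, and two directly attached machines running different operating systems (a hub, no router) trip the multi-family rule without any NAT at all. Rewriting the TTL also removes only this one signal; it does nothing about other per-host fingerprints such as IP ID sequences.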