Comcast Gunning for NAT Users

phillymjs writes: "A co-worker of mine resigned today. His new job at Comcast: Hunting down 'abusers' of the service. More specifically, anyone using NAT to connect more than one computer to their cable modem to get Internet access- whether or not you're running servers or violating any other Acceptable Use Policies. Comcast has an entire department dedicated to eradicating NAT users from their network. We knew this was coming since this Slashdot article from two months ago, but did anyone think they'd already be harassing people that are using nothing more than the bandwidth for which they are paying? It makes me very happy that my DSL kit arrived yesterday, and I'll be cancelling my Comcast cable modem early next week." Earthlink and Comcast have both been advertising lately their single-household, multi-computer services (and additional fees) -- probably amusing to many thousands of broadband-router owners, at least until the cable companies really crack down.

methods

[po_boy]

So, what are the methods they use, and how can I make it more difficult for them to tell if I have a machine running NAT?

Re:methods

[RC514]

NAT leaves some traces in the datastream. Especially the high port numbers of a Linux system doing masquerading with the default settings could ring a bell. Other options are operating system fingerprinting. If you see a Linux system using the ip but other traffic carries Windows characteristics, that may be a hint.

Meanwhile...

[Mendax Veritas]

...my DSL provider, PacBell Internet, actually wants to sell you a NAT router when you sign up for basic home DSL service.

they can try they wont win.

[Lumpy]

They can catch the scumbags that get the cablemodem and then nat their entire apartment building, or the neighborhood but they will never catch a single family dwelling doing it. the ONLY way to detect it is to watch bandwidth and look for 60-70 connections coming out of that cablemodem. anything less will be false positives as just hitting some websites causes at least 10 connections to other servers for ad's popups, etc...

Besides, how is this going to fly with the AT&T policy of allowing it and even encouraging it? AT&T will gladly sell you a smc or linksys NAT/firewall... that constitutes encouraging it.

Kudos to AT&T

[Anonymous Coward]

I have to congratulate AT&T. I was in the mediaone (originally Highway1) beta in 1996. As they changed to RoadRunner and AT&T, customer service has definitely gone downhill. There are much longer waits on the phone, and there is greater difficulty in reaching knowledgeable support people.

Furthermore, outages are still too common, and performance is still too variable.

However, the basic service is good, and the attitude of AT&T (at least in Eastern MA) is still good. They tolerated NAT, looking the other way, and then (I think) supported it; they don't block ports; and they don't particularly seem to mind members who run servers, as long as those servers are reasonably secure; even though the service agreement disallows servers (last time I checked).

I read about dimwits like Comcast frequently on Slashdot, and I'm thankful that my provider is still reasonable.

I wonder what they plan to do?

[jandrese]

This is interesting. I guess they're going to go after people running those custom firewall/NAT boxes. Now all these people will just have to plug their windows machine directly into the net.

As everybody else is wondering: how do they plan to ferret out NAT users? Go to everyone's home and count the number of computers? ComCast used to be such a nice service, it's a shame what they're doing to it. Lets count the ways they've made the service worse recently:

1. No VPNs. If you want to use a VPN you have to get a special "business" plan. Good luck finding anything about this plan on their website.
2. Upload/Download caps: We used to have wonderful bandwidth, and our local loop isn't even heavily taxed. Now we have an artifical bandwidth cap that does not appear to help us OR our neighbors.
3. No Newsserver. The usenet is a valuble resource, every ISP worth it's salt has usenet access. Comcast customrs (the ones that got switched over) do not.
4. Now this anti-NAT policy. I wondier if you will be able to find anything at all about this "I have a NAT" service on their website...

Still, even with all of these indiscresions, I'm inclined not to believe this story as is. There doesn't appear to be much actual evidence (has anyone been flagged for having a NAT yet?) to support the claims. Also, did the co-worker quit because the job is nigh-impossible? My hoax sense is tingling...

Re:methods

[mewn]

One of french cable ISP using this method :

on their webpage that can only be accessed when you'r on their network ( a this webpage providing usefull information like your month quota ), there's a client script that send back your browser IP. That's it : if your ip is typical from a home subnet, you'r using NAT.

Re:Firewall

[Anonymous Coward]

Exactly. When Comcast can guarantee that no one will hack into my single computer connection, then I will agree not to use a firewall. Until then I need security, as I get about 5-10 probes per day against my firewall.

Verification of their Policy is in the Comcast FAQ

[dave_aiello]

I don't know how Comcast plans to hunt down residential users who implement NAT on their own. But, the Comcast On-Line FAQ contains their policy on the use of multiple computers [comcastonline.com], including pricing, and how they want to arrange the service.

You'll find more about my experience with Comcast broadband services [ctdata.com] on my company's web site, if you are interested.

Re:Crack down?

[Skuld-Chan]

Your right (and your link doesn't work), but all those headers are trapped at that device (that is if its working properly) - all comcast would see is the mac address of the nat device (in my case a sun mac address)

NAT Detection method and avoidance

[dfranks]

One way they could detect NAT boxes is by looking at the MAC address. I suspect that most/all NAT boxes use MAC addresses in a predictable range based on Manufacturer and model.
To avoid this, get the MAC address from an old NIC, or a machine that will never be connected to the subnet on the cable-modem system, and (assuming your NAT box supports MAC spoofing) configure your NAT box to use that IP address.

More likely than not, the providers are too stupid to do the necessary research, and will look at the high bandwidth users and do a packet sniff to see what their activity looks like.

Re:methods

[Hertog]

This means they are looking INSIDE the packages (to find windows traces there...)

Can they do this without a warrant (Privacy et all?)

Re:methods

[JordoCrouse]

TCP Sequence Numbers

Can you imagine the amount of computing power they would need to maintain to prove something like this? They would need regularlly sniff packets from every connection, try to figure out the OS, store the data, and continue. Thats not to mention that about half the time the OS will come up "unknown". Oh, and by the way, heres an extra $10 on your bill to pay for the army of people to maintain this.

There is no attempt made to randomize this source port field selection and a clever heuristic could probably fingerprint it.

That would probably be a 5 line patch to randomize it.

Seems a little silly

[the_rev_matt]

What if I only have one computer online at a time? I go to work every day, but my wife works from home. Sometimes she's online on her Mac, other times on her PC. When I come home, she's watching TV while I'm on my linux box. How is that a problem?

Privacy?

[marcmac]

How much packet inspection can they do, legally? I realize that they can inspect headers, etc, to their hearts content, but can the ISP really monitor the _contents_ of my packet stream without already having clear evidence of an AUP violation? (I haven't read their AUP, so I don't know).

If they can, then it follows that they may read my email (again, without prior evidence of wrongdoing) in order to enforce their business practices - this seems like a pretty clear violation of privacy.

NOTE - I don't really think that my email is private, nor do I believe that IP traffic is secure - the question I'm asking isn't about the capabilities of the ISP. Rather, I'm curious as to whether or not they have the legal _right_ to monitor my traffic (payload, not headers) without a complaint (or a warrant).

Earthlink doesn't charge more for NAT

[pivo]

As far as I can tell, they only charge more if you buy their home networking kit for $149. Then they want you to pay $9.95 a month more. If you buy someone else's home networking kit, they don't charge you any more money (according to their FAQ, you're allowed to set up your own home network, they won't support it though.) I guess the $9.95/mo is for support then, still it doesn't make too much sense to me.

Re:methods

[Bobs2paksVegaSwirled]

An easy method is for the provider to configure their DNS server so that it periodically does a kind of traceroute in its reply. Then, count the hops back to the requesting machine. Are there any hops beyond the client ip interface? Then they're using NAT.

Did anyone ever consider this?

[acoustix]

...but did anyone think they'd already be harassing people that are using nothing more than the bandwidth for which they are paying?

The reason that broadband cable access is so cheap is because they don't exect you to use it all of the time.

I say that cable is cheap because you can get near T1 performance (~$600/mo) from a cable line. The companies don't want you online all of the time because it costs them more money for the extra bandwidth.

Its kind of like the 56k ISPs. You can have unlimited hours of use, but they don't want you connected if you're not using it. They don't want an idle connection wasting a phone line. Don't get me wrong though. I'm not on their side. I want to be able to run my network on a cable connection as well. We just need to compromise or something...

Re:Adelphia

[jhughes]

I work for Adelphia...and I've yet to see anyone get cut off for this (unless tehy were abusing it). Everyone in my department has a router and multiple PCs....so it's not a big deal:)

Class action suit?

[NanoGator]

At what point do these ISPs stop being 'Internet Providers', and start becoming 'Web Page Providers'? As early as a year ago, an 'Internet Connection' meant that my computer could talk to any other computer that is also on an 'Internet Connection.' Nowadays, though, ISP's are playing games with blocking off what you can do with this connection. It seems like companies like ATTBI really only want to provide you the ability to do what Internet Explorer allows you to do. Anything beyond that and they try to nix it.

They don't want me doing P2P, they don't want me to play games, they don't want me to have more than one computer hooked up, and they don't want me going wireless. How much more can they block off before its no longer really an Internet Connection?

It seems to me that if they are going to behave this way, then they shouldn't be considered Internet Service Providers anymore. They're not! You can't call it an ISP if they're telling you you can't do the things that makes the Internet the Internet. I have two computers on the net at home. One I use just as an email terminal (very low bandwidth), and the other is where I go cruising the web and do IM etc. Until they tell me that I can only use so much bandwidth, they have no business telling me I can't use more than one computer. They advertise "unlimited bandwidth, 24-7", and then they play these silly games with me. It really makes me want to sue for false advertising.

Re:They Wont Win In Court, Anyway

[Anonymous Coward]

Actually, they can't win in court because of precedent. The phone companies tried suing people with home PBXs some time back. The courts decided that what happens with the service after it hits the home is none of the phone company's business and the consumer is allowed to use the service they paid for in any way they see fit.

Comcast Tech Says...

[DaedalusLogic]

I asked: "I have a broadband router / basic firewall connected before my computer do you permit this? Or, do you not want one set up since multiple users can connect through one?"

and I quote: "We don't care, run the firewall, hook up a few computers, we don't really like servers on the network. Just be aware that when you call tech support we're going to ask you to remove the router so that we can test the connection."

If you're really concerned about it... don't run they're browser software... Don't go look at their homepages... I don't think I looked at Excite.com the entire 8 months I was a subscriber before they went down. Just pay your bill in the mail and enjoy the bandwidth when all the easily scared jump ship. If they do knock at your door, phone, e-mail... drop them... there's no contract involved and there are other ISP's out there. Hooray for capitalism!

Run some phone wire to your neighbor's house...

[Scratch-O-Matic]

I got pretty fired up when I read the introduction to this story. Before I got to the end, I had decided that I would switch to DSL if Comcast came-a-knocking, even though DSL is more expensive in my area.

However, I read the linked article and my Comcast agreement.

I doubt most people here have done either.

The effort is clearly aimed at people who are sharing their connections outside their homes. The article even has a diagram showing multiple homes. Take a look at this excerpt:

For example: Neighbor Bob buys cable modem service and a wireless home network. Neighbors Carol, Ted and Alice don't buy cable modem service, but they go out and buy antennas compatible with Neighbor Bob's wireless network. Everybody agrees to share Neighbor Bob's connection.

If you have a problem with trying to stop this type of activity, then you also probably think it would be OK to run phone line from your house to your neighbor's house, since you "pay for the bandwidth and can do whatever you wish with it." You would probably think it's OK to run Cat 5 or fiber all over your neighborhood too.

If Comcast tries to make me pay extra for having three networked computers, I'll be as angry as the next geek. But sheez, let's tone down the hype until that actually happens.

Re:methods

[Dudio]

But what it they rewrite their support pages to require that javascript be enabled? Combined with restricted access by origination network (like the parent mentions), this would allow them to examine everybody who needed to use their online support.

Interestingly though, check out this page [comcast.net], way down near the bottom:

• How do I configure my home networking equipment to function on the new Comcast network?

Although Comcast doesn't support Home Networking equipment at this time, we recommend that you review your manufacturer's guide for instructions on setting DHCP, a dynamic hosting configuration protocol, and domain names in the setup of any equipment you have connected to our network.

This seems to imply that running a NATed network is ok, though unsupported. I wonder how long before this item mysteriously disappears...

We'll see

[Pedrito]

I just e-mailed ComCast and told them that I have a Linux box set up as a firewall with 2 Windows 2K machines behind it. I look forward to their response.

My justification was as follows:

1: I don't trust Win2K to be directly connected to the internet because of the many security flaws of the past and surely in the future.

2: The 2 Win2K machines I use, 1 is for personal use, and one I use as a database server and to pcAnywhere into work. I never use both at the same time, I can't.

3: They're benefitting from the fact that I'm running Squid on my Linux box and therefore caching web pages and reducing my actual bandwidth usage.

If I get a response soon, I'll post it, but I've basically come straight out and told them the truth. How they react will be a judgement of their character as a company

I chose ComCast for 1 reason: I could get billing for cable and internet from one company. If they wish to deny me that, I'll simply switch to satellite TV and DSL modem, and they lose my business entirely ($100/month for them right now).

Re:They still won't know for sure...

[Anonymous Coward]

b)We're with Comcast. We found that you are using multiple computer over your connection via NAT. Comcast is fining you for TOS violation and your new rate is now $150/mo

My reply: "Fine, I want to cancel the service right now."

When I cancelled AT&T's cable modem service the order droid basically begged me to stay. "I'll even give you 6 months of a special promo pricing." Fe. What good is special pricing when the service no longer works for 7-day stretches 'cause they screwed up something at their end and refuse to even have a look until they can schedule a needless "service call". The loudest message someone can send a company is to quit doing business with them.

Re:Comments

[4mn0t1337]

All outgoing browser connections get labelled as MSIE/5.5

Why skew the stats in MS's favor? Change it to someother company that can use the market share reports. (Opera would be my pick, but I am sure you have your own.)

Re:I wonder what they plan to do?

[ivan256]

No Newsserver. The usenet is a valuble resource, every ISP worth it's salt has usenet access. Comcast customrs (the ones that got switched over) do not.

Actually this is exactly the kind of thing that needs to go away. If ISP's got rid of all the "value added" services and just provided an TCP/IP pipe, their costs would be low, and you wouldn't be locked in to their potentially crappy services. Of course they'd have to lower their prices to compensate...

You can get 2GB/month access to very fast news servers for $7 a month. The service is way better then any ISP's news server too. Doesn't it bother you that you're paying for all those extra services that you might not be using and you could easily provide yourself? I'm talking about things like e-mail and web hosting and news service, and DNS...

Not completely true....

[BeerVarmint]

I have a friend who uses a router with comcast. This concerned him enough to call them (in hopes of making a rightous big-stink!). They said there is NO problem with someone using a router (and using multiple computers). The only (no so) negative thing the tech said was "we offer multiple IP's; if you don't want to buy a router". This went down in SE PA.

My company does technical support for Comcast

[bobdole369]

While I don't work on the phones (my job is to keep the client machines that tech support personnel use for logging calls running) I do end up listening to quite a few calls in that account. In fact I was listening to call today, where a gentleman was trying to get his Linksys four-port NAT-enabled router working with Comcast's service. Not only did the tech not mention anything about not supporting NAT, but the tech support agent helped him set up the router, made it work with one machine, waited while this gentleman went to his other machine, and helped him ensure that his tcp/ip settings were correct. He was using the 192.168 network locally.
Hmmm maybe we're just slow to get the news?

Re:methods

[Molina the Bofh]

Get iptables [samba.org] for Linux, run make patch-o-matic, and install this [optional] target:


TTL - This target is used to modify the time to live field in the IP header. It is only valid in the mangle table.

--ttl-set ttl Set the TTL to the given value.

--ttl-dec ttl Decrement the TTL by the given value.

--ttl-inc ttl Increment the TTL by the given value.

A few comments.

[omega9]

Everyone seems to be making some great points that have sparked a few questions:

• What if I only have one computer but decide to put it behind a NAT box? Will a service tech have to come by my house to verify this?
• What about the whole new wave of broadband capable consumer devices like component MP3\MPEG-4 players that can stream internet radio? Would I have to pay $N more for each device I purchase?
• You can't argue against installing a firewall for security reasons. And it's much easier to drop a specially made hardware component in then configure your OP system to do it. My grandmother could install a Linksys router, but will never be able to truely configure a firewall. This would seem like they are disallowing easy\basic ways of safeguarding yourself.
• I have six machines behind my NAT box. Each is configured to tripple-boot with Solaris, Windows or Linux so I can test different network environments and combinations. Thats a total of 18 static IPs assigned inside the LAN and potentially 18 different outgoing browser headers. I am a single guy in a one room appartment who actually downloads very little. I am also crazy and have vastly different browsing habbits durring different parts of the day. How do you suggest I be charged?
• If they really want to do this right they're going to have to packet sniff. That means they'll be able to tell when (and what) you're IMing, FTPing, browsing, and they'll know any clear-text passwords you happen to use. I do not trust Comcast with this information.

Ok, new list with some other points:

• Running a proxy to mask your traffic is fine, but only for applications that support a proxy.
• When I picked up my home install kit the guy stated NAT boxes were fine.
• I didn't sign up to have an "internet desk", I signed up to have an "internet house". As in, one day I will have that wireless webpad on my couch.
• If I'm being pulled into an "oversubscription" model, it's not my fault. I.E. - I'm being given a ton of bandwidth, but they don't expect me to use it, and when I do I don't think I should be punished.

I've been a Comcast customer for some time and have had relatively no problems with them to date. I am a little concened that since my IP changed on the 22nd (our area's cutover) I'm unable to ping it from work. Something to do tonight I guess.

Re:NAT Detection method and avoidance

[dfranks]

Yes, but the vendor and product code are encoded into that MAC address. If you don't change the MAC address on the upsteam port of your NAT box, it is possible that the ISP can determine that you are using a NAT box.

This (of course) only applies to Broadband routers. If you are using a linux or windows box for NAT, then the MAC address will be one associated with a standard NIC. Most cablemodem users that are using NAT are using broadband routers, and unless the cable modem infrastructure is dispensing DHCP addresses by MAC address, those routers have the default MAC address. These are the people companies like Comcast will focus on (unless they just look at traffic levels and packet sniff to get an idea what you are up to).

The biggest bandwidth hogs on most ISP systems are alt.binaries.whatever downloaders, and PTP filesharing. Eliminating technical users with linux NAT boxes would not have a significant effect on their total bandwidth utilization.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:methods

[Another MacHack]

There are two kinds of cable customers, the kind who's looking to download as much as humanly possible, and the kind who don't pass more traffic than they would with dialup, they just get what they do get more quickly.

Two computers sharing a connection in a household of the latter kind of user means twice the bandwidth, and the cable company doesn't really WANT the first kind of customer.

Two leaches sharing a connection won't pull more data than a single leach, but two casual web browsers sharing a connection will use twice as much as a single casual web browser.

Devising Methods is Straightforward

[Anonymous Coward]

So, what are the methods they use, and how can I make it more difficult for them to tell if I have a machine running NAT?

Quite likely they had no particular technical approach in mind and planned on just waiting until the Slashdot crowd surveyed the possible techniques for them. That has been accomplished.

Talking to tech support, 101

[Splat]

I repeat: this is RUMOUR. Why is it on Slashdot? This is not responsible journalism.

But, since everyone else seems to be hopping on the bandwagon taking this as fact I'll chime in anyways.

The solution is to play it smart and don't ever ever tell tech support you're using more then one computer. If they accuse you of using more then one, deny it. They're going to have fun proving that one.

Adelphia Powerlink flipped their freaking lid when the guy was trying to troubleshoot my connection by pinging it and I told him I'd gotten his ping.

"How do you know that? It's coming up as host unreachable here."
"Yeah I know I'm running a firewall on my machine."
"What?! You're not allowed to use a firewall on our network!"
"Uhm, why not? Oh maybe I should turn it off so all these people trying to DoS me can mess up your network a little more?"

So remember, when calling tech support:
1) You are using 1 computer.
2) You are using Windows.
3) Never mention the words: firewall, router, linux, server. They are verboten.

Always "follow" their absurd troubleshooting suggestions no matter how stupid they sound. Hey.. sometimes they do work, but otherwise just take what they tell you and translate the steps into your OS of choice. Or if you already tried it give them the answer they're looking for.

Re:Run some phone wire to your neighbor's house...

[stmfreak]

For example: Neighbor Bob buys cable modem service and a wireless home network. Neighbors Carol, Ted and Alice don't buy cable modem service, but they go out and buy antennas compatible with Neighbor Bob's wireless network. Everybody agrees to share Neighbor Bob's connection.

Yea, I have a problem with an ISP trying to stop this sort of behavior. It's a matter of retroactively trying to solve a bad pricing model with more stupid, unenforceable rules.

If one shares one's phone line with the neighbors, one is restricted from use when others are using it. Presumably, someone is going to get sick of the inconvenience and buy their own line.

Same with bandwidth. There is a finite amount. If I share TOO MUCH, my pipe to the internet will suck. Not to mention the poor saps on a metered plan. However, when it comes to Cable service broadband there are interesting differences:

1. The cable tv model doesn't work this way, sharing doesn't hurt MY TELEVISION signal, but does hurt cable company revenue. Sounds unfair and thus illegal. Anyone wonder why cable broadband thinks they can enforce similar rules on their ISP customers?

2. But sharing cable broadband DOES impact the service... with a catch: Whether I share via NAT or the cable company signs up my neighbors direct doesn't matter, it still hurts my bandwidth.

So the instinct is to screw the company and share with your neighbors for a split of the fee. The fallout of which is that the cable company might not install a fatter pipe to your neighborhood (a questionable scenario even if everyone was honest).

The answer of course is to support the ISP/service with the plan you like. I hate big conglomerates and am fortunate enough to have a few choices, some of them pleasant.

Re:Uhh...

[Frater 219]

Wouldn't the randomness itself indicate an intent to deceive?

On the contrary. Having a bunch of nodes behind an OpenBSD NAT firewall with state modulation should, it seems to me, look the same to an outside observer as having a single OpenBSD node.

Nevertheless, the documented point of state modulation isn't to hide the fact that you're doing NAT. It's to correct for the fact that many operating systems pick initial sequence numbers poorly, and are thus vulnerable to sequence prediction attacks [bindview.com]. So there may well be ways to tell the difference -- though it would surprise me.

In the end, though, I agree with the sentiment expressed elsewhere under this topic: that ISPs are misguided in trying to penalize intelligent use of their services, but also that users are misguided in playing hide-and-seek with bad ISPs' policy enforcement rather than choosing more honest and professional ISPs.

Free cable?

[underworld]

How many people do you know that have free cable TV? Wouldn't it make more sense for these idiots to spend their time trying to bill people the $30/month for cable tv rather than $6.95 for an extra IP address? I guess prioritizing business goals is not a characteristic of cable broadband providers (see "Excite@Home").

Re:TTL?

[Paladin128]

Not all broadband providers suggest a firewall. I believe comcast explicitly forbids it, as their method of having multiple computers on a network is:

1) Purchase a 5-port hub
2) Plug cable modem into it.
3) Plug up to four computers into it
4) Pay $5 for each additional IP used

You are explicitly NOT allowed to have anything in front of those boxen, thus they would not be able to assign you IP's, and you would not pay them extra. The cap of 4 PC's is too low as well.