Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Privacy Wireless Networking Your Rights Online Hardware

More On Detecting NAT Gateways 551

tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."
This discussion has been archived. No new comments can be posted.

More On Detecting NAT Gateways

Comments Filter:
  • But... (Score:2, Insightful)

    by elixx ( 242653 )
    Will ISPs use it against us?
    • ... if you're paying for a service where you're only supposed to connect one host, it seems reasonable, doesn't it?
      • Re:But... (Score:3, Interesting)

        by realdpk ( 116490 )
        I wonder how much it'd cost per month to have an ethernet card in my TiVo and printer.
        • This is something that cable ISP's need to address.

          Groan. Sorry. I couldn't help myself.

          But they know this is an issue, and that's why they'd rather turn a blind eye to the guy who has an ethernet connected to his canon inkjet printer, and concentrate on the kid who's sharing his connection with two neighbors and a file server.

      • Ummm no ... (Score:5, Insightful)

        by bizitch ( 546406 ) on Wednesday April 23, 2003 @09:42PM (#5795870) Homepage
        How does it cost the ISP more if multiple people share a broadband line? Where is the additional expense to the ISP that needs to be covered?

        Go ahead let them screw their customer base over - sure that'll work! - Good plan!

        And another thing ... do you know how stupid it is to directly connect your box to that cable/dsl modem thing with out at least hiding behind some kind of NAT?

        Go ahead and try it - be sure to run BlackICE or something so you can count how many times you get portscanned in an hour ..
        • Re:Ummm no ... (Score:3, Interesting)

          by mr. methane ( 593577 )
          The additional costs are for:

          Bandwidth (about $50-130/mb wholesale)
          Customer support (additional troubleshooting)
          Security (more machines, more chance for trojans, etc)
          Repairs (the guy with six people sharing a cable modem is going to expect instant service restoration, whether he's paying for it or not)

          And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out.
          • Re:Ummm no ... (Score:4, Informative)

            by Rude Turnip ( 49495 ) <{valuation} {at} {}> on Wednesday April 23, 2003 @10:05PM (#5795984)
            There are no additional costs.

            Bandwidth: You can only suck so much down on a broadband connection at a time. One guy downloading MP3's all day is using more bandwidth than two people in a household with simple needs who want to network their two computers.

            Customer Support: If the service contract says one IP, one system, they're not going to help you solve problems with your network. Comcast refuses to troubleshoot anything for me until I plug my system directly into the cable modem, for example.

            Security: The user bears this cost, not the ISP.

            Repairs: If you pay for "consumer level" service, they're only going to give you "consumer level" service, regardless of how many people use the connection.
            • Re:Ummm no ... (Score:5, Interesting)

              by n3k5 ( 606163 ) on Wednesday April 23, 2003 @10:33PM (#5796111) Journal
              There are no additional costs. [...] You can only suck so much down on a broadband connection at a time.
              You're assuming here that every customer is maxing out his/her bandwith all the time, as if every customer had a P2P client running all the time and enough active downloads that more data is available than he/she can suck down. However, this is not the reality, hence this is not how ISPs calculate their fees. If they did calculate their fees that way, their service would be much more expensive. Just compare with enterprise-level ISPs that sell 24/7 _guaranteed_ bandwidth. So, ISPs are saving costs because their users don't use all that bandwidth -- and this is even true if they charge for the MegaByte instead of a flatt fee! More users means making more use of the available bandwith, means more costs.
              If the service contract says one IP, one system, they're not going to help you solve problems with your network.
              A reasonable contract says one system at a time, they'll let you upgrade your PC, they'll let you run different operating systems, they'll most likely let you plug in your laptop you took home from work. Now if you have trouble setting up the connection on any system, they should help you even if they helped you before with another system.
              • Re:Ummm no ... (Score:4, Interesting)

                by Slime-dogg ( 120473 ) on Thursday April 24, 2003 @01:30AM (#5796796) Journal

                You're assuming here that every customer is maxing out his/her bandwith all the time, as if every customer had a P2P client running all the time and enough active downloads that more data is available than he/she can suck down.

                I think the point is that there is a maximum amount that you can utilize in a day. My cable modem is capped at 1.5 mbps (I hope). That given, I can download a max of 129600 mbits, or 16 GB in a day. I'm never going to see maximum bandwidth usage, we'll say it maxes out at around 800 mbps, which means I'd be able to d/l 8 GB.

                Now, it's definitely possible that I'd do something like that, but I don't need more than one machine to do it. Get it? I have one machine continuously connected, continuously using the maximum amount of bandwidth that I can use, and it's going to be 8-16 GB / day. If I had 2 machines, I'd still be maxing out at 8-16 GB / day.

                Having more machines connected to my gateway does not increase the amount of bandwidth available to my cable bridge. It does affect the amount of bandwidth that each of my machines get individually, in that it goes down with the number of machines. If it went up, then we'd have some interesting physics working in this world.

                I really don't care if Comcast disconnects me for having more than one machine connected to my modem. Sure, it's against my TOS, but I could just as easily sign a contract with a more agreeable company if Comcast boots me. It'd be a small loss of service on my part, a big loss of profit on their part.

                If I were them, I'd let the users do whatever they want, as long as they don't fuck with the cable bridge. That's all comcast really has to be accountable for. If they can show that any machine on the other end of the network cable that is plugged into the cable bridge is getting a signal, then they are following the terms of their contract. If the machine is not getting a signal, then they are liable. The end user should be liable for anything that occurs within the household that is a third party to the cable network.

          • Re:Ummm no ... (Score:5, Insightful)

            by nolife ( 233813 ) on Wednesday April 23, 2003 @10:23PM (#5796069) Homepage Journal

            Bandwidth (about $50-130/mb wholesale)

            Number of computers in a home environment does not automatically mean more BW. It may come in spurts but not more overall. I go online and do certain things every day. I can do this before, after, or during the times the kids are on and use the same exact BW either way. My firewall is reject unless specifically allowed (limits trojans and spurious connections), I use squid and have every PC set to use it via a proxy.pac autoconfig (currently at over a 45% hit rate after 80k requests) and a caching DNS server.

            Customer support (additional troubleshooting)

            Maybe, maybe not, I also think this would reduce support as you can eliminate probles related to your PC as you can try another one, or blame it on the ISP.. I would also suggest that a person with a multipc setup is probably smarter then the average computer user and would call support less.

            Security (more machines, more chance for trojans, etc)

            This is laughable. It would be much safer to have 15 computers behind a NAT box/firewall then one Windows or misconfigured Linux machine directly connected.

            Repairs (the guy with six people sharing a cable modem is going to expect instant service restoration, whether he's paying for it or not)

            So what your saying is everyone with one computer should not expect good service and fast repairs? They just sit back and wait for the ISP to find the problem and they should not expect the service to work when they need it?

            You do have points but those can not be seperated into those with and without NAT.

            And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out.

            What do you mean set one up, they are everywhere. Check the advertisements for Comcast, RR, Verizon, Speakeasy, and many others. They all say pretty much the same... Unlimited internet and connected all the time so your online experience is fast and quick. Maybe they should change their tune. Kind of like my cell phone plan.. Unlimited nights and weekends, free long distance, unlimited phone to phone, and unlimited web access. Do you think I should feel guilty when I use it? I don't, that's what they are advertising and that's what I bought the damn things for. Sure as shit, I browse the web with the phone whenever i want, I call all my relatives after 9:00pm or any time during the weekend, and I call phone to phone just because I can.

          • "And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out."

            In our case, it is. It's a member-owned cooperative. I used to pay for someone else's Hummer and house with a pool, now I get a check back every year, and a vote in the management of the cooperative. I live 55 miles from the city and have excellent DSL service. And I must admit, I have downloaded plenty of Linux ISO's and 'other' big files, even had my "Internet Cafe" with 5 machin

          • Re:Ummm no ... (Score:3, Interesting)

            by epine ( 68316 )

            These extra costs are guilt by association. How does two OpenBSD boxes add up to a greater risk of being trojaned than a single Windows box?

            I suppose the number of hosts could correlate to these cost variables, but many other indicators correspond a lot better, and of those many are negative correlates (power users need less support than novices and are less likely to harbour or spread trojans).

            Do I get a discount from my ISP for configuring rules into my OpenBSD firewall preventing any of my client h

        • by benna ( 614220 )
          Not blackice cause then not only will you be port scanned but also hacked to pieces.
    • Will ISPs use it against us?

      They might. If in their terms of service they specifically disallow connection sharing via NAT, you have no (legal) resource.

      But I think the main purpose would be for corporations and other networks to detect potential security breaches.

      A *lot* of spam comes from insecure proxies that are sometimes installed on end user machines, not on corporate gateways and, as stated in the article, if said proxy has a wireless interface, you just opened a huge hole in your network.
    • If they do, neither Earthlink nor Speakeasy, to name but two ISPs who have fairly extensive coverage throughout the US, have any objection to you using either. Earthlink does stipulate that it will not provide support to someone using NAT or some other form of connection sharing, but that's as in "Ok, before I answer your question about why your connection isn't working, please disconnect everything except a PC with a supported configuration and the DSL modem. Thank you, now..."

      I use Earthlink, hear good

  • by edrugtrader ( 442064 ) on Wednesday April 23, 2003 @09:28PM (#5795773) Homepage
    you build a better detector, and all that will happen is local NATs and gateways and routers will use IP to its fullest extent to make the packets look they they were coming from a single machine. this is another type of "lets stop spam" mission. you can't do it, stop trying.
    • Exactly.

      After reading the article I've said to myself: hm, I'll have to take care of these things... instead of: hm, I'd better not use NAT.

      OTOH, if you have machines wtih different OSes, it may be pretty difficult to make it look like the packets are coming from a single source, even when only passive fingerprinting is used.
    • by lactose99 ( 71132 ) on Wednesday April 23, 2003 @10:31PM (#5796103)
      If you added a second router in between your host and the gateway, you'd have an even TTL leaving your gateway, which would defeat this method. I suspect you might even be able to modify your gateway (if its opensource, that is) to deduct an additional TTL for you.

      You could also defeat the tcp sequence number couinting method by using OpenBSD as a NAT device. Its included packet filter has an option to randomize the sequence numbers of outgoing tcp packets.
    • by Casca ( 4032 ) on Wednesday April 23, 2003 @10:56PM (#5796223) Journal
      Holy crap, I agree with someone else on /.

      I just can't see this working. They are making assumptions based on some arbitrary implementation of a portion of the IP protocol. It doesn't even rely on any RFC type standards as far as I can tell. This could probably be fixed in NAT devices that are capable of having their firmware upgraded, or someone could just write a hack to the IP driver for the source host and be done with it.

      • I just can't see this working. They are making assumptions based on some arbitrary implementation of a portion of the IP protocol. It doesn't even rely on any RFC type standards as far as I can tell. This could probably be fixed in NAT devices that are capable of having their firmware upgraded, or someone could just write a hack to the IP driver for the source host and be done with it.

        Yup, this is a non-event except as an annoyance to people who will require firmware upgrades.

        Every single aspect that

  • still same bandwidth (Score:4, Interesting)

    by boolean0 ( 448844 ) on Wednesday April 23, 2003 @09:28PM (#5795775) Homepage
    people are still using the same amount of bandwidth payed for, no matter how many machines are using it. when will these companies realize that many people have multiple computers in their home?
    • The numbers don't bear this out. Even if two machines are just sitting idle, they both download patches, query DNS, etc.

      ISP's *do* realize that people want to connect more than one machine. This is simply a mechanism for identifying people who violate their agreements.
      • I have more than one machine, but only one has a harddisk, the rest is diskless, hence the patches are downloaded only once. Plus I run my own bind (dns cache), ntpd, etc, so the extra machines don't generate extra traffic, just a higher electricity bill.

        My cablemodem provider allows me to use NAT, they just don't support it.

        Like the other poster said, if someting like this will be used to 'enforce' limiting 'agreements' (if you can call it that, because where was the negotiation that led to the agreement
      • How is that any different than 1 machine doing 24x7 leeching? Plus, the folks most likely to actually DO things like patch their machines, run daily updates, reload /. every 30 seconds, etc, are likely the same folks who'll set up caches, proxies, and local (DNS/mail/web) servers, thereby reducing the load on the network and/or the ISPs' communal servers. (An example: I have anywhere from 3 to 6 machines on my internal network at any one time. All internal machines' DNS queries a caching nameserver, I run
    • by SWroclawski ( 95770 ) <> on Wednesday April 23, 2003 @09:37PM (#5795838) Homepage
      Well every industry goes through this it seems (at least in the US).

      The phone company used to care how many phones you had. Then the cable company charged per teleivion, and some ISPs care how many computers you have.

      The key difference I see is the two previous mentioned industries had those issues resolved by regulation. Regulating consumer grade ISPs might not be a bad thing and finally set limits on things like number of computers or port restriction. And if not- at least we'll know what "comsumer grade" service is and all switch to "Small Office" connections, which already seem to be the way to go for people who actually want to use thier internet connection at home.

      - Serge Wroclawski
      • You Sir, have a great city named after you.
    • by mattyohe ( 517995 ) <matt.yohe@g m a i l . c om> on Wednesday April 23, 2003 @09:39PM (#5795852)
      Try reading your contract agreement.. If it doesn't mention it.. you are in the clear.. if it does, you need to learn how to make your NAT gateway not reveal the IP TTL.

      That is.. if you are actually worried about anything.
  • by SeanTobin ( 138474 ) <> on Wednesday April 23, 2003 @09:29PM (#5795785)
    If isp's tried to use this in any kind of meaningful way, suddenly there would appear dozens of nat gateway scrubbers that would make sure that the output packets are all uniformely generic. It'll probably turn off the evil bit too.
  • by Blaine Hilton ( 626259 ) on Wednesday April 23, 2003 @09:31PM (#5795790) Homepage
    The whole idea of the Internet is a network of networks. Things like this along with certain large ISPs blocking any email from whole blocks of networks without reason leads me to wonder how open the Internet really is, and how closed it could become. ISPs should be selling network connectivity, without restricting what use that connectivity has. I have the same feeling with business phone lines. Businesses are charged more just for being a business, they may use the phone more, but not necessarily.

    Go calculate [] something

    • by emag ( 4640 ) <slashdot AT gurski DOT org> on Wednesday April 23, 2003 @09:47PM (#5795891) Homepage
      The theory (at least it was several years ago) is that business class telephone users aren't actually being charged more for being a business, but that home users are being charged less since they don't typically use the resources at peak times (read: during the daytime) when excess free circuits are at a premium. In other words, the theory is/was that business are *subsidizing* home users.

      Now, in today's modern world, with most of the (modern) phone network being packet-switched, it's probably just another way to eek out extra money from a more or less captive audience. Of course, you just know that if businesses were being charged less, home users would still end up paying more in the end. *sigh*
      • I've never heard it described that way, but it makes me wonder why I didn't go into marketing!
      • Packet switched networks don't magically disappear the problem of congestion during peak hours. It can degrade more gracefully when overloaded, but that doesn't mean the phone company won't try to avoid it, and it doesn't mean they won't still charge more for customers who will tend to use capacity at peak times.
    • No matter how much I would want that too, the sellers don't care about what the "idea of the Internet" is. The sellers are just optimizing their income, and the buyers their expenses. Whenever one of the parties becomes complacent, the other party wins (and throws a quiet party). There will never be an end to this.

    • It's not about technology -- it's about money. They don't care about the physical limitations, they're looking to make an extra dime from you for the same amount of service.
  • by jfisherwa ( 323744 ) <> on Wednesday April 23, 2003 @09:32PM (#5795795) Homepage
    This is going to be used by your ISP to assure you aren't sharing your connection among multiple computers without paying a monthly surcharge for each.

    On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.

    • by phillymjs ( 234426 ) <slashdot AT stango DOT org> on Wednesday April 23, 2003 @09:37PM (#5795841) Homepage Journal
      ...we will soon see ways to fool this check and go back to business (balance) as usual.

      Yep, and then the parties interested in counting NATed machines will go buy a law criminalizing circumvention of their "AUP Enforcement Technology."

      After all, only terrorists don't want anyone to know how many machines they've got connected to their cable/DSL modem, right?


      • After all, only terrorists don't want anyone to know how many machines they've got connected to their cable/DSL modem, right?

        Hey, thats a great Idea, lets License every IP! That way the government can get a few billion in tax money! I bet the RIAA/MPAA would love access to a database like that!
    • On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.

      WTF do you mean by "soon"? Try "years ago". Oooohhh, these uber h4x0rs figured out that a router decreases the TTL, excuse me while I worship their skillz.

      Okay, I feel better now.

      Anyhow, it's insane that they would even try this. First of all, it doesn't have to be NAT... Any router/firewall will do th

    • "There has grown up in the minds of certain groups in this country the notion that because a man or a corporation has made a profit out of the public for a number of years, the government and the courts are charged with the duty of guaranteeing such profit in the future, even in the face of changing circumstances and contrary public interest. This strange doctrine is not supported by statute nor common law. Neither individuals nor corporations have any right to come into court and ask that the clock of hist
  • by shr3k ( 451065 ) on Wednesday April 23, 2003 @09:33PM (#5795807) Homepage
    So, if they don't want me to use NAT, does that mean they want me to connect each box to their internal network? Meaning I (and everyone else) can get access to computer B's contents when I'm trying to access it from Computer A?

    Why can't they just have a flexible plan where I say, yes, I admit I have 3 boxen behind NAT and agree to pay an extra $5 to $10 a month? Or is this too logical for them to do?
    • Why not find an ISP with a clue who allows multiple machines to use the connection. Mine does, but I'm in a different country so that's not much use.

      If you are going to pay extra I'd want IPs not NAT...
    • That is the usual route they take. My local Cable internet provider will sell up to 3 IPs through the same cable modem (marketing or hw/sw limitations don't allow more than 3 per modem)

      Fortunately, I never had to worry about that with the use of a simple Linksys gateway router. Now I don't know how the gateway router changes the bits of packet headers to eliminate host counting (one way to count hosts behind NAT).

  • by 1984 ( 56406 ) on Wednesday April 23, 2003 @09:35PM (#5795816)
    From the article:

    "The algorithm for detecting NAT routers relies on the observation that switches directly connected to a host, or in the same subnet as a host, will always see packets from the host with a TTL that is characteristic of the host operating system."

    So if you play with the OS fingerprinting (and TTL), you can likely fool this method. Don't forget that your NAT is rewriting part of the information in each packet anyway. It would be more expensive (but probably not prohibitively so) to rewrite more of that information. It is, after all, information for moving the payload around, and not the payload.

    This just ups the ante a little.

    • How soon will Linksys have a BIOS update that does not decrement the TTL? I could see money for the first NAT box vendor to have the first flash update on the market.

      Seriously, modifing the TTL on packets could severly degrade a network if placed where a loop is formed. Runaway packets would not die as they are supposed to.

      Most home networks do not have any place to form a loop, so not decrementing the TTL shouldn't make a diffrence to a home network NAT router.
  • by bizitch ( 546406 ) on Wednesday April 23, 2003 @09:35PM (#5795819) Homepage
    .. All those Linksys/Belkin poor man router users that are out there - and one day they're gonna get a bill from they're already expensive broadband provider and ...

    WHAMO! Instantly pissed off customer base!

    (is UWB ready for prime-time yet?)
  • by Anonymous Coward
    Looking at the paper, it doesn't seem to mention any new techniques (ie analyzing something other than the IP ID field) beyond what Bellovin has already posited. As such, I would presume that OpenBSD's pf changes are still a valid way of circumventing this issue. Looking at his charts, the TTL variations did not appear to yield differentiating evidence without also correllating the IP ID field. For more information on the pf techniques at circumvention see:
  • not all ISPs care (Score:3, Informative)

    by brer_rabbit ( 195413 ) on Wednesday April 23, 2003 @09:36PM (#5795834) Journal
    I think most smaller ISPs don't really care if you're using NAT. In fact, I bet lots of ISPs expect you to. Your best bet is to read the terms before signing up and stay away from the AOL/Earthlink conglomerate types.
  • by BrookHarty ( 9119 ) on Wednesday April 23, 2003 @09:38PM (#5795846) Homepage Journal
    Nice, besides an ad for Sflow, just shows some more holes we need to patch, and more standards to break.

    OS fingerprinting was nice, but now some boxes are replying as a tandy coco, its a very amusing battle. Now TTL is being used to determine multiple Nat'ed IPs. I'm sure someone will write a nice nat module for linux/etc to bypass this also. Seems like the endless cycle of control freaks loosing control.

    BTW, not sure which ISPs care about NAT, but there are very very large NAT friendly ISP's out there. (Speakeasy for one)

  • Thanks, sFlow! (Score:5, Interesting)

    by frohike ( 32045 ) <bard.allusion@net> on Wednesday April 23, 2003 @09:40PM (#5795854) Homepage

    I just wanted to extend a big thanks to sFlow for posting this paper (and the AT&T people for posting theirs). Despite the fact that DARPA screwed Theo & Co, they are probably already adding a "modulate TTL" setting to pf as we speak.

    And of course if you're ultra-paranoid, then just use something like socks or squid to proxy most or all of your TCP connections, and it's 100% indistinguishable from your firewall making the connections out. Because your firewall is making the connections out.

    When will they learn?

    Kinda irritates me that stuff like this may make my nice all-in-a-box Netgear NAT useless some day, but it's nice to know that people like OpenBSD are there to back us up.

    And like someone else said, what exactly does the cable company expect me to do? Expose all of my internal network to the internet? Cha right! They wouldn't even give me more than 3 IPs anyway!

  • ISP care? (Score:4, Insightful)

    by ejaw5 ( 570071 ) on Wednesday April 23, 2003 @09:41PM (#5795860)
    ISPs sell you connectivity, what right do they have to tell you what you can't do with it? Does your electric company tell you what you can and can't plug in and how many things you can power? Now, if i run extention cord around the neighborhood and charge people for it, then there might be a problem.

    On internet: For all I'm concerned, I have *ONE* computer connected to my DSL, and other computers connected to the one computer. ISP gonna tell me I can't connect computers to each other? What's next? It'd be illegal to have multiple screen/keyboard/mouse on the ONE computer? (i think this can be done...buddyPC??)

    The 'client' computers access resources on the 'gateway', which happens to include the external internet filtered through the firewall. I dont have multiple computers connected directly to the internet, that's just insecure.

    And besides, what are they losing anyway from NATs? It's the same connection/bandwidth. 150kbs down on one box is the same as 150 split to 75kbs down on 2 computers. It's still only one IP. Whatever activity (and any responsibility) that goes on is on ONE account.
    • That doesn't matter to them. If the ISP is interested more in money than satasfaction, then they will care how many computers are behind it. Many computers hints of a home business trying to pass itself off as a private user. And everyone knows that business stuff is more expensive (note sarcasm).

    • Re:ISP care? (Score:3, Insightful)

      by Sabalon ( 1684 )
      The phone company went through the same thing - they wanted to charge you for the phone and each jack.

      The cable company went through the same thing - they wanted to charge you per TV.

      In both cases, the govt stepped in. Also, in both of those cases, it really doesn't matter if you have 1 or 100 TV's hooked up - the signal coming into the house ies the does not affect them in any way.

      However, with broadband the ISP's have a bad business model - they have x capacity, and sell for more than x on t
  • by jsse ( 254124 )
    afaik Super-DMCA will outlaw all attempts to conceal information in all communication devices, that'll illegalize all firewall, NAT and edge routers, etc.

    Stupid as it sounds, but it goes thru our senators, it couldn't be wrong.

    The little downside is that the only job left for IT is tech support for Windows installation....
  • Legal? (Score:3, Interesting)

    by NETHED ( 258016 ) on Wednesday April 23, 2003 @09:45PM (#5795882) Homepage
    Is it legal for the ISP to sniff your packets? I'm very ignorant when it comes to such things, but this screams privacy issues.
    • Re:Legal? (Score:2, Insightful)

      by realmolo ( 574068 )
      They're only "your" packets until they leave your computer. Then they are their packets, since they are on their network.

      So yeah, they can sniff packets all they want. You agreed to that when you paid for their service.

      Now, using what they find in your packets against you in court, or really doing anything with them other than protecting their own network/contracts...that's different.
  • by pjkundert ( 597719 ) on Wednesday April 23, 2003 @09:47PM (#5795892) Homepage
    The technique describes depends on two very simple mechanisms; A) assuming that a NAT router will decrement each packet's Time-To-Live (TTL), thus exposing its presence, and B) searching for independent, incrementing sequences if IP packet ID's, to estimate the number of hosts behind the NAT router.

    The time before there are "fixed" versions of both NAT (which don't decrement TTL), and of IP packet ID's (changing all ID's into a single monotonically increasing order, or randomizing them) will be measured in hours.

    Hopefully the authors of this paper aren't doing research for a living...

  • This will be easy to fix. A hack to your NAT box source code (you are doing NAT with OpenBSD, Linux or some other open source system, right?) to remove the TTL decrement for NAT traffic (or re-increment it where the decrement can't tell the difference) would get around that aspect of the problem. I'd argue that one can NAT in a transparent "switch", which would not decrement TTL, so why not just make the OpenBSD or Linux box do that.

    And for fun, add a randomizer to the initial TTL value. Thus instead of

  • Anyone know if there is a list of Hardware that uses sFlow?
    • Re:Hardware list? (Score:3, Informative)

      by joer ( 75310 )
      Check the sFlow "Participants" page here [].
      And note that ntop [] groks sFlow, too. Open source traffic characterization, with an open standard for instrumentation. Very cool.
  • The described technique works by taking advantage of the fact that NAT forwarders decrement the TTL (Time To Live) field of the packets. So NAT flows

    There's an easy way around this - especially for Linux boxes serving as NAT forwarders via ipchains' MASQ option:

    Modify the software to allow the configuration to specify rewriting the TTL field to a value appropriate for a packet originating in the MASQing box. Apply this (at least) to packets net-bound.

    (It might also be wise to allow the configuration to
    • The described technique works by taking advantage of the fact that NAT forwarders decrement the TTL (Time To Live) field of the packets. So NAT flows ... show a TTL fingerprint different from a flow originating at the forwarding machine.
  • I doubt we will ever see this technique used by ISP's, at least in the states, because there is simply too much competition. ISP's already have a tough enough time attracting customers, the last thing they want is a reliable $50/month going out the door. Routers are becoming too ubiquitous to start changing pricing policies to squeeze an extra buck out of consumers that already pay too much for broadband.
  • Just change ISP's (Score:3, Informative)

    by _UnderTow_ ( 86073 ) on Wednesday April 23, 2003 @09:55PM (#5795934)
    If you don't like your ISP's policies then change your ISP.

    I get my DSL through, and so far they seem to be about the coolest provider I've heard of. They don't care how many machines you have hooked up to your connection, they don't care if you run servers, they actually encourage you to share your connection via wireless networking. I read in one of their recent newsletters that if you set up an AP they'd like to know so they can tell the other speakeasy customers about it. I'm pretty sure they're available in most large cities (i'm in seattle).

    If you want to sign up and don't mind sending $50 my way use this [] referral link.
  • Multiple NAT Routers (Score:2, Interesting)

    by ArkiMage ( 578981 )
    Linksys and similar NAT devices are cheap now. What if you used 2 in sequence? I've done this before, but not for this type of reason. I know it will physically work but wonder about what it would do to this ability to count machines behind a NAT router?
  • Yawnn.. iptables? (Score:5, Informative)

    by MacroHard ( 107619 ) on Wednesday April 23, 2003 @09:58PM (#5795955) Homepage
    iptables -t mangle -A OUTPUT -i eth0 --ttl-set 64
    • Re:Yawnn.. iptables? (Score:4, Interesting)

      by graf0z ( 464763 ) on Thursday April 24, 2003 @04:46AM (#5797327)
      This will break some things, i.e. traceroutes from NATed boxes to the outsinde world. Better: change default initial TTL on the packet originating box. I read a reply with the according MSwin-registry-entry, this is for linux:
      /sbin/sysctl -w net.ipv4.ip_default_ttl=129

  • Yes, and.... (Score:5, Informative)

    by djupedal ( 584558 ) on Wednesday April 23, 2003 @10:01PM (#5795962)
    I have three computers and a PS2 behind an Airport Base Station on a VDSL connection.

    When my ISP shuts down all the chatter I see, around the clock, from Code Red hits (default.ida requests, etc.), like 12~14 per second, I'll be happy to discuss my 'expanded' bandwidth usage and how it impacts their resources.

    Code Red has little direct impact on my boxes, since I'm MS free, but with the general effect being a load on the network right up against my VDSL modem, this is still a very real issue. If the ISP's want to reduce loads, they can look to stop some of the noise from other sources as well. What other sources? Let me think...ummm...spam mail? Port scan probes....
  • I know ISP's and stuff can find out how many computers are hooked up through your NAT/Router box, but what do they do if I'm running a DHCP server on a computer hooked to a simple hub? Can they still see how many computers are behind it?
  • by Moses Lawn ( 201138 ) on Wednesday April 23, 2003 @10:09PM (#5796012)
    Everybody here is saying "just fix the NAT code to not decrement the TTL and we're cool", but it's not that easy. At the end of the article (you did read the article, right?) it refers to an AT&T research paper (PDF) [] on counting the number of hosts behind a NAT box. This is done by looking at packet sequence numbers, using the fact that each host generates its own sequence. This chart [] shows what happens. If you see one set of packets starting at 20,000 and another at 50,000, all overlapping in time, it's a good bet there are two hosts. It also points out that the default high port numbers NAT uses are another good clue to the presence of NAT.

    Port numbers are easy to change, but if your ISP wants to do traffic analysis on your IP address, there's not a lot you can do to hide. I'm just very, very glad that I have an ISP [] that doesn't suck. In fact, they're pretty damn cool.
    • by pr0ntab ( 632466 ) <> on Wednesday April 23, 2003 @11:32PM (#5796384) Journal
      Well, if you use Win2k, XP, Mac OS X, Linux or Solaris, you're covered because the sequence numbers are already random, and thus you can't use the counting technique.
      And if you have old computers, you won't need to modify anything except for your firewall rules. If you have *BSD, you have the sequence number rewriter, which is also available on linux as the "ippersonality" extension to the iptables firewall. Both of these guys also support ttl mangling too (built-in).

      You have the power to make your network look like whatever you want. It's nice to have an ISP that's cool, but if you're unlucky, they'll never be the wiser. In a way, if you're going through such effort, you're probably helping them out somehow by wrangling your own network into some resemblance of order. ^_^
  • Prove it (Score:3, Insightful)

    by retro128 ( 318602 ) on Wednesday April 23, 2003 @10:30PM (#5796100)
    Be that as it may, the approach to finding computers hiding behind a NAT box is an inexact science. It's probably of more use to crackers than ISP's. Such graphs of the decremented TTL's of suspected NAT boxes can be explained away by anomolies in the user's firewall software, or what have you. If the ISP implemented something like this and started calling people saying "you've violated the terms of service", you can just play the dumb user and say "I don't know what you're talking about, there is just one computer hooked up to the connection. What's this NAT you speak of?"

    How can the ISP prove conclusively that you have a dozen boxes hooked up to the connection? Get a search warrant and take pictures? I think not. While the technique described in the paper is certainly clever, I believe it would have little value in nailing users to the wall when it comes to sharing access.
  • by serutan ( 259622 ) <> on Wednesday April 23, 2003 @10:48PM (#5796181) Homepage
    See what happens when powerful tools get into the hands of terrorists?
  • by sheddd ( 592499 ) <> on Wednesday April 23, 2003 @10:55PM (#5796218)
    (I'm ignoring the cost of creating/leasing lines and support)

    ISP's costs are based on bandwidth used (this can depend on when the bandwidth is used, and whether it's up or down and out of their netblock or inside it). The # of machines connected has no bearing and it's pretty damn difficult to define a 'connected pc' IMO. Which of these would you include?:

    - A hardware router running embedded linux
    - A hardware router running embedded linux which I've hacked and can surf with
    - A linux router (with no keyboard/monitor)
    - A linux router (with a keyboard/monitor)
    - A palm which is connected 1nce per day to a windows machine behind the router
    - A bloke who's hijacking my WiFi connection
    - A bloke who's hijacking the hijacker's Infared port
    - My laptop which I plug in at night and take to work the next day
    - An x server (Or Windows Terminal Server) serving 50 websurfing clients

    Will I be charged for maximum# concurrent natted boxes, or average# of natted boxes? Or some other sceme?

    I don't see where you could draw a nice precise black line on the definition of internet client; it all looks grey to me.


    I think ISP's don't charge for bandwidth YET because it'd cost them money to measure it. I assume it would cost them more to measure {average or maximum natted boxes}. I think they'll finally see the light and begin charging an amount that has some pretty close correlation to their costs (though I think it'll take 5 years or so before new ISP's begin rolling out nice routers which catalog bandwidth based on what time of day it is, etc.).
  • by spamania ( 633669 ) on Wednesday April 23, 2003 @11:05PM (#5796269)
    I just perused my TOS agreement with my DSL provider and three things struck me:

    1) Fortunately, my DSL provider (SBC) acknowledges and allows the use of routers to connect multiple home computers to a single DSL router.

    2) They disallow users to "forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Service." That means that, at least with SBC, reconfiguring your NAT routing device to not decrement the TTL on packets could constitute a breech of contract. YMMV.

    3) I could not find any clause prohibiting SBC from inspecting the contents of packets it handles. Theoretically then, in addition to considering the IP ids of received packets as mentioned in the sFlow article, your ISP could perform analysis of any unencrypted traffic from your ip. For instance, If you were playing Counterstrike and your housemate was surfing the web, traffic analysis of the packets originating from your ip could correctly identify the existence of multiple hosts.

    Obviously, such analysis would be computationally intense, and could not be performed on an ISP's entire customer base simultaneously, but as a random auditing tool, or a followup to previous suspicion, this type of analysis could be an effective tool for ISP's that wanted to outlaw multiple connections.

    That said, I agree with the countless comments to the effect that very few ISP's are going to actively pursue any of these measures; the costs seem to greatly outweigh the benefits. Imagine if my ISP did crack down on my four home computers behind my NAT router: I would still be capable of using the same amount of bandwidth with only one computer, I would be pissed off and looking for another provider, and most importantly, I couldn't give SBC any more money if I tried--it's not as though I can get multiple DSL accounts on the same phone number (and believe me, I certainly wouldn't let SBC charge more for "Platnum NAT Service").

  • by Indy1 ( 99447 ) <> on Wednesday April 23, 2003 @11:08PM (#5796285) Homepage
    " For every technology, there is equal and opposite hacker technology".

    In short, I am sure the open source community (the Openbsd guys and the linux netfilter team) have, or will shortly release mods to fill any nat detection gear. And i am sure the various nat box makers and rebadgers (linksys, netgear, etc) will soon have a tidy check mark with the text label next to it saying "Hide all computers from greedy isp and big brother government agency? (y/n) "
  • by BadBlood ( 134525 ) on Wednesday April 23, 2003 @11:38PM (#5796407)
    As someone on slashdot wrote before me, what about 1 singular PC connected to the internet running a couple of sessions of vmware?

    Perhaps it would appear to the outside world that there are more than 1 pc connected, but to prove it, they'd have to have physical access to your home.

    Pretty sure they won't get past me...
  • by Josuah ( 26407 ) on Wednesday April 23, 2003 @11:46PM (#5796431) Homepage
    A lot of the posters have been talking about how this technique would be used to prevent end-users from providing access to multiple machines in an attempt to charge more for bandwidth. But people who have read the actual paper will note this phrase: "Unauthorized NAT (Network Address Translation) devices can be a significant security problem."

    One purpose of this paper is to provide a tool that can address security concerns. And yes, NAT does make it more difficult to police the machines behind the NAT. One reason: "Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building."

    This paper never once talks about a problem where NAT users are going to eat up too much bandwidth. Another quote: "In this network the administrative policy is for host computers to be directly connected to the distribution switches, as is shown by Host C. Two hosts, A and B, are connected to the distribution switch through an illicit NAT router." Note the words "administrative policy".
  • by Anonymous Coward on Thursday April 24, 2003 @12:00AM (#5796476)
    Sure, it's not pretty, but if the ISPs decide to use it against us, we'll just have to use PROXY's. Linksys/DLink/NetGear/you name it will have an affordable Proxy appliance out before you know it.

    Let's face it- before the Cable Router was prevalent, everyone that wanted to share used a machine with (2) NICs. The people smart enough to figure it out will do that with Proxy's (or if you're not smart enough to think of that, now I just thought of it for you). Once the companies realize this is another cheap thing that they can do to make lots of $$$, they'll market an applicance cheap that will do it.

    Before the cable router, I used 2 NICs and WinRoute to NAT. Before that, 2 NICs and WinProxy to Proxy.

    The ISPs will realize that there is always a way around it, and that the trouble of detecting will cause them so much pain that ... well, they probably won't do it (if they're smart, which they aren't always...).

    My .02
  • Not All ISP's Care (Score:4, Informative)

    by Guido69 ( 513067 ) on Thursday April 24, 2003 @12:44AM (#5796629) Homepage
    I'm sure there are many ISP's throughout the world that don't really care if you've got a little Linksys router with a few PC's behind it. I found one today that encourages it.

    Black Hills Fibercom (in little Rapid City, SD). They offer phone, digital cable, and broadband. Called today on behalf of my Dad who is considering their broadband package. I asked about firewalls - they strongly recommend using one and will even help set up any of the major software firewalls during install. He then proceeded to recommend purchasing a NAT router for additional protection. I damn near fell out of my chair.

    We talked a bit about bandwidth and I brought up access for multiple PC's. He then said definately get a router or they would have to charge an additional (though nominal) fee for each additional IP. At that point, I did fall out of my chair.

    They won't support your home network nor will they help set up your router. They will, however, walk a user through disconnecting it during a support call if it's necessary for them to see their computer over the network to resolve an issue.

    Almost makes me wish I still lived there.
    • Well I have news for you buddy. I work as top level technical support for an ISP and we support any kind of situation that we are able to. NAT, real IPs network, wireless, etc. If we don't know how to configure a nat/router (or can't figure it out over the phone) we send them to the manufacturer.

      Hell one time I helped someone configure a DSL router from Netgear that terminated the dsl itself (not using a Cisco 67x or other products like Actiontecs). I didn't even know Netgear made these things. Of course I
  • by Anonymous Coward on Thursday April 24, 2003 @12:52AM (#5796660)
    I work for a small ISP in northern California. We don't have any policies against our users using NAT. We provide NAT routers to our ADSL customers and recommentd cable/dsl routers to our DSL customers on our older system. We also help our users setup ICS if they're running windows. We have sold systems running linux to our wireless customers.

    It's not that we care how many computers someone has behind these NAT devices. It's how much of the bandwidth they bought that they are using and how often they're using it.

    Our basic ADSL and wireless offerings are 384k/128k. If we had every user maxing out their connection all the time, then we'd have to charge more. Because we're in a remote area, we pay more for our T1 service. We have a T1 that runs about $1k per month and another about $1300 per month (special build for geographic diversity). If 4 of our ADSL or wireless users held their connection maxed out all the time, that would pretty much eat a whole T1. We have just over 300 broadband customers and about 600 dialup on two T1 lines with a third on the way.

    Our 384k/128k service is regulated and costs $49.95 per month. If every broadband user insisted on maxing out their connection 24/7, we'd have to charge broadband customers $250 per month just to break even on the T1 costs. That doesn't even count the overhead associated with staff and equipment.

    I'm sure there are ISP's out there that are all about the money. We try to be more about service and making sure our customers are happy. But we have to make a living too. I don't think the issue should be if you're using a NAT device or how many computers you have hooked up to it. As I said, we encourage it. I think the issue should be about usage. Sell 3 gig per month. Charge for data over that. (3 gig is a number I pulled out of my head)

    My point is, if the ISP is worried about usage, they should charge for that and not for how many computers are behind a NAT box.
  • Easy Windows Fix (Score:4, Interesting)

    by Winter ( 87716 ) on Thursday April 24, 2003 @01:06AM (#5796705)
    Since the method relies on knowing the default TTL, (128 for windows), just set the default TTL to something higher...

    In W2K:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Servic es\Tcpip\Parameters\DefaultTTL (DWORD)

    Just set to 129 if you have a NAT between your PC and the modem.

    This way all the packets seem to come directly from a Windows box, and you don't have the (potential) sideeffects of getting the NAT to change the TTL.
  • pointless (Score:3, Insightful)

    by g4dget ( 579145 ) on Thursday April 24, 2003 @01:27AM (#5796790)
    NAT devices or gateways decrement the TTL on packets that they forward.

    Well, they happen to do that right now, mostly because of historical accident. If bogus "NAT detectors" like this proliferate, people will simply move to user-mode NAT. That is, packets from network A are redirected to a user-mode process which then looks at them and sends out a request on network B, and the same in reverse. In that case, the packets sent from the NAT process onto network B are indistinguishable from the packets coming from any other user mode process because they were generated by a user mode process.

    The only thing ISPs can do to detect NAT is to look at traffic patterns and accusing you of, say, browsing too many web sites per second. That eventually just amounts to volume-based (or traffic-pattern-based) charges. Sure, they can do that, and they probably should, but at current prices, that's not going to affect you browsing the web from two machines.

  • by samantha ( 68231 ) on Thursday April 24, 2003 @05:09AM (#5797385) Homepage
    I pay for 384k bi-directional. Why is it anyone's business if I run a subnet in my home to tie my cluster together? I am still not getting any more bandwidth, I am simply subdividing the bandwidth among machines. Same argument holds for making the subnet wireless. What exactly is there to object to? What am I supposed to be ripping off?

    And when are we going to rise up and tell the greedy, small-minded busy-bodies to take a flying leap? I am beginning to think it isn't even about greed but more about control for the sake of control.

If it's not in the computer, it doesn't exist.