Slashdot Mirror
Comcast Gunning for NAT Users
phillymjs writes: "A co-worker of mine resigned today. His new job at Comcast: Hunting down 'abusers' of the service. More specifically, anyone using NAT to connect more than one computer to their cable modem to get Internet access- whether or not you're running servers or violating any other Acceptable Use Policies. Comcast has an entire department dedicated to eradicating NAT users from their network. We knew this was coming since this Slashdot article from two months ago, but did anyone think they'd already be harassing people that are using nothing more than the bandwidth for which they are paying? It makes me very happy that my DSL kit arrived yesterday, and I'll be cancelling my Comcast cable modem early next week." Earthlink and Comcast have both been advertising lately their single-household, multi-computer services (and additional fees) -- probably amusing to many thousands of broadband-router owners, at least until the cable companies really crack down.
Adelphia has it as part of their service agreement that you can have multiple devices on the network and the cable modem install techs will actually configure your linksys router for you when you sign up for the service.
If you choose not to decide, you still have made a choice. RUSH
If you don't like it, don't sign up. If you try to cheat on the policy with your l33tness and get caught, don't complain.
Look, I have my Road Runner connected to a firewall that routes my internal machine to it. Therefore I have more than one machine (technically) hooked up to Road Runner.
The firewall uses NAT for my internal box. My firewall is a custom Linux box I setup myself, but I imagine any firewall would behave similarly.
If they're basically saying you have to have just the one machine directly connected to their service...they're saying YOU ARE NOT ALLOWED TO RUN A FIREWALL.
How can they possibly suggest that I'm NOT ALLOWED to run a firewall? Especially seeing as how the freaking cable networks some of the worst offenders on portscans etc...
Freaking morons.
I don't know. But let me take a crack at guessing the methods which an ISP would use to detect NAT.
i've probably dropped a few details here, so feel free to flame me with corrections. that aside, i can see a new open source project brewing: Stealth NAT. A NAT implementation that will rewrite TCP sequence numbers and randomize anything else that would give the impression that multiple machines were in use.
they'll probably start by O/S fingerprinting the NAT enabled hardware gateways you can get at buy.com for $150.
You know, that might actually work...if the MAC address were stored in the IP packet.
Sheesh, I've seen MAC filtering mentioned 5 times already on this article. Maybe everyone should take a look at The anatomy of an IP packet.
I read the internet for the articles.
My service was bought by Comcast so I am now one of their subscirbers. First the sent a letter with a broken CD that said run the CD by the end of the year of lose internet access. I got this in the mail as I was leaving for Christmas vacation and wasn't going to be back until January. No explaination of what was on the CD or the settings that need to be changed for email and whatever else. I also recieved a new email address that I will never remember. And when I got back, I got a letter informing me that due to all the new services (I'm not sure what those are) my rates are going up!
And now this? If they call me about my router (unless the kittens are surfing while I'm at work, I'm the only one that uses the access), I need to find another provider. Anybody have any recommendatiosn for a provider in the Detroit area?
One way around this is use a SOCKS & http proxies and have socks clients on all the computers. Granted it's a pain to set up and use but it's harder to detect:
..
1) The TCP sequence number thingy is not a problem because your connection terminates at your proxy and then the proxy makes a connection out. All seuquence numbers are that of the proxy.
2) TTL is not an issue; the TTL will be that of the proxy.
3) OS fingerprinting will not be a problem because the fingerprint will be that of the proxy.
The only issue that I see is is port #s -- there's somthing a little fishy about the number of high port numbers used and of course content-relted stuff -- if a Javascript reports your IP.
So thus your "stealth NAT" is just a SOCKS proxy. It's just a pain to set up. .
OpenBSD can actually already do this: it's called the modulate state directive to the pf packet filter. From what I can tell, it works under NAT and bridged filtering as well as straight routing-type filtering.
Basically, what modulate state does is rewrite TCP initial sequence numbers using the same cryptographically strong randomness OpenBSD uses for its own sequence numbers. For more information, check out the "STATE MODULATION" section in the pf.conf manpage.
Note that this also lets your own computer impersonate an amiga :-)
MAC addresses don't stay the same across IP routing. When a gateway forwards a packet, the source MAC address is the address of the gateway's interface, and the destination address, if the destination host is not directly on that network, is the next gateway's MAC address.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
You could do the same abuse with less elegant solutions than NAT. Simply running a simple Proxy server for your neighbors would provide them access. Only 1 machine is on the Internet, the rest aren't. Hell, if you are running MS's busted proxy, the rest don't even need TCP/IP, they could run IPX/SPX. (Lousy program, NEAT configuration options, I never want to go near it again...)...
Myself, I have a $90/month DSL connection. Why? If I need to get a VNC connection through the VPN to a work machine, I want the 384K uplink.
We have a NAT box with wireless, and technically, 4 computers there. I live with my fiancee. She web browses from her iBook, and I work from home on the weekends. We barely use the bandwidth.
However, I pay the premium so it is there when I need it.
Ban NAT and I lose Wireless. If that is the case, I drop DSL. I can't run Wires all over my apartment, so I use Wireless to send the signals around.
Find the abusers, by all means. However, leave those of us that don't abuse it alone.
Alex
but they will never catch a single family dwelling doing it. the ONLY way to detect it is to watch bandwidth and look for 60-70 connections coming out of that cablemodem
Sorry, but this is 100% wrong. My brother-in-law was running NAT on a Linux firewall at home with a few PC's behind it and MediaGeneral shut him down. How? They snooped the User-Agent in the HTTP headers. It gives away quite a lot of information. They basically called him up one day and said, "Hi, we see you're running 2 Linux boxes and a Windows box behind a NAT. This is against our TOS so either a) pay us more money, b) shut them down or c) we will disconnect your service.
There are only a few ways around this and they all involve running a proxy server that can generate fake headers (like squid).
Since there are also other ways of detecting NAT with multiple sources (many enumerated above), I suggest you also take other precautions. Harden your firewall. Drop ALL inbound traffic (UDP and TCP) unless it can be correllated (stateful firewalling). Learn more about your IP stack.
And when they come for you, either lie with a real convincing story or pony up the $6.95/mo.