Slashdot Mirror


Comcast Gunning for NAT Users

phillymjs writes: "A co-worker of mine resigned today. His new job at Comcast: Hunting down 'abusers' of the service. More specifically, anyone using NAT to connect more than one computer to their cable modem to get Internet access, whether or not you're running servers or violating any other Acceptable Use Policies. Comcast has an entire department dedicated to eradicating NAT users from their network. We knew this was coming since this Slashdot article from two months ago, but did anyone think they'd already be harassing people that are using nothing more than the bandwidth for which they are paying? It makes me very happy that my DSL kit arrived yesterday, and I'll be cancelling my Comcast cable modem early next week." Earthlink and Comcast have both been advertising lately their single-household, multi-computer services (and additional fees) -- probably amusing to many thousands of broadband-router owners, at least until the cable companies really crack down.

6 of 979 comments

  1. Re:methods by sllort · Score: 5, Informative
    So, what are the methods they use, and how can I make it more difficult for them to tell if I have a machine running NAT?

    I don't know. But let me take a crack at guessing the methods which an ISP would use to detect NAT.
    • O/S Fingerprinting. First and foremost, narrow down your suspect list. Find all the Linux boxes; these will have a higher incidence of NAT because Linux actually packages this feature. Try to develop a fingerprint list for hardware based NAT appliances and any Windows application that can grant NAT ability.
    • TCP Sequence Numbers. Many TCP stacks (cough Windows cough) have a predictable or semi-predictable TCP Sequence Number pattern. Running multiple copies of one of these stacks (say, two 98 boxes) behind a NAT box would allow an intelligent heuristic to detect multiple TCP stacks. Most of NAT happens at the IP layer, so sequence numbers are not rewritten.
    • TCP Source port. NAT-P (it has a couple names) involves correlating inbound TCP packets to the appropriate local host by port, and then rewriting the port field. There is no attempt made to randomize this source port field selection and a clever heuristic could probably fingerprint it.

    i've probably dropped a few details here, so feel free to flame me with corrections. that aside, i can see a new open source project brewing: Stealth NAT. A NAT implementation that will rewrite TCP sequence numbers and randomize anything else that would give the impression that multiple machines were in use.

    they'll probably start by O/S fingerprinting the NAT enabled hardware gateways you can get at buy.com for $150.

  2. Re:And how do they propose to do this? by jandrese · Score: 5, Informative

    You know, that might actually work...if the MAC address were stored in the IP packet.

    Sheesh, I've seen MAC filtering mentioned 5 times already on this article. Maybe everyone should take a look at The anatomy of an IP packet.

    --

    I read the internet for the articles.
  3. How about SOCKS/ proxies? by cgleba · Score: 5, Informative

    One way around this is use a SOCKS & http proxies and have socks clients on all the computers. Granted it's a pain to set up and use but it's harder to detect:

    1) The TCP sequence number thingy is not a problem because your connection terminates at your proxy and then the proxy makes a connection out. All sequence numbers are that of the proxy.

    2) TTL is not an issue; the TTL will be that of the proxy.

    3) OS fingerprinting will not be a problem because the fingerprint will be that of the proxy.

    The only issue that I see is port #s -- there's something a little fishy about the number of high port numbers used and of course content-related stuff -- if a Javascript reports your IP.

    So thus your "stealth NAT" is just a SOCKS proxy. It's just a pain to set up...

  4. Re:methods by Frater+219 · Score: 5, Informative
    i've probably dropped a few details here, so feel free to flame me with corrections. that aside, i can see a new open source project brewing: Stealth NAT. A NAT implementation that will rewrite TCP sequence numbers and randomize anything else that would give the impression that multiple machines were in use.

    OpenBSD can actually already do this: it's called the modulate state directive to the pf packet filter. From what I can tell, it works under NAT and bridged filtering as well as straight routing-type filtering.

    Basically, what modulate state does is rewrite TCP initial sequence numbers using the same cryptographically strong randomness OpenBSD uses for its own sequence numbers. For more information, check out the "STATE MODULATION" section in the pf.conf manpage.
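    A minimal pf.conf showing the directive described above, as an added example that is not from the comment's author or from the OpenBSD project's documentation. It uses the OpenBSD 3.0-era syntax that the comment refers to; the interface names and the inside network are assumptions and must be changed to match the actual box.

```pf
# Assumed interface names: ne1 faces the cable modem, ne2 faces the inside LAN.
ext_if = "ne1"
int_if = "ne2"
# Assumed inside network.
lan = "192.168.1.0/24"

# Translate inside hosts to the outside interface's address.
nat on $ext_if from $lan to any -> $ext_if

# Rewrite the initial sequence number of every outbound TCP connection.
# pf then substitutes its own cryptographically strong ISN for whatever the
# originating stack chose, so a host with a weak ISN generator is no longer
# exposed to sequence prediction, and the upstream side sees one ISN style.
pass out on $ext_if proto tcp from any to any flags S/SA modulate state

# Only traffic that matches a tracked connection gets back in.
block in on $ext_if all
```

    The state entry created by "modulate state" is what lets replies through the final block rule, so no separate inbound pass rule is needed for the translated connections. Note that the rewrite only applies to TCP; UDP and ICMP flows are not touched.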

  5. Re:methods by pwagland · Score: 5, Informative
    Don't you just love it when someone has already done the hard work for you? This package was specifically written to fool O/S fingerprinting, at least at the smartness level of nmap anyway. Start to check the services, and then you can really work out what the box is....

    Note that this also lets your own computer impersonate an amiga :-)

  6. Re:they can try they wont win. by S.+Allen · Score: 5, Informative

    but they will never catch a single family dwelling doing it. the ONLY way to detect it is to watch bandwidth and look for 60-70 connections coming out of that cablemodem

    Sorry, but this is 100% wrong. My brother-in-law was running NAT on a Linux firewall at home with a few PCs behind it and MediaGeneral shut him down. How? They snooped the User-Agent in the HTTP headers. It gives away quite a lot of information. They basically called him up one day and said, "Hi, we see you're running 2 Linux boxes and a Windows box behind a NAT. This is against our TOS so either a) pay us more money, b) shut them down or c) we will disconnect your service."

    There are only a few ways around this and they all involve running a proxy server that can generate fake headers (like squid).

    Since there are also other ways of detecting NAT with multiple sources (many enumerated above), I suggest you also take other precautions. Harden your firewall. Drop ALL inbound traffic (UDP and TCP) unless it can be correlated (stateful firewalling). Learn more about your IP stack.

    And when they come for you, either lie with a real convincing story or pony up the $6.95/mo.
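    The passive heuristics sketched in comment 1 (OS fingerprinting via the IP TTL) and comment 6 (OS families leaking through the HTTP User-Agent header) are the same kind of check a network operator runs to find unauthorized routers on a managed network. The script below is an added example, not code from any of the commenters or from any ISP; it works over constructed packet records (TTL plus an optional User-Agent) rather than a live capture, and the initial-TTL table and User-Agent tokens are the usual rules of thumb, not a fingerprint database.

```python
"""Passive "more than one host behind this address" heuristics.

Constructed example: packet records as an operator at the network edge
(or a corporate network monitor hunting unauthorized routers) might log them.
Only the IP TTL and an HTTP User-Agent header are used; no packet capture.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ttl: int                    # IP TTL as observed at the edge
    user_agent: Optional[str]   # HTTP User-Agent carried in the packet, if any


# Initial TTLs used by common stacks: 64 (Linux, BSD, macOS), 128 (Windows),
# 255 (some network gear). Rule of thumb, not a complete fingerprint table.
INITIAL_TTLS = (64, 128, 255)

# Crude User-Agent token -> OS family mapping (assumption for the example).
UA_FAMILIES = (("Windows", "windows"), ("Linux", "linux"), ("Macintosh", "mac"))


def infer_initial_ttl(ttl: int) -> Optional[int]:
    """Round an observed TTL up to the nearest common initial value."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    return None  # TTL above 255 cannot occur in a valid IP header


def os_from_user_agent(ua: Optional[str]) -> Optional[str]:
    """OS family guessed from the User-Agent; None if no header was present."""
    if ua is None:
        return None
    for token, family in UA_FAMILIES:
        if token in ua:
            return family
    return "unknown"


def estimate_hosts(packets: List[Packet]) -> Tuple[int, List[str]]:
    """Return (estimated number of hosts, list of evidence strings)."""
    ttl_profiles: Counter = Counter()   # keyed by (initial TTL, hops lost before the edge)
    ua_families: Counter = Counter()
    for p in packets:
        init = infer_initial_ttl(p.ttl)
        if init is not None:
            ttl_profiles[(init, init - p.ttl)] += 1
        family = os_from_user_agent(p.user_agent)
        if family is not None:
            ua_families[family] += 1

    evidence = []
    if len(ttl_profiles) > 1:
        evidence.append(f"{len(ttl_profiles)} distinct TTL profiles: {sorted(ttl_profiles)}")
    if len(ua_families) > 1:
        evidence.append(f"{len(ua_families)} OS families in User-Agent headers: {sorted(ua_families)}")
    # If every flow has already lost a hop, something decremented the TTL
    # before the edge: a router sits between the hosts and the monitor.
    if ttl_profiles and all(hops >= 1 for (_, hops) in ttl_profiles):
        evidence.append("every flow has already lost a hop: a router sits in front of the hosts")
    estimate = max(len(ttl_profiles), len(ua_families), 1)
    return estimate, evidence


# Constructed traffic: a Linux box and a Windows box behind a home router
# (each packet's TTL has been decremented once by that router).
NAT_SAMPLE = [
    Packet(63, "Mozilla/5.0 (X11; Linux i686) Gecko"),
    Packet(127, "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"),
    Packet(63, None),   # non-HTTP flow from the Linux box
    Packet(127, "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"),
]

# Constructed traffic: one Windows box plugged straight into the modem.
SINGLE_HOST_SAMPLE = [
    Packet(128, "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"),
    Packet(128, None),
]

if __name__ == "__main__":
    for name, sample in (("NAT", NAT_SAMPLE), ("single host", SINGLE_HOST_SAMPLE)):
        count, why = estimate_hosts(sample)
        print(f"{name}: estimated {count} host(s)")
        for line in why:
            print("  -", line)
```

    The hop-loss check has to be calibrated to where the monitor actually sits: a collector several routers upstream sees every customer's packets with hops lost, so only the TTL and User-Agent diversity signals remain useful there. Comment 3's observation also shows up directly in this code: traffic leaving through a single proxy carries one TTL profile and, if the proxy rewrites headers, one User-Agent family, so the estimate collapses to 1 and the evidence list comes back empty.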