Comcast Gunning for NAT Users
phillymjs writes: "A co-worker of mine resigned today. His new job at Comcast: Hunting down 'abusers' of the service. More specifically, anyone using NAT to connect more than one computer to their cable modem to get Internet access -- whether or not you're running servers or violating any other Acceptable Use Policies. Comcast has an entire department dedicated to eradicating NAT users from their network. We knew this was coming since this Slashdot article from two months ago, but did anyone think they'd already be harassing people that are using nothing more than the bandwidth for which they are paying? It makes me very happy that my DSL kit arrived yesterday, and I'll be cancelling my Comcast cable modem early next week." Earthlink and Comcast have both been advertising lately their single-household, multi-computer services (and additional fees) -- probably amusing to many thousands of broadband-router owners, at least until the cable companies really crack down.
How exactly are they going to do this?? I mean NAT isn't really something you can look at. The same IP is being used, just by different systems behind the NAT server.
Does anyone have any info on exactly how they plan to do this?
How, pray tell, do they propose to determine whether a user has NAT?
How would they go about doing this, being that NAT makes all data coming in and out look as if it was coming from a single IP? They could try to look at bandwidth, but you could easily make the case that you were just downloading a lot from one pc. What practical techniques can be used to detect NAT, and what can be done to avoid them?
Brandon Tallent
How do you even detect NAT?
There's this, which describes a way to find webservers behind NAT, but what about the general case?
The whole point of NAT is to obscure and hide the internals of the network, the outside only sees ONE computer. The only possible thing they can look for are signatures (like all connections coming from a source port in the 60,000's range -- Linux defaults to this for ipchains IIRC), but these are adjustable of course, and in no way are proof of NAT being used.
I'd really like to know, since all the traffic comes from one MAC address. True, you'd need a properly configured firewall, but you should be able to make any Linux system look like a Windows one (hint: disable ports or use a reject policy in your iptables). It seems to me NAT is impossible to detect.
Can anyone with more 411 clarify?
Thanks
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
And exactly how are they going to detect this evil traffic? By monitoring the origination ports of the network traffic? Presumably they're going to look at the port numbers and go "hm, that number's different from the one a few minutes ago. Must be a NAT!"
If that's the case, then I encourage any Comcast customer who uses a single computer, who has the know-how, to write a script that generates arbitrary originating port numbers on all the traffic. That would rule.
-- Mojo Tooth : exploring our world as only an idiot can.
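The two signatures floated in this thread (the earlier post's "all connections from a source port in the 60,000's range" and this post's "that port number's different from the one a few minutes ago") can be written down as a scoring heuristic over flow records. The script below is an added example, not code from any poster; the port ranges are assumed defaults of the era and the flow records are constructed. As both posts point out, a hit is a hint, never proof, because every one of these ranges is adjustable by the admin.

```python
from collections import defaultdict

# Assumed default ephemeral ranges of the era; all tunable, so a match is a hint, not proof.
PORT_PROFILES = {
    "win-ephemeral": (1025, 5000),
    "linux-ephemeral": (32768, 60999),
    "ipchains-masq": (61000, 65095),
}

# Constructed flow records: (public_src_ip, src_port, dst_ip, dst_port).
FLOWS = [
    ("203.0.113.7", 1031, "198.51.100.10", 80),    # one Windows-style host
    ("203.0.113.7", 1040, "198.51.100.22", 443),
    ("203.0.113.8", 1045, "198.51.100.10", 80),    # Windows- and Linux-style
    ("203.0.113.8", 33210, "198.51.100.22", 443),  # ranges behind one address
    ("203.0.113.9", 61002, "198.51.100.10", 80),   # ipchains masquerade range
    ("203.0.113.9", 61003, "198.51.100.22", 443),
]

def classify_port(port):
    """Return the profile a source port falls in, or None if unclassified."""
    for name, (lo, hi) in PORT_PROFILES.items():
        if lo <= port <= hi:
            return name
    return None

def profiles_per_ip(flows):
    """Collect the set of port profiles each public address has used."""
    seen = defaultdict(set)
    for src_ip, src_port, _dst_ip, _dst_port in flows:
        profile = classify_port(src_port)
        if profile is not None:
            seen[src_ip].add(profile)
    return dict(seen)

def nat_indicators(flows):
    """Map each address with a NAT-like port signature to its reasons."""
    hits = {}
    for ip, profiles in profiles_per_ip(flows).items():
        reasons = []
        if "ipchains-masq" in profiles:            # the "60,000s" signature
            reasons.append("masq-range ports")
        if len(profiles - {"ipchains-masq"}) > 1:  # two stacks, one address
            reasons.append("mixed ephemeral ranges")
        if reasons:
            hits[ip] = reasons
    return hits

if __name__ == "__main__":
    for ip, reasons in sorted(nat_indicators(FLOWS).items()):
        print(ip, "->", ", ".join(reasons))
```

Run as-is it flags only the second and third addresses; the first, a lone host whose ports stay inside one range, is never reported, and a single host whose stack happens to use the masquerade range would be a false positive.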
So if someone has a few virtual machines on one box, does this count as more than one machine connected to the network?
"Your superior intellect is no match for our puny weapons!"