Remotely Counting Machines Behind A NAT Box
Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the
Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."
For 'the man' to stick it you, and your wallet...
this sucks ... I hope that a simpler way comes down the pipe for iptables users soon
members are seeing something, you're seeing an ad
Can Linux fool these snoopers? Can it be changed to fool them?
Now I'm going to have to go back to being pissed that I had to do this, right when I got used to having it there and was fine with it now that I was safe.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.
There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.
sin(6cos(r)+5A)
so that you have two firewalls back2back and the other boxes behind it? It's a bit extreme, but worth it if your cable company is composed of jackasses.
Most users just want web access, and this technique doesn't work on proxies.
You can't judge a book by the way it wears its hair.
5 -- Via the traditional finger point, coupled with the ever-popular audible counter increment
4 -- Thermal image detection scan
3 -- Utilize the same finger pointing mentioned in 5, but avoid the audible count as an enhanced privacy measure
2 -- Avoid counting and caring about counting altogether; continue browsing Slashdot
1 -- Call the dude with the NAT box and ask him!
Free tech news & blogging for life -- *nix.org
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
I am already using |Cable Modem| - |Netgear Router| - |Linux Firewall| - |clients| and maybe that's still not enough.
Now I've gotta go on the Lam again!
Brendan
What about when I put a NAT machine behind a NAT machine? ;-)
This is similar to the paketto suite. That allowed pinging behind a NAT wall.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
"Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."
Yeah, that pretty much sucks. There may be a silver lining, though. The more crap these ISPs pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking. "Sure, go ahead and set up a wireless LAN in your complex. We'll even let you pay to increase your bandwidth to accommodate all those users! Tell them that for $5 a month, they can each get a mail account or some other fairly interesting service."
...respect to all interested parties, it's a shame to see all this brain power wasted for unimportant things such as stealing from your ISP or enforcing such a rule.
It's my darn account and I should be able to do whatever with it.
Sheesh.
Why is it a big deal for some company (broadband provider) whose ToS contract up-front says only X number of machines can use this connection or else additional fees apply to expect their customers to comply with the terms of their contract?
If you want 10 machines to share an internet connection, sign up with a company which doesn't care or charge for how many computers share the connection OR pay for the additional machines for ISPs who do.
It's interesting to note that this would only ID the number of machines behind NAT boxes -- not those using proxy servers (a la squid). At least from what I read...
-jhon
the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...
...which will, of course, result in their attempts to find more onerous legal solutions to the problem.
I say - let the games begin!
Everyone will start to cheer when you put on your sailin' shoes.
Well, this sucks. Looks like I'll be flashing my Router soon...
All those single-computer use clauses are evil anyway. A DSL line gives you X bandwidth, so X bandwidth is what you use, regardless of how many machines you multiplex it to. Arbitrary fees for extra machines behind the connection are just more ways to rape^H^H^H^Hmilk the customer.
-ZOD-
The method described decodes packets from the NAT, using the IP header's ID field (which is normally a simple counter) to determine number of nodes behind the NAT. (Find X distinct ID field chains, that is the number of PCs...)
:)
However:
Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.
Hurray for Linux...
All of you can give me a big blowjob, you sons of a big black whore :)
Please allow me to express the sentiment of most if not all home network users, as well as that of the companies that make routers for home use:
Thanks a lot Steve you PRICK!
"Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."
Crap! Now I have to worry about my internet conn
At one time the telephone monopoly measured ringer current to locate "unauthorized" telephones that customers would (gasp!) install without consulting Bell. People installed phones anyway.
Once everyone has many devices with IP addresses on their home LAN, there is no way the ISPs can keep up. Just ignore this.
This could be bad for those like me who run a few machines where you're supposed to only run 1. This could really stink.
I would think NAT producing companies would be quick as the company who figures out another way, gets the market.
Maybe someone can fill us in.
Sigs are bad for your health.
My friend says he has a couple of machines, though.
from .PDF ...
"many locations are connected to the Internet by means of NAT (Network Address Translator) [1] boxes.
field is used only for fragment reassembly (see below),"
Most use a simple counter for ipid... except *bsd
If we're clever we can work out how many hosts there are by watching the ipid field change... except for *bsd.
Someone'll patch the linux kernel with a pseudo-random ipid field real soon now, I bet.
Our technique is based on the observation...that the "id" field in the IP header is generally implemented as a simple counter
Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.
So my FreeBSD will look like thousands of PCs? LOL, that sure would piss the cable company off.
I'll have something intelligent to add one of these days...
I find it especially interesting that this method works best on home users and small businesses. Interesting and frustrating.
"Slashdotted in 30 comments or less!"
Yes I know it was offtopic, but still.
Any html file around instead of pdf? I just hate pdf files...
does that mean no Beowulf clusters? crud...
-You're wasting your time. Alfador only likes me.
`Cuz if it is, strictly speaking, there is only one computer connected to the ISP's network.
there goes my home beowulf cluster!
I can already imagine conversations like this:
ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accessing the net through our service, while the contract only allows you one!
Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
ISP: arglllll
I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.
Ash nazg durbatulûk, ash nazg gimbatul
ash nazg thrakatulûk, agh burzum-ishi krimpatul.
http://216.239.57.100/search?q=cache:QZA0opGpxtwC:www.research.att.com/~smb/papers/fnat.pdf+&hl=en&ie=UTF-8
google cache of the article.
Counting boxes is done using the "id" field in the IP header. The id field is relatively unique to each datagram sent between two hosts and is used to reassemble datagram fragments. This scheme depends on the observation that most IP stacks keep this field unique by just incrementing a counter for each datagram. By examining the id field of each packet coming from a NAT box and finding trends in the values you can tell how many boxes are behind the NAT. Each trend you can identify is another box hiding behind the NAT.
But as the article states:
We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.
So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).
Never approach a vast undertaking with a half-vast plan.
The presentation is here.
Since the site is /.'ed, there's a cached copy of the HTML of the paper itself available here.
It's already here: SpeakEasy.
Their TOS explicitly states:
"Speakeasy believes in the right of the individual to publish information they feel is important to the world via the Internet. Unlike many ISP's, Speakeasy allows customers to run servers (web, mail, etc.) over their Internet connections, use hubs, and share networks in multiple locations."
Anyone going to post a copy of the article then?
Let us quickly slashdot the server before those "friendly" ISPs get the information and use it to count our machines.
guru in training
After reading the document (something that is rarely done among posters), it appears to me that this wouldn't be TERRIBLY hard to fix. The different machines are recognized by the sequences of IPids that are generated for the packets that are sent out. This field must be unique for each packet with the same protocol, destination, and source. This prevents the NAT from simply mangling the number in the field, making it impossible to track the number of machines.
Someone correct me if I'm wrong, but it seems to me that iptables could be updated to change the IPid of outgoing packets to a single sequence and just keep a table of old ids -> new ids. When necessary, it performs the translation. So basically it acts as a two way filter, packets behind the NAT will all have the correct id, packets beyond it will all appear as a single sequence. Would this work?
In case this gets /.-ed (like it won't =| )...
http://www.public.asu.edu/~jmellen/fnat.pdf. Have at it!!
Producer: NEXT!!
Ralph Wiggum: Chicken necks
There must be some way to make it so that an ISP doing this kind of analysis becomes a DMCA violation of the customer. Any ideas?
It probably annoys the telcos to no end that a connection can be shared - they are more used to the "telephone" model, where there is one line going into the house and if 2 people want to have separate converations then they need two lines.
Contrast that with a high speed connection that can been shared with a bazillion users.
I'm guessing they are not as concerned with people who are running more than one machine at home - the precedent has been set already with telephone extensions, cable TV and satellite TV.
I know of at least one person that is sharing his connection with 5 houses on his block via 802.11, which is a fair chunk of high speed connections that could be sold, and more than likely these are the people they are trying to find.
My prediction - they will either give up once netgear, linksys et al. release rom patches to prevent this, or they will try start charging on a "by data" basis.
This is of course doomed to failure, because the only purpose for a high speed connection is for sharing [censored by the RIAA and MPAA] across the net, and any attempts to change their pricing to this model will be met by massive consumer outcry.
as one of the Top Ten Questions to Kevin Mitnick? :)
Hack the box and ARP!!!
On OpenBSD and FreeBSD, however:
A keyed generator, as is used in OpenBSD and FreeBSD, provides some protection, but one needs to be careful to avoid duplication if the generator is rekeyed periodically.
the article states that openbsd and freebsd are not entirely affected (or at least make it really hard). This is because openbsd's pf has the ability to randomize this field in an effort to prevent a thing just like this from happening.
now who's gonna tell me bsd is dead?
There's every possibility the ISPs and cable companies already know about this. Why do you think they would tell us? This is the same tired argument used to justify security through obscurity...it's specious.
I say, thank you Steve for making me aware of this. Now I have the option to take action, as do the companies that make these home networking devices.
Where is this "here" you speak of?
" the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win..."
Well that depends. Are your financial pockets bigger than their financial pockets? Remember we're not talking cold war US vs USSR here, where it was "Who ran out of money?" instead of "My technology is bigger than yours."
Don't you mean single-user-license?
Because in Germany most ISPs don't prohibit using multiple clients if they are used by one person.
Yeah... from Verizon's access policy [http://www2.verizon.net/policies/agreement.asp], section 2.5.b: "You may connect multiple computers/devices within a single home or office location to your DSL modem and/or router to access the Service, but only through a single DSL account and a single IP address obtained from Verizon Online."
Have you thought for yourself today?
http://216.239.57.100/search?q=cache:QZA0opGpxtwC:www.research.att.com/~smb/papers/fnat.pdf+&hl=en&ie=UTF-8
AT&T couldn't handle the /.ing
is lying in the ...
openbsd-pseudo-random number generating packet filterrrrrrrrr
/* oops I accidentally made a comment, sorry */
Is there any snort rules for this? If so I can configure guardian.pl to block the offending host.
Might work.
Your karma whoring is getting pretty damn annoying.
Who'd have guessed that we could Slashdot AT&T?
I never thought much of the Slashdot effect but, now I have to start wondering.
I'll pipe up with the others here & say that Speakeasy has been great for me for about 3 years now - periodically I'm tempted to save the $10-20 per month & go to some other ISP, but I just can't do it.
He could have not published publically......
All my previous sigs now look like this one; I wish they were permanently recorded when used.
As long as you're sure that packets from your NATed PCs aren't fragmented, the fix is quite easy. You just need to rewrite the ipid of your outgoing packets with an internal counter; as you already need to rewrite IP and port of all outgoing packets, this isn't a problem. The no-fragmentation requirement shouldn't be a problem either. You could also fix that problem by rewriting only the ipids of unfragmented packets, which should be at least 95% of all outgoing packets in common NAT. This should be enough to confuse that analysis technique.
Jan
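The chain-counting idea described a few posts up (one incrementing IPid sequence per host) and the counter-rewriting fix proposed here and in the iptables post above, modelled as an added example; this is not code from Bellovin's paper or from any NAT implementation, and the hosts, their starting counters and the packet interleaving are constructed. It also shows why a pseudo-random IPid generator, as on OpenBSD/FreeBSD, inflates the count instead of hiding it.

```python
"""Toy model of IPid-chain host counting and the NAT-side counter rewrite
that defeats it. Added example, not code from Bellovin's paper or any NAT;
hosts, counters and traffic below are constructed."""
import random
from dataclasses import dataclass

IPID_MOD = 1 << 16  # the IP header ID field is 16 bits wide


@dataclass
class Packet:
    seq: int             # arrival order as seen outside the NAT
    ipid: int            # IP header ID field
    atomic: bool = True  # True if the datagram is not fragmented


def count_ipid_chains(packets, max_gap=20):
    """Count increasing IPid chains; each is taken to be one host with a
    simple counter. A packet joins the chain whose last IPid it most
    closely follows (gap 1..max_gap mod 2^16), else it starts a new chain."""
    last_ids = []  # last IPid seen in each chain
    for p in sorted(packets, key=lambda p: p.seq):
        best, best_gap = None, None
        for i, last in enumerate(last_ids):
            gap = (p.ipid - last) % IPID_MOD
            if 1 <= gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            last_ids.append(p.ipid)
        else:
            last_ids[best] = p.ipid
    return len(last_ids)


def constructed_traffic(start_ids, packets_per_host=60, seed=1):
    """Interleaved packets from hosts that each use an incrementing counter
    starting at the given (constructed) values."""
    rng = random.Random(seed)
    owners = [h for h in range(len(start_ids)) for _ in range(packets_per_host)]
    rng.shuffle(owners)
    counters = list(start_ids)
    out = []
    for seq, h in enumerate(owners):
        out.append(Packet(seq, counters[h]))
        counters[h] = (counters[h] + 1) % IPID_MOD
    return out


def constructed_random_ipid_traffic(n=100, seed=2):
    """One host whose stack draws IPids from a pseudo-random generator."""
    rng = random.Random(seed)
    return [Packet(seq, rng.randrange(IPID_MOD)) for seq in range(n)]


class IpidRewritingNat:
    """Rewrite outbound IPids into a single sequence and keep a reverse
    table so a returning ICMP error or fragment can be mapped back."""

    def __init__(self):
        self.counter = 0
        self.table = {}  # rewritten IPid -> original IPid

    def outbound(self, p):
        if not p.atomic:
            return p  # leave fragments untouched so reassembly still works
        new_id = self.counter
        self.counter = (self.counter + 1) % IPID_MOD
        self.table[new_id] = p.ipid
        return Packet(p.seq, new_id, p.atomic)

    def original_ipid(self, rewritten_id):
        return self.table.get(rewritten_id)


def nat_rewrite(packets):
    """Pass all packets through one rewriting NAT in arrival order."""
    nat = IpidRewritingNat()
    return [nat.outbound(p) for p in sorted(packets, key=lambda p: p.seq)]


if __name__ == "__main__":
    sample = constructed_traffic([1000, 20000, 40000])
    print("hosts seen, plain NAT:     ", count_ipid_chains(sample))
    print("hosts seen, rewriting NAT: ", count_ipid_chains(nat_rewrite(sample)))
    print("hosts seen, random IPids:  ",
          count_ipid_chains(constructed_random_ipid_traffic()))
```

With the three constructed hosts the observer counts three chains; after the rewrite it counts one, and the single random-IPid host shows up as dozens of "hosts", which is the inflation the FreeBSD posters are joking about.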
Sure, we all know that IPV6 will soon be in every home. Until that happens, do we really want to be doling out real addresses to people? If my provider said I couldn't NAT anymore, I'd probably spring for the addresses one way or the other, but is that really the solution?
When I signed up, I signed up for a certain amount of bandwidth. Whether or not that bandwidth is really mine or shared is often unclear to the customer at the time of purchase. It shouldn't matter how many machines I use to eat that bandwidth. I'd prefer a bandwidth guarantee, even if it was less than I take advantage of now, over a loss of ability to NAT.
Goddammit, you are a whore.
No, the article says it can count how many machines are accessing the Internet from behind the NAT.
Even random is random. My nick, too.
I doubt that too many ISP's will expend the resources that would be required to do this analysis for everybody on their network.
If my ISP has the time and resources to implement this then I am paying too much for my service.
It would be silly to expend a lot of time and effort for something that can be circumvented by a sophisticated user.
two firewalls in a row...
pf, the stateful firewall / packet filter for OpenBSD since 3.0 should throw the NAT detection out the window.
While most operating systems increment the IPID, OpenBSD uses a pseudo-random number generator. (And the paper mentions that FreeBSD does this, too, and it causes problems for their method.) pf can substitute the prng IPID for the incremental id from your lamo-OS (if the packet passes through a rule with the modulate state command).
Consequently, checking for variations in IP will be fruitless, because all computers behind pf (not just OBSD and FBSD) will have prng'd IPID's.
Troll Like a Champion Today
According to their FAQ, AT&T lets you connect "four additional computers" to your cable modem.
I'm thinking that even for Slashdot readers, five computers in the house with broadband internet will be sufficient.
Read it here:
Connect Multiple Computers to the AT&T Broadband Internet Service
This paper describes a sampling mechanism. If you take a look at the graphs, they are gathering the IP sequence numbers over a long period of time (60 to 75 minutes.)
I fail to see how this can scale. Will a cable ISP with 10,000 customers really want to spend a year to check for compliance?
The article also states that Intranet traffic can also screw up the results. A simple background process that pings other machines on the network at random intervals should be enough to screw up the sampling mechanism.
Of course this is a non-issue to those of us who use OpenBSD's OpenPF NAT with the modulate state option.
Not that my geek friendly DSL provider (DSLi) could care less.
History does not bode well for the broadband providers on this. If one recalls back in the day, the Telco (Ma Bell/AT&T) used to tack on an additional charge for every actual receiver (that you were forced to rent from them) on the phone line. For those who know POTS (plain old telephone system), an extension can be added by just tapping a wire onto the existing wire in the house. However when Ma Bell got broken up in the 70s(?) I believe they did away with this foofah, and you paid for the telephone *service*.
CATV (cable) used to be the same way.. you had to pay extra for each TV. And then they stopped doing that and you paid for *service* of the signal.
Now here is where it gets tricky: unlike POTS and analog CATV, where the line is hot or it's not (so to speak), with broadband you actually have discrete data you are passing around. This should be the *service*. However it could end up being a pay-as-you-go service (bad for the users, good for the money grubbers) or a limited-throughput 'unlimited' service (which is mostly how it is now). Currently I don't see a metered usage model flying right now and this is why:
Everyone that adopted broadband early wanted it (and could get it) got it. Dialup services are cheap and unlimited. If you start charging for broadband based on usage you aren't very attractive to those people you want to take away from dialup who are complacent and will cope with what they have. A metered service is (in consumers' minds) *NOT* a better value than an unmetered service.
As we know there is a mega glut of fiber, broadband should be getting cheaper rather than more expensive.. but that's another article. It's going to be hard to justify metering people when there is so much capacity unused. (Hopefully supply and demand will work out here.)
Now this is what is going to happen: when a critical mass of people stop using dialup, and then modems stop coming standard in computers, and then the broadband guys think they have a captive audience, they will get everyone in the cartel on board and raise rates and meter usage. What's worse is that they will claim there is a lack of long haul bandwidth, which probably won't be true, because as the broadband market picks up they will still be doing expansion of the network because of the expectation of even larger amounts of growth.
Conclusion: this is probably good for the short term, *VERY* bad for the long term.
PS the document was spell checked for those with delicate constitutions.
Our expert system has detected that you are sharing a single connection with 4,179 computers.
Sigs are bad for your health.
"There are still providers that limit you to only one computer per connection?"
more google... beyond the PDF
There's a neat program called nmap that uses this "bug" in TCP/IP stacks to do a blind portscan using predictable IPid sequences.
http://www.insecure.org/nmap/idlescan.html
explains it. Basically, you forge scan packets with the "zombie" host's return address. Then you probe the zombie host. The response of the host you're trying to attack will cause the IPID field on the zombie host to get incremented different amounts depending on whether the port is opened or closed (1 if it's open, 2 if it's closed). You can see this by sending a SYN/ACK packet to the zombie host and checking the response. Pretty clever.
I don't understand why ISP's care how many boxes are connected behind a firewall. All of the services in my area give you a fixed amount of bandwidth, including the cable companies who cap. I get 1.5 Mbps downstream/256k upstream through my DSL provider and it shouldn't matter if I have 1 computer or 10 computers sharing that connection. My contract does prohibit sharing the connection among multiple computers, but the installer said that they only use the provision when somebody is abusing the connection, e.g., reselling.
Oops.. hit submit too fast on last one..
article
I see you can't stop whoring for karma.
How do you earn your real life money?
don't use this patch - it will break your system. rtfm if you want to know why (small tip: random != unique).
:)
just download the grsecurity.net patches and everything should be fine
The cable company can't tell when my cable modem is visible on the network.
And now suddenly they're counting machines behind it?
This is sounding like fantasy and science fiction to me.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I enjoyed telling the cable people to screw off. They charged me in advance of services rendered (!) and every time a legislated rate decrease was passed, they would somehow have an increase in operating costs that exceeded it (so rates would go up anyway).
But then I went to DirecTV, and it felt good to not be the hostage of the cable company... until I realized I was still a hostage.
I do have DSL, but we finally booted DirecTV. It was just too much money every month. I tried calling customer service to see if I could step down to a more economical package (maybe with the 10-15 channels I actually watch) but they told me I was already at the lowest level (which has seemingly hundreds of channels). The infuriating part: when I called to cancel they said I could switch to a cheaper package with less channels.
But anyway, this is about IP addresses and NAT; couldn't we have a kernel/netfilter module that will resequence all outgoing packets consecutively and reverse on the return?
-Fzz
My ISP has always had the ability to determine a lot more about my home network than I wanted them to.
By examining HTTP headers originating from my house, they'd see activity from Galeon, Internet Explorer, Mozilla, and Safari.
The HTTP headers also show that I'm running Linux on an Intel box, a Mac, and OS 9 and OS X.
Too late to get scared.
I got a small fright, till I realized that the Surfboard modem my cable provider lets me lease *thanx!* has built in DHCP Server. I found this out from a classmate who was a cable installer. They bitch at me, I say I am just using my connection to the extent of its capabilities offered..
I'm a little tea pot.
"They dont like us and there's a good reason"
Yes, they hate giving us what we pay for.
1.5 down 128 up. I'm paying for it. I'm using it.
Tough titties if they promised something they can't deliver.
Why should an ISP care about the number of computers using a connection behind a NAT? All the ISP should care about is the amount of bandwidth the connection uses. If a user wants 20 computers connected to a single broadband connection with NAT, and finds the Internet access too slow, then the ISP should just offer higher bandwidth at a different price.
Let the user decide how he or she wants to balance the number of computers running through the broadband connection versus how much money the person is willing to spend on the connection.
They do not charge for an extra machine, they charge for the extra IP.
It seems like they would have to probe (invade) private equipment to determine the amount of machines behind the NAT. Is that even legal?
the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...
...which will, of course, result in their attempts to find more onerous legal solutions to the problem.
I say - let the games begin!
It's people who want streaming audio and video, or massive file sharing. Power users just want to be able to download the data they need, when they need it, without a long wait. I don't say this to put down people who do streaming - I use it too, sometimes. But a power user probably consumes an order of magnitude less bandwidth than a user who has the connection primarily to do streaming media. Personally, I'm exquisitely happy with my broadband DSL connection, and with my ISP (speakeasy).
:'}
My main worry right now is that Congress will kill my ISP by fiat, and I'll be forced to buy service from a baby bell again.
Why would the telco suddenly be able to impose a different standard on data communications? Just because an AT&T engineer has proposed some (time consuming) method to do something doesn't mean it will be done. A similar attitude about POTS is what got mighty Ma Bell busted lo these many years ago...
Taking this one stumble farther, I note that there is only one "computer" attached physically to the BellSouth DSL line: a little cheap Linksys router, which, having a processor & some flash ROM, qualifies as a "computer." Other computers do not connect directly to the DSL line, they connect to that router.
Any telco/ISP that "cracks down" on home networking this way is just plain stupid & needs to go back to the mandatory customer service training workshops! In fact, that's where our dear AT&T engineer needs to be this very afternoon. It's the corporate equivalent of Chinese water torture!
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
I never had a problem with that sort of thing. My ISP already allows only one IP address per (cable) line. I got around this by buying another NIC card and just used Internet connection sharing to get the other computers going through a nice fancy chain of servers/clients. Not sure if this thing they're talking about hits around this or not though.
This argument is only valid for DSL, however I think the cable companies should be hauled into court for false advertising.
In my experience, when I get DSL I am paying for a particular guaranteed bandwidth to my ISP. How many machines I choose to hook up to that is purely my business, provided I am not running a neighborhood LAN (fair enough) because the contract is per address.
What an ISP does not like is the fact that their "model" of what you should be doing tends to get blown away by multiple machines. They may not like this, but thats too bad. If you are going to promise bandwidth, then that is what you should deliver. If you don't, it's false advertising. It is a bit like the RIAA because they do not want to adopt methods that give them public relations headaches (ie. they do not like admitting their true intentions) such as:
"Guaranteed 650kbs (so long as you only use it less than 2hr out of every day)"
As a side note, I remember reading the contract for my ISP stating that excessive up/downloading was grounds for termination of service. However there was no definition for this term and nobody at the company seemed to have a good idea of what this was. Put simply, if I did use enough bandwidth downloading Linux distros 20 times a week and they terminated me I could sue them. Frankly I am surprised their lawyers allowed that one to get out the door.
If all else fails, use Slirp. Slirp is a simple ppp 'proxy' service originally intended to turn a shell account into a ppp account (back in the old days). Since it works by replicating the client's socket operations based on the ppp stream, to the outside world, it's just another app running on a single box (or several apps running on a single box for that matter).
The catch is, if you want a listening socket, you'll have to proxy it through ssh since Slirp can't know about those through a normal ppp session.
you completely forgot the obvious:
#2 ... count underpants of hosts behind NAT firewall ... ??? ... PROFIT !
#3
#4
Isn't this how Mitnick spoofed Shimomura's machines, by guessing the next IPID and forging the correct response packet?
So by randomizing your IPID's, you can get a more secure network for free....
Did anyone else notice that one of the other presentations at Internet Measurement Workshop 2002 was Provisioning On-line Games: A Traffic Analysis of a Busy Counter-Strike Server.?
Now THAT is what I call research. I'm not being sarcastic either.
It may get an Ig Nobel nomination though.
For those of you who want to complain that ISPs are going to track you down and charge you double for violating their "multiple machine" policies, let me give you a little hint.
Call them.
Don't call customer service and ask for a supervisor; consult some SEC, BBB, or your state's Department of Corporation records and get the corporate phone number. Get the name of a VP of customer service or other appropriate officer, call, and ask for them. Call early in the morning, early in the week. You'll probably leave a message with voice mail or an assistant. Be extremely professional and let them know how they are making you a dissatisfied customer. I would say 70% of the time, you will get big results. I fought over a $150 bill which was incorrect with customer service for over 6 months, and got it wiped with 1 call to the VP of customer service (huge company). He actually called back and was quite shocked and apologetic that his staff was giving customers this kind of runaround. In another dispute that had gone on with customer service for well over a year, after calling the president and CEO I immediately received callbacks from numerous individuals who actually listened, and worked with me.
the dude's opinion might be unpopular here, but it _is_ true. -1 troll is just dumb
I don't know about you, but I consider my NAT router to be an "Access control device".
I have 2 servers, 10 pcs and 1 notebook. Now tell me again what is sufficient.
---
IMHO, of course.
May the SOURCE be with you.
That is a different number. The number we are talking about is the IP fragment id. You are talking about initial TCP sequence numbers. They are completely different things.
Working for the cable company, I can tell you right now that you being charged for services previous to us giving them to you is nothing new. The movie theater does it every time you go see Star Wars Trek Space Flight XXVII. This would be a bad thing if you were not refunded the difference (the term our customer service reps throw around is 'prorate'. I highly suggest you look it up.) It's a common practice for a lot of different service providers, though it's admittedly a holdover from another time and place (an age when things like telephone calls were made over twisted pairs of copper wire stretching miles! Miles!) I'm not advocating one way or another, I'm simply saying that you're taking it a bit too seriously when you're expressing shock(!) or surprise(!) at it.
I think the "modulate state" only applies to TCP sequence numbers and not the IPid.
because it's simply not a reliable way of counting machines ...
...
...
first there are several kernels out there that can randomize the IPid field - even winXP
second, running multiple OSes inside VMWare sessions on a single machine will have the same effect described in this paper
this paper is a lot of noise for no big deal
"Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."
Why would a provider prefer to lease me an additional IP for five bucks when they can lease it to a new customer for over forty bucks?
This assumes that IPs are scarce.
The race isn't always to the swift... but that's the way to bet!
This is of course going to be a problem. Most cable/DSL providers have dropped their one computer requirement, preferring instead to just refuse to support home network setups.
On the other hand, this technology may make especially the cable companies start looking for a way to charge extra for home networks, since before now it was assumed it was difficult or impossible to detect how many computers are connected to a NAT device. In other words, they now have a way to enforce the one computer per line requirements that we know they all want, since they would love to sell us IP addresses for 7 dollars each per month.
Oh well by the time this could possibly affect me I will no longer have a need of CommunistCast's services. Any implementation of this combined with charging for additional computers would send tens of thousands of customers away in search of cheap solutions. For the same 50 bucks a month, 10-20 homes can share a T1 on a community wireless system. T1 lines can be had for less than 500 a month as long as they are being resold.
Let's look at how various operating systems handle the IP ID counter:
1. Linux 2.4.x -- Zeroes out the IP ID field when the DF bit is set. Otherwise it does a pseudo random number on a per session basis. There are patches to make it more similar to *BSD functionality, but either method defeats the idle scan and most likely this NAT scan.
2. OpenBSD uses a 16 bit linear congruential pseudorandom generator.
3. FreeBSD, later versions use exactly what OpenBSD uses.
4. Most other Unix machines use a simple counter, as do most versions of Windows. (I have only looked at older versions of NT with regards to this.)
It would be rather trivial to change an IP masquerading box to alter the IP ID field for the seriously paranoid.
-Gwizdak.
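A sketch of the counting itself, as an added example written for this page (it is not the paper's code and is simplified: the gap threshold, the idle timer and the sample captures below are all constructed). Hosts that use a plain per-packet counter, as the list above says most Windows and older Unix stacks do, emit rising IPID sequences; a NAT box that passes the field through therefore exposes several interleaved counters, and grouping the observed IDs into rising strings gives a host estimate. The same run shows why the other stacks listed spoil it: a randomized IPID shows up as dozens of phantom hosts, and a zeroed IPID carries nothing to count.

```python
"""Added example: IPID-string clustering over packets seen leaving a NAT box.
Not the paper's code; thresholds and sample captures are constructed."""
from dataclasses import dataclass
import random

ID_SPACE = 1 << 16   # the IPv4 Identification field is 16 bits
MAX_GAP = 50         # constructed: max counter advance between two sightings of one host
IDLE_LIMIT = 20.0    # constructed: seconds of silence before a string is closed


@dataclass
class IdString:
    """One rising run of IDs, presumed to be one counter-based host."""
    last_id: int
    last_seen: float
    count: int = 1


def forward_gap(prev: int, cur: int) -> int:
    """Upward distance from prev to cur modulo 2**16 (counters wrap)."""
    return (cur - prev) % ID_SPACE


def count_hosts(observations):
    """observations: iterable of (timestamp_seconds, ipid) in arrival order.
    Returns (estimated_hosts, zero_ids_skipped)."""
    open_strings, closed, zeros = [], 0, 0
    for t, ipid in observations:
        if ipid == 0:
            zeros += 1            # Linux DF packets: no counter information at all
            continue
        # close strings that have gone quiet
        live = []
        for s in open_strings:
            if t - s.last_seen > IDLE_LIMIT:
                closed += 1
            else:
                live.append(s)
        open_strings = live
        # attach to the string whose counter this ID most plausibly continues
        best, best_gap = None, None
        for s in open_strings:
            g = forward_gap(s.last_id, ipid)
            if 1 <= g <= MAX_GAP and (best_gap is None or g < best_gap):
                best, best_gap = s, g
        if best is None:
            open_strings.append(IdString(ipid, t))
        else:
            best.last_id, best.last_seen, best.count = ipid, t, best.count + 1
    return closed + len(open_strings), zeros


# ---- constructed sample captures ---------------------------------------
def counter_host(start, n, t0, period):
    """A stack with a simple incrementing IPID (NT / older Unix style)."""
    return [(t0 + i * period, (start + i) % ID_SPACE) for i in range(n)]


def random_host(n, t0, period, seed):
    """A stack with a randomized IPID (OpenBSD style)."""
    rng = random.Random(seed)
    return [(t0 + i * period, rng.randrange(1, ID_SPACE)) for i in range(n)]


def merged(*streams):
    return sorted((p for s in streams for p in s), key=lambda p: p[0])


# two counter-based hosts interleaved behind one NAT
COUNTER_ONLY = merged(counter_host(1000, 30, 0.0, 0.7), counter_host(40000, 30, 0.2, 0.9))
# the same two hosts plus one host with a randomized IPID
WITH_RANDOM = merged(COUNTER_ONLY, random_host(30, 0.1, 0.8, seed=7))

if __name__ == "__main__":
    print("counter hosts only:", count_hosts(COUNTER_ONLY))   # 2 strings
    print("plus a random-IPID host:", count_hosts(WITH_RANDOM))  # dozens of strings
```

The second run is the point several posters make further down: a single host with a randomized IPID does not hide, it inflates the count, which is only "better" for the subscriber if the ISP is not looking at the result. The expiry timer matters too; without it a long capture lets unrelated runs chain together.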
Under most situations I have encountered, an ISP is more concerned with the number of IP addresses they need to supply than with the number of machines on your connection. Having 1 or 100 machines behind a router causes little difference to your internet connection and the strain on the ISP compared with someone who leaves Kazaa running. The major concern with most ISPs is the number of addresses they have to lease in order to provide for their customers. I currently work for an ISP that provides 2 IP addresses and extras are about $5.00 a month. If you have a router, we won't support your network setup, but we do allow you to have a router with as many devices as you see fit. Your monthly bandwidth may become an issue if you have too many machines on one connection. If that's the case, however, you should be using more than one connection anyway. Most of you are home users with a Linux box and a couple of PCs and would use the same bandwidth if you only had one PC. I wouldn't stress too hard about ISPs scanning your NAT box to see how many machines you have in there, since it's the number of public IPs they have to own that is the biggest concern.
Isn't this the same story that was up last week? Some AT&T researcher figured out how to make master keys. So now they're just using them to open your door, and count your machines, right?
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
I got the Vorizon DSL ad on this page.
My original Mediaone cable modem contract stated that, but the AT&T contract is a bit more ambiguous. Essentially, it say that it isn't supported unless you pay for it (which is just fine with me - I don't need their support unless the line goes down).
Several DSL providers explicitly prohibited NAT translation when I was considering that as an option, all routing through either Qwest or Covad (the only providers left in my area). I'm not sure if that was because of Qwest/Covad policies, or the actual ISP policies, though. I never considered either seriously because they had expensive, slow connections compared to my old DSL & ISP, Northpoint + PhoenixDSL (Qwest still has slower connections than Northpoint + Phoenix, and nearly 4 years have passed since Phoenix sold out and Northpoint went bankrupt - so what does that tell you?).
If the cable company calls me up and says, "We have discovered that you have more than one computer on your connection..." My reply, "Oh, shit someone hacked my wireless router." Click. Old7
he is karma whoring BIG time. Look at his post history.
here's one.
Seems a little arbitrary, but they're small fry. let's go bigger:
here's another.
I think this bit applies to the question at hand (emphasis is mine):
How does this imply that you can't share a DSL connection? OTOH, it explicitly says that sharing a connection is OK.
however, if we look to AT&T DSL TOS, they are somewhat more restrictive:
A little tougher, but it doesn't actually rule out connection-sharing entirely- just requires that AT&T grant you permission, right? So they must have a process for granting the approval, and a list of approved equipment.
Since I'm bored today, I called them up. I pointed the nice lady at their TOS, section 8(a), and asked if she could provide me with a list of AT&T approved equipment, and/or the approval process for home networking. She put me on hold for a bit. When she came back, she told me that AT&T DSL is not the same as AT&T WORLDnet DSL, and I had the wrong phone number- but WORLDnet doesn't allow any kind of connection sharing- and she'd happily transfer me to the REAL AT&T. The second phone monkey had no idea what I was talking about- ditto the 3rd. Neither of them could understand why I would want to ask questions about their TOS if they couldn't even deliver service to my residence. The fourth phone monkey told me that they don't support any kind of multiple connection, and that the "grant you permission" line is in the contract for things like automated security systems that call the police department when someone breaks into your house.
So. Score: SBC +1 (but -1 for their stupid 'frames' patent), AT&T 0. Interesting article, but since I'm on SBC, I won't be changing my NAT settings...
Humpty Dumpty was pushed.
Hint them you may cancel the account if they don't do what you want.
Always works for me.
Something tells me that it is going to be ridiculously easy to circumvent this with OpenBSD's pf.
Please correct me if I got my facts wrong.
Right now the technology is brand new. Within a few days or weeks, most free OS's will have a decent, well-documented solution to this "problem". It'll take MONTHS for a vendor to develop and market a product that cable companies will use to track down TOS violators (or maybe "TOS Pirates", that sounds catchy).
I've made such graphics myself too with tcpdump, perl and gnuplot: Network Graphs
Jurgen Kobierczynski
Where is the causal link that establishes that multiple counts of ID fields indicates multiple machines? What if my ONE machine is just running my own TCP stack, which I refuse to go into detail to unless they'd like to sign my NDA?
....it works both ways. If the fcc says one IP, and the isp cuts you off, they ain't the cops. They've broken the contract in theory and can be sued. If they are smart they would ask first, if they just cut off the service I think they might be liable prettyquickly, but really, contracts have fine print for a reason.
In contract law, every single teeny tiny word and clause has an exact defined definition. what IS *A* computer? Anyone could-in theory anyway and this is how I would address it if challenged- maintain their home LAN constituted a cluster, and as such was just a single distributed model style computer. I don't think there's a description of what a single computer looks like or how it's configured in most peoples net connect contracts. At least I've never seen one besides microsofts EULA with cpu count and etc.
Stop bashing the *BSDs!
I have Cablevision's Optimum Online, and I definitely don't pay $59 a year. More like $49 a month. Obviously, speeds are the same as you. In any case, OOL are very anal about servers. They do portscan, and those who have a buttload of open ports are "watched", (mostly P2P users) and those "watched" users can't upload some magical amount of data before they are capped down to 1megabit/150kilobit.
After reading the entire PDF file, I can say that if they successfully pull it off, more power to 'em.
Ligaguinggligagiggagoogoogwillgo
1) The 16-bit Identification value in the header is only used when the sender (the NAT box) MUST fragment the packet due to packet size restrictions on the route. The ID is used by the receiver to keep track of all incoming fragments. When it sees the MF flag as zero on the last fragment, it then assembles all fragments with common IDs. Fragmentation order is managed by the 13-bit fragment offset counter.
2) For all packets that come in under the MTU, the NAT box can safely change the ID to zero (unless the originating OS is checking this value... I don't think it is.)
3) For packets that HAVE to be fragmented, just re-assign a random number as the ID.
Seems like a simple fix to me... BTW, you can read RFC791 at http://www.faqs.org/rfcs/rfc791.html - Eddy_D
- I stole your sig.
won't that make it appear as if you have hundreds of users connected?
My company allows multiple users, but strictly denies the right to run your own ISP.
You can't judge a book by the way it wears its hair.
This only leaves the case of packets that arrive at the NAT box pre-fragmented. Not much to do there but keep track of the fragmented packet in one way, or another -- much of the code currently used to re-assemble fragmented packets could probably be used here. The obvious (though slightly problematic) solution would be to always de-fragment outgoing packets.
Once a NAT box is always generating IPids for outgoing packets, it should become difficult, if not impossible to use IPids to identify different boxes behind the NAT. The method of generation is (IMHO) irrelevant.
Randomization only becomes an issue if the NAT box is one of many behind a second-level NAT. Of course, if the second-level NAT is using the same policy, this issue (once again) goes away.
____
In the case of the prime target of this method, (the small business/home user), fragmentation shouldn't be a problem, should it??? I expect it would be relatively rare for the network behind the NAT of such an entity to be so complex that fragmentation would be realistically necessary.
OS Software is like love: The best way to make it grow is to give it away.
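Eddy_D's proposal above, together with the follow-up that every fragment of one pre-fragmented datagram has to leave with the same rewritten ID, as an added example in Python. It is not code from the paper, from any poster, or from any real NAT implementation. The policy it implements: a DF packet can never be fragmented, so its ID is zeroed; anything else gets a fresh random ID per datagram, with fragments of one datagram sharing theirs via a table. It assumes the rewrite runs on the packet before source translation, so the table key still holds the inside host's address; the header builder and the sample packets are constructed.

```python
"""Added example: IPID rewriting on a NAT box.  Not from the paper, any
poster or any real NAT; the packet builder and sample packets are constructed."""
import ipaddress
import random
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum
    of the 16-bit words.  IHL*4 is always even, so no padding is needed."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ident, df=False, mf=False, frag_off=0, proto=6, payload=b""):
    """Constructed 20-byte IPv4 header (no options) plus payload."""
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ipid_of(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[4:6])[0]


def header_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0   # a correct header sums to 0xFFFF


class IpidRewriter:
    """Rewrites the Identification field of outbound packets on the inside
    (pre-translation) side of a NAT, so that nothing about the originating
    host's counter survives onto the wire."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.fragment_ids = {}   # (inside src, dst, proto, original id) -> new id

    def rewrite(self, pkt: bytes) -> bytes:
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_frag = struct.unpack("!HH", pkt[4:8])
        df = bool(flags_frag & 0x4000)
        mf = bool(flags_frag & 0x2000)
        frag_off = flags_frag & 0x1FFF
        if df:
            new_id = 0                          # never fragmented: ID is meaningless
        elif mf or frag_off:
            key = (pkt[12:16], pkt[16:20], pkt[9], ident)
            new_id = self.fragment_ids.get(key)
            if new_id is None:                  # first fragment of this datagram seen
                new_id = self.fragment_ids[key] = self.rng.randrange(1, 1 << 16)
            # A real implementation would expire entries on a timer; fragments may
            # arrive in any order, so the last one cannot simply delete the mapping.
        else:
            new_id = self.rng.randrange(1, 1 << 16)   # may still be fragmented downstream
        hdr = bytearray(pkt[:ihl])
        hdr[4:6] = struct.pack("!H", new_id)
        hdr[10:12] = b"\x00\x00"                # zero the checksum before recomputing
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + pkt[ihl:]


if __name__ == "__main__":
    rw = IpidRewriter(seed=1)
    inside, outside = "192.168.1.10", "203.0.113.5"   # constructed addresses
    frag1 = build_ipv4(inside, outside, 777, mf=True, frag_off=0, payload=b"a" * 8)
    frag2 = build_ipv4(inside, outside, 777, mf=False, frag_off=1, payload=b"b" * 8)
    out1, out2 = rw.rewrite(frag1), rw.rewrite(frag2)
    print("fragments keep a common rewritten id:", ipid_of(out1) == ipid_of(out2))
    print("DF packet id becomes", ipid_of(rw.rewrite(build_ipv4(inside, outside, 1, df=True))))
```

One deliberate departure from point 2 of the proposal: an unfragmented packet without DF is given a random ID here, not zero. A router further along the path may still fragment it, and RFC 791 reassembly at the receiver relies on distinct IDs per <source, destination, protocol> for datagrams in flight, so a constant zero on all such packets from one NAT would let fragments of different datagrams be reassembled together. Only DF packets can safely carry a constant.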
Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field. Some versions of Solaris use separate sequence number spaces for each <source, destination, protocol> triple, to avoid fragment collisions from busy hosts. All of these complicate (and to some extent block) the analysis.
So it's only the OTHER OSes which this can be done with, so it doesn't matter anyway. Your ISP is screwed.
You tried your best, & you failed miserably,
The lesson is:
Never Try
ATT dsl (at&t) is fine with you setting up a home network but they won't give any tech support/info (hint: it's DHCP but won't work with random IPs and a router, so you must enter a static IP, which is basically any random IP assigned to you at the moment you set up your router). They honestly don't enforce the IP license expirations, so you are basically given a static IP. My setup has worked fine now for a month since I got my router even though my IP was supposed to expire 4 times during that month. If they catch you with an open telnet, ftp or http port they cancel your account; even NetBIOS over TCP/IP is forbidden (only a fool would enable it anyway). But for $39.99 a month nothing beats att dsl except Optimum Online in my area, and I can't get Optimum since I live in an apartment building and they refuse to support not only my building but the entire complex of buildings around mine. I get 650 down 320 up or around that, day or night, so I'm fairly happy. Verizon caps upload speeds in the 150-190 range and Earthlink is both expensive and sucky. Now if only att would get rid of their shitty SpeedStream modems (they burn out; I've gone through 2 already in the 3 months I've had dsl).
My ISP doesn't care how many machines I have on my side of the cable modem. They will give me a maximum of eight IP addresses if I let my systems talk directly to the cable modem. My ISP actively promotes the use of NAT boxes in order to help provide better security for the customers and to decrease the demand for IP addresses.
All they care about is that I pay my bill online, that I don't exceed my bandwidth allowance, and I don't share my connection with other people (ie: run my own ISP).
Boobies never hurt anyone. - Sherry Glaser.
I'm wondering how hard it would be to configure a Linux box to generate all of the necessary traffic to make the number of machines *appear* to the cable company to be ludicrously high... like a few hundred or a thousand machines. Let's see them try to bill you extra for THAT with a straight face (kinda reminds me of my $32,000 Y2K water bill, actually).
The ISPs could also try checking all the TTLs (time to live) of the packets.
Many routers don't set this value to be one specific value, and multiple computers have multiple TTLs. Thus, it is an excellent indication of multiple computers.
Also, if you happen to be using Linux kernel 2.4, netfilter nat modules happen to change the TTL to one certain value.
--agenthh
It was the happy side effect from addressing another problem. The other problem being operating systems with shitty TCP stack implementations (*cough* Windows) that choose initial sequence numbers that weren't exactly random.
What happens when you pick an easily guessed sequence number? Somebody comes along and hijacks your connection.
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
I suspect the techniques discussed in that paper have been used for quite a while by AT&T, but they have been rather secretive about it.
About nine months ago I got into a bit of a sticky situation at work. One of our clients was running three PCs behind a NAT we installed. The DSL provider shut them off repeatedly for having "more than one machine per connection"
Mind you, this was AT&T business-class SDSL. Static IP, 768k/768k. They were certainly paying enough for it.
I talked to the ISP. The very rude and condescending rep told me they have software that can detect multiple machines behind a NAT, and that the customer had been warned and disconnected multiple times for it.
(No, we didn't take responsibility, because the customer didn't inform us the contract precluded NAT usage)
I asked the rep how they could detect this. The rep didn't know but said it was something called Option 82. I'm assuming this is DHCP Option 82, Routed Bridge Encapsulation. I don't see where RBE has anything to do with this, unless they were using it to sniff the connection between the NAT and the DSL router.
I once worked on a website that was behind a NAT. Basically all the web and mail servers lived in RFC1918 IP space so they could save money on IPs. I'm not kidding. They had like 200 servers and 4 IP addresses.
they had other reasons for doing it, like they were able to pretend it made their site secure, but they were adamantly convinced that their architecture was the best way to run a site.
I can't think of why you'd care to count how many servers they had, and they were running mostly FreeBSD so this wouldn't have worked anyway, but there's no absolute rule for "everyone who uses NAT uses it the way I do."
"Mister Potato-head --MISTER POTATO-HEAD! Backdoors are not secrets!" (War Games, 1983)
what is the difference to sharing the bandwidth amongst several computers, or multiple internet applications on the same computer? I don't see what.. linux is multi-user.. run VNC and have everyone surfin' the web in your home off your linux machine.. what is the difference??
What, they are looking at my packets? I'll have you know those packets ARE original works of digital art created by little old ME. As such you, they, them are breaking the law by looking at my packets, or telling others how to look at them or making equipment that will let others look at them.
We should sue AT&T and the authors for publishing the report on how to do it, and any provider even reading it. (note to self: check with RIAA on how to file suit)
I call this, turn about is fair play !!!!! in a World full of GREEDY MORONS
No really, AT&T used to charge for the number of phones on a line; that was blown out of the water long ago. Also, the LAST thing my cable company wants to do is piss me or you as a subscriber off. I left out DSL users, due to the reality that the phone company has already pissed you off to start with, and they can't afford to lose DSL customers, or more than they are now.
As another poster stated "Now days misery not only loves company but demands it" and I'll add "and misery returns the favor back to the originator" - By: Barry Ethridge
.....Don't Get Mad, Don't Get Even, Up The Ante.....
"No, I don't have multiple machines, don't you know that your software won't work with BSD..."
You could also do stuff like force all web requests through a proxy, so that all http requests are made by a single machine.
OTOH, the technique makes for yet another tool to be used when spelunking for potential holes into a firewall.
"Everything is adjustable, provided you have the right tools"
If it's examining fragments, maybe this would work:
...but at least my ISP couldn't tell I was running NAT for multiple PCs. :)
iptables -A INPUT -i eth+ -f -j DROP
But that's only for incoming, so maybe you'd need one for outgoing too.
At the moment I have the above rule running on my firewall, and I haven't experienced any problems; perhaps if I set a similar rule for the OUTPUT chain I'd have difficulty making outbound connections.
Paul Russell (ipchains author) described this kind of technique, and at least some countermeasures, about three years ago. I heard him verbally describe it, and I'm fairly sure it's in a FAQ somewhere.
Ok,
Just did a Sprint DSL install this morning and here are some interesting facts from Sprint here in FLA, who use PPPoE routers, before in software, now in hardware.
The new Sprint routers hand out 10 dynamic IPs if plugged into a hub or switch. Pretty decent of them. And the new router has the PPPoE in hardware.
However, I went to the install with a Gigafast DSL router, which is also a 4 port 10/100 switch, plus does PPPoE as well.
I pulled the Sprint router off, entered my PPPoE settings in the router/switch and boom.
It will route up to 253 machines.
Makes a nice home job as SOHO. 50 bucks from new egg.
http://www.newegg.com/app/ViewProduct.asp?s
Puto
The Revolution Will Not Be Televised
Sure, this could be used to count the number of machines behind broadband customers connections. The fact is, though, that it probably won't.
As you know, broadband service providers make money by assuming not everyone is using 100% of their bandwidth all the time. The only way they'll care as to whether you have multiple machines is if you use too much bandwidth. And even then, they'll probably only disconnect you for using too much bandwidth, and not having a shared connection.
I'm sure they won't give up a $50/month source of revenue because Joe has his mom's computer connected to a NAT box. Now, if Joe's mom was running a public FTP server...
if(!toilet_paper) roll.replace(new roll);
I asked Comcast about multiple computers and they didn't mind... they just wouldn't give me support when the router is plugged in (i.e. whenever the thing takes a crap, I have to plug it into a PC directly).
I found a nice old computer with 2 NICs and iptables is a sweet router.
--------
Free your mind.
I've often thought that the same companies who are selling me cat food that makes my cats crap a whole heck of a lot more than they need to, and makes it stink a whole heck of a lot more than it needs to, and makes them eat a whole heck of a lot more than they need to, are also selling me kitty litter that lasts a whole lot less than it can, covers odor a whole lot less than it can, and absorbs less than it can.
My point is that I'm sure a lot of these companies, ISPs and hardware manufacturers, probably have money in both ventures and they need to be exposed. My provider, AT&T, seems to have no problem with home networks as long as you use hardware purchased from them; that's bull.
Selling you access to a network, while preventing you from having a network, is absolutely bull.
At least with some cable providers, service is billed month to month, no contract, so it's easy enough to cancel and get a provider who is just that, a provider, and is not all up in my business at home.
They _should_ make this capability built in all the DSL and cable modems anyhow.
Sig: Please try to keep posts on topic. Sure, but which topic?
http://www.grsecurity.net/features.php
This is a must-have patch if you're running Linux 2.4.x
Mark Wahlberg in "The Big Hit"
The article is using Path MTU discovery as an example of DF packets (which were ignored by their analysis anyway). It's not clear to me why they even mention Linux setting the IPid field to 0 in a DF packet, since it's not applicable to their analysis (and, by definition, the IPid field is meaningless in a DF packet anyway).
Since the vast majority of packets are not DF, this really doesn't qualify as scoring another one for linux.
Hmmmm, this little module lets one configure how you want the IP header ID generated, among a bunch of other options to hide identity. Why not just work this into iptables, PF, IPF and no worries about NAT ID'ing.
Well, this comment is going to be so far down that most people wont see it, but I'll try it anyways.
The method described is only one method to count hosts behind a NAT box. Just think how much fun your ISP could have if they utilized a passive nmap-like system. Just by analyzing the traffic, they can tell what OS created the packets, among other things.
That said, there are ways around this already in the wild. OpenBSD's PacketFilter (PF) has a "modulate state" keyword that would solve your problem nicely. That tells PF to essentially rewrite the packets, primarily to give them the benefit of OpenBSD's random sequence numbers, but it will also stop any other analysis of the packets.
Of course, that still leaves the possibility of them checking your surfing habits. However, that would be not only incredibly intrusive, but quite difficult for them to do on a large scale. Besides, if it ever happens, and they say they saw your firewall making connections to 12 different websites at the same time, just tell them it was all from your one machine, and there's nothing they can do to refute it.
Of course, I'm not concerned about this in the least. I'm using Earthlink broadband, who happen to care about customer privacy more than any other. I certainly didn't hear of any other ISPs giving the US government the finger when they wanted to install Carnivore.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Rebooting every 3 minutes should give them the impression that there are multiple id sequences too! :))
"In mathematics, it's not enough to read the words -- you have to hear the music"
When you sign up with an ISP, you're paying for a certain amount of bandwidth on that connection.
Whether you have 1 computer, or 20 computers using that connection, it doesn't matter. The upstream provider should only be worried about whether you are exceeding your bandwidth agreement.
Limiting connections to one computer is like the power company saying you can only have so many devices plugged in at once. It's a draconian and stupid attempt to get more money out of people.
The day my ISP bitches about me using NAT is the day I switch ISPs.
If someone is routinely monitoring your IP packets like that, how is it different from routinely monitoring your phone calls? Why doesn't this have to be done by a law enforcement agency, with a warrant in hand? Why isn't this covered under the same legal umbrella that affirms our right to have extension telephones? (You might not remember Bell charging monthly for each phone, available only under lease, but I do.)
We should be allowed to have NAT for the same reason we are allowed to have phones, and if the provider has a problem with that, they need to take a hike. Sniffing for this is unquestionably in bad taste, and it is also a violation of my civil rights.
-fb Everything not expressly forbidden is now mandatory.
Read the article. There is no problem with linux. All they can do is tell you're using that box as a NAT (possibly) they can't count anything behind a linux box.
Is it just me or are the comments from "PDF Posts" absolutely the worst?
Not true. For at least a couple years now the SonicWall firewall has the option to randomize the IP ID.
Then I doubt we really have to worry about it. Cable providers are generally *very cheap* and not terribly competent. (though they do have some competent people working for them)
But this looks easy enough to take care of by adding and properly configuring Squid. Besides, at that point *only one machine* will be accessing the Internet through their service, precisely meeting the letter of the TOS.
The living have better things to do than to continue hating the dead.
Hmm, 99% of my LAN's Internet traffic goes through my caching and filtering web proxy, so it would look like there was only one machine anyway. What little traffic doesn't go through the proxy is probably too scattered to detect a noticeable trend. And as someone else mentioned, iptables might have to reassign the IPIDs to prevent collisions anyway. Maybe we'll get random IPIDs like FreeBSD, too :-) In my case, they might be better off looking at TTL, window size, and all the other stuff nmap uses to detect different OSes.
The ocean parts and the meteors come down
Laid out in amber, baby.
I had hacked into the system using the most boring schemes (dictionary attack on /etc/passwd while I had temporary access), but was just hanging around playing rogue most of the time. I happened to notice the cool way that the mail program made the headers editable, by making it seem like you just typed them in. I thought, hmmm, I bet there's a security flaw here.
Sure enough, it turned out that it was relatively easy to use this feature (TIOCSTI) to "take over" somebody else's terminal. (Granted, you did have to have write permission on their terminal device, but everybody left those on for chat-type programs.) There was a bug in 4.1BSD that made it easy to make somebody else's terminal the "control terminal" for your process.
I happened to send an email to Bellovin mentioning there was a security flaw and was he interested in hearing it. He said "do tell!" in what seemed like a snide way (although it's hard to tell in an email). So I took over his terminal and emailed him a few of his private files. Heh, heh, heh.
It only occurred to me a couple of years ago that this was ironic since he became a big security guru in the mean time. I wonder if I had anything to do with that?
NAT your NAT, meaning run two gateways back to back, or since we are talking mostly soho LANs run IPV6 on your inside LAN and an IPV6-IPV4 gateway on your NAT box.
Hide your lan through the masq, and double bonus you get to protect it with the filtering. -n
http://www.remix.net/
It will detect my Amiga with 2 network cards running both AmigaOS and MacOS simultaneously (using a network card each) as two computers incorrectly.
Those damn cops shot Iggy w/ a submachine gun because they thought I was growing pot! Damn them!
You can't judge a book by the way it wears its hair.
This Internet Connection Sharing thing you're talking about, my friend, is what is called NAT - Network Address Translation. It is often referred to as the way to connect more than one host through a single IP connection, as the one you have (and most domestic users have). The document here talks about a way to trace those users which are using a single connection to 'share' to more than one host, and how the ISPs could use it to put an end to their contract with you in case they detect this. I know most users do this, and I don't understand why ISPs prohibit this behavior, beyond economical reasons.
Articulos para gente geek: Poleras, linux, libros y mas
France and Germany prove the old maxim "If you owe someone a thousand dollars, you have a problem. If you owe someone a billion dollars, they have a problem."
What if some home networking company came out with a cheap proxy server like device to stand directly before the NAT device. Perhaps with say some ROM for OS/Proxy software, and 256 MB RAM (expandable) to act as a virtual disk for storing cached content... would be nice.
Computers --> NAT--> Proxy--> Internet
Think it would solve this?
Secondly, it would be a real convenient device. I would want one, provided it were affordable.
...just explain how those additional MAC addresses belong to a bank of ethernet printers.
So the simple Solution is to run box with 2 NICs (one to a broadband connection, one to a hub/switch) and have it run a proxy server. All the traffic will originate from one machine and be routed to each box via the proxy, eliminating this lovely tracking scheme. Hoooray!
The biggest problem I see with charging per computer (besides the arguable unethicalness) is that really, even I don't know how many computers I have connected all the time. At any given time on my home network I'll have as few as 2 (usually) but as many as 7 or 8. Should I have to pay for 8 licenses when I'm only going to be using 2 or 3 most of the time? I hope not... and if I do, I would probably drop my cable service.
We recently discussed this paper here at UNC-CH because one of our graduate students went to IMW. Something that came up was that they didn't actually get any real data for this experiment. So although the paper's content is sound, it should still be verified before it is taken as a feasible approach.
It would be better (compared to randomizing) if the sequence of IPids for a single machine were chosen to masquerade as N independent counting values. This would fool them into thinking that you have N machines connected, when in fact you only have one! They'd only have to be fooled by this technique a couple of times before they gave up the technique entirely.
Well, any ISP that enforces such limits on their "Unlimited Internet" service isn't your friend.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Well, then suddenly SBC doesn't seem like such a group of bozos. Multiple computers does not necessarily equal higher BW. For me, when my daughter comes home from college, my BW usage spikes. Now if I have 2 computers connected or 1 computer, it doesn't matter, the cause of the BW usage is not a function of the number of computers.
And I don't like your phrase 'bandwidth hogs' anyway. Either commit to a level of BW or an amount of data to transfer, or don't bitch about a subset of users using more than 'their share'. To me, it sounds like a fitness club owner complaining about some of the members who actually come in and use the equipment! The nerve! And they stay for hours too!
If you are charged per KB, then charge your users per KB. McDonalds doesn't charge customers on their cholesterol level, they charge customers on the food that they order. I just don't see how multiple computers are the root cause of your problems.
No, I don't trust in god. He'll have to pay up front, like everybody else.
What do you mean claim I use a BSD?
It's different here in Australia. We get charged by data usage, so the ISPs don't really give a crap what's on the other end of the pipe.
http://melbournephilosophy.com/
I would be much more likely to believe that you have 2.3 machines.
And no girlfriend.
This isn't necessarily directed at you or your ISP, but just an observation about many ISPs.
Your argument is that having multiple machines correlates strongly with high bandwidth usage. I am not going to debate this.
My problem starts when you try to say users shouldn't be using that much bandwidth. When you say that P2P burns bandwidth like popcorn, and you can't support those users.
Here's the thing: I pay for *unlimited* bandwidth. I should be able to saturate my 768/128 pipe 24/7 and no one should be able to complain. That's what my ISP advertised.
Now, if the ISP can't afford to provide unlimited (and they advertised that they would), then they should fix the advertising. Don't cap my bandwidth usage, I pay for unlimited.
I understand that you guys can't afford to allow unlimited access: stop advertising it, then.
O/S Fingerprinting. First and foremost, narrow down your suspect list. Find all the Linux boxes; these will have a higher incidence of NAT because Linux actually packages this feature. Try to develop a fingerprint list for hardware based NAT appliances and any Windows application that can grant NAT ability.
TCP Sequence Numbers. Many TCP stacks (cough Windows cough) have a predictable or semi-predictable TCP Sequence Number pattern. Running multiple copies of one of these stacks (say, two 98 boxes) behind a NAT box would allow an intelligent heuristic to detect multiple TCP stacks. Most of NAT happens at the IP layer, so sequence numbers are not rewritten.
TCP Source port. NAT-P (it has a couple names) involves correlating inbound TCP packets to the appropriate local host by port, and then rewriting the port field. There is no attempt made to randomize this source port field selection and a clever heuristic could probably fingerprint it.
in:
Comcast Gunning for NAT Users
The paper states that the technique doesn't work when there is a particularly large amount of internal network traffic. If you really don't want to be discovered by your cable company, you could set up a box for the sole purpose of sending and receiving internal traffic. Considering that a cable modem doesn't even run at 10Mbps and a typical LAN runs at 100Mbps, the extra traffic shouldn't matter much.
San Jose California here. Our SBC Yahoo (formerly SBC formerly Pacbell) ISP even sells NAT boxes!
I think in reality ISPs do not want to provide tech support for home networks. The technical support is expensive. The extra use of internet bandwidth used by an extra computer behind a NAT does not cost the ISP very much.
If the ISP says you can not put multiple computers there then they do not have to provide technical support for it.
Religion is the main cause of atheism.
Fact is, U comcast-loving whore,
you get NOTHING for that extra $10 per month except another comca$t e-mail address.
It would be waay different if you got 5x the bandwidth for the extra cash.
Yeah, I can't do that because of the PPPoA (the PPP connection sits directly on the ATM device). I have a few DSL modems sitting in my drawer that are useless now, and my old router that I used with my previous DSL connections now sits behind the new router they sent to me and I had to turn almost everything off on it (my old router is basically just a 7 port switch with a print server now).
That's ok because the new router has a better firewall, and almost all of the features that my old router used to have (I kind of miss the DMZ feature, though - quick and dirty way to get something running).
"The defense of freedom requires the advance of freedom" - George W Bush
because it cost $39 /mo. for ONE person
there are five machines. I don't think my network should have to be exposed to *everyone* by a comcast dhcp server.
39 + (4 * 10) = $79 for the right to expose 5 fucking machines to skript kidz, haxors, etc. And the performance is waay less than a single connection going thru a NAT box.
I know, we did it for two months and cancelled.
mackbolan
Dell offers services in which they will have us come out and setup a home network (wireless or ethernet) and connect it up to your DSL or cable connection. I know AT&T Broadband and TimeWarnerRoadrunner bend over backwards to help us set this up for these customers.
I put on my robe and wizard hat.
I'm pretty sure that the following are both true:
If this is the case, can't the gateway simply discard the IPIDs from the originating hosts and substitute its own? Internet hosts should still be able to reassemble any packets that are fragmented between the gateway and their final destination.
Am I missing something?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
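As an added illustration (not code from this thread or from Bellovin's paper), here is a toy version of the IPID-counter idea that the heuristics post and the post above discuss, run over constructed packets, together with the gateway-side IPID rewrite the post above proposes. The greedy clustering rule and the `max_gap` threshold are my own simplifications, not the paper's algorithm.

```python
"""Toy IPID-sequence host counting and the NAT-side rewrite that defeats it.
Added example with constructed traffic; not Bellovin's code or algorithm."""
import random
from dataclasses import dataclass


@dataclass
class Packet:
    ipid: int   # 16-bit IP Identification field as seen on the wire
    src: str    # internal sender; invisible to the ISP, kept only to build the sample


def simulate_nat_capture(host_starts, per_host, seed=1):
    """Constructed sample: every internal host increments its own IPID counter
    (the common pre-randomization stack behaviour) and the NAT forwards the
    packets interleaved, without touching the IPID field."""
    rng = random.Random(seed)
    queues = {h: [Packet((start + i) & 0xFFFF, h) for i in range(per_host)]
              for h, start in host_starts.items()}
    captured = []
    while any(queues.values()):
        h = rng.choice([h for h, q in queues.items() if q])
        captured.append(queues[h].pop(0))
    return captured


def estimate_hosts(packets, max_gap=64):
    """Greedy clustering of the IPID stream: a packet is attached to the
    inferred counter whose last value lies just below its own (mod 2**16);
    if none fits, a new counter, i.e. a new host, is opened.
    Caveat: two hosts whose counters happen to be close together merge into
    one, and randomized IPIDs blow the count up rather than hiding it."""
    counters = []                     # last IPID seen per inferred host
    for p in packets:
        best, best_gap = None, None
        for i, last in enumerate(counters):
            gap = (p.ipid - last) & 0xFFFF
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            counters.append(p.ipid)
        else:
            counters[best] = p.ipid
    return len(counters)


def gateway_rewrite(packets, start=0):
    """The mitigation proposed in the post above: the gateway discards the
    internal host's IPID and stamps its own single counter. Reassembly on
    the far end still works as long as the gateway's IDs stay unique per
    (src, dst, protocol) for the lifetime of any outstanding fragments."""
    return [Packet((start + i) & 0xFFFF, p.src) for i, p in enumerate(packets)]


def gateway_randomize(packets, seed=2):
    """Alternative: the gateway picks a random IPID per packet. The counting
    heuristic then reports far more 'hosts' than exist, which is just noise."""
    rng = random.Random(seed)
    return [Packet(rng.randrange(0x10000), p.src) for p in packets]


if __name__ == "__main__":
    capture = simulate_nat_capture({"pc1": 100, "pc2": 20000, "pc3": 40000}, 100)
    print("raw NAT      :", estimate_hosts(capture))                    # 3
    print("rewritten    :", estimate_hosts(gateway_rewrite(capture)))   # 1
    print("randomized   :", estimate_hosts(gateway_randomize(capture)))
```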
There are still providers that offer Internet connections, yet they do the bait-n-switch to single machine subscription. In other words, the Internet is about one or more networks that connect with another set of one or more networks. DSL service providers want to limit that so only the consumer's one and only network connects only to the provider's multi-networks. DSL providers want to monopolize the consumer's network.
If the consumer wanted a connection to XYZ, and a connection to ZYX, and a connection to YZX, then the DSL providers would say "no way," and the provider would point to the service agreement which is a front to the "conflict of interest" statement.
The NAT technology is only implemented on a simple protocol so far. The technology could advance and do much more.
Disclaimer: I worked not too long ago for a Mom & Pop ISP, and I'm still a customer, so I'll be anonymous this once to avoid giving away my domain name and hence the ISP itself.
The ISP I'm with gives out static IP's only and does DNS for four domains and 3 mail servers, and not only allows hooking up routers, but sometimes assists. Our CTO goes onsite occasionally to help network 5 offices to a Cisco-terminated T1 or SDSL line. It's encouraged, because it brings in business.
Everyone knows that 5 or 10% of ISP's customers use 80% of the bandwidth, it should be no shock to anyone in the industry by now. But frankly, it's none of the ISP's business how many PC's I have hooked up internally. My one roommate on one PC can quadruple the average bandwidth you see on an individual line. My bandwidth is a pittance in comparison. How can you tell this apart? I can have 5 PC's connected and use only a fraction of the bandwidth this guy uses.
What's your definition of a PC anyways? It's just packets and bits, why does it matter from what NIC/MAC address it comes from? Is 500mbps from 5 pc's so much more criminal than 500mbps from one PC? I have a wireless access point as well, so now the line blurs a bit. Five are hard-wired, but does the occasional laptop or PDA count as a PC? A LAN party one weekend? Every weekend? The ISP's involvement should stop at the IP/MAC address. After that, it's just invasive.
I guess the answer would be to not use you as an ISP, but to get another ISP. You know that no ISP can make money solely on DSL, right? The profit margins of ANY ISP are going to be bigger on web hosting and dialup. PB takes $x per loop twice (once for the dialtone and the other for the DSL signal). I'm sure they'll be glad to take your customers as well. And I'm not a big fan of the RBOC's, but that's how it is. No, you can't be competitive at the same price, but raise your prices a bit, your business customers know when they've got a good deal and then your other services come into play (such as MUCH better tech support, faster turn around times, and people who you can visit and consult in the same city in person).
It's sad that you have to operate this way to stay in business, and I'm sympathetic. The real problem is the RBOC's, the other ISP's shouldn't be competing with each other (are you a part of CISPA?)
Okay - I see a lot of discussion about going to metered usage (not really sure if it's offtopic or not - but I want to comment on all the tangent discussion on this topic I do see).
It seems to me the trend for most telecom services is away from metered service to flat rate service (or practically flat rate - i.e. where the metered rate is so ridiculously low that maximum monthly metered usage is reasonable for those who truly use it). Interesting thing about internet connections - they are starting off as flat rate - and everyone predicts they'll go to metered service. The additional benefit of flat rate pricing is it's very easy and less costly to implement for the service provider and provides simplicity to the end user.
One may use the argument that voice connections monopolize the connection and thus it's not easily sharable - but I just argue that voice connections use longer and larger packets...the behavior is the same of any other data network - only one person can talk at any time....computers just do this faster to appear like there is simultaneous use.
So why would there be any difference in the pricing models or their future trends? Even cell phones are rapidly approaching the point where "flat rate" usage is becoming the norm (how many people actually exceed the 1200 minutes (not including promotional off peak) in most of the big companies' $80 plans? and that price point is dropping monthly). As a matter of fact, most of the companies make money banking on the fact that the avg user uses far less than the allotted amount and thus their actual meter charge is very high. At critical masses, they gain the benefits of flat pricing (reduced cost in terms of monitoring and billing complexity) as well as taking advantage of users' tendencies to use less than they actually _think_ they need (thus inflating the price and margin per minute). Ensure your baseline costs are covered, and everything else is gravy. Find a way to squeeze down idle capacity and voila - profitable business (hmmm....sounds like that's what supply chain mgmt is about, no?)
Anyways, I'll go against the grain and posit the following:
1) Flat rate pricing will continue to be the norm.
2) ISPs will eventually be talked out of the restrictions on the number of "computers" (esp as smart appliances come online - since consumers won't be likely to use those portions of the service if there's a charge per device).
3) They will find another way to make money - value added services for instance (the equivalents of caller id - but in the internet, security monitoring, unwanted spam blocking, etc).
Anyways - just some rambling thoughts from someone who can't figure out why isp's aren't making money hand over fist right now;)
So they check the packet ID's on incoming packets. Basically, they count the number of external connections. These ivory-tower academics amaze me with their lack of consideration of the real world.
1) I have one machine online now. I'm listening to an oldies station on live365 whilst reading Slashdot. And if Redhat had a new distro out, I could be downloading it in the background. How do they differentiate between me doing 3 things on one machine simultaneously, versus doing one thing on each of 3 machines simultaneously ?
2) Tabbed browsing to multiple sites that do HTTP refreshes bumps up the connection count. What gets *REALLY* hysterical is a typical luser running Windows with half-a-dozen spyware applets calling home all the time. It'll easily pass off as a home network.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
what if I have a dual processor? should they be able to charge me per processor? per NIC? or per chair in my study? The bottom line is that it's unreasonable to put an arbitrary condition on the service, particularly when there is no real reason to.
in soviet russia, internet logs onto you!!!!
How about machines with 2 or more NICs? Will they be counted as several machines if this technique is used?
IANAIPE (IP Expert) so forgive me if this is a trivial question...
Enig? Det alt for hot det smor!
Similar mindset, a wee bit cheaper as well. Great customer service.
If your line was cut when you were writing your message then how could you 'send' it?
Preserve old classics: copy your collection onto all hard drives.
Might want to invest in a grammar checker too. That's just my opinion.
EGG, the Electronic Gamers Guild
As mentioned in the article, Solaris uses per-destination ipid groups (ipid sequences use distinct counters per destination IP). I was curious to see if a single Solaris box would show up as multiple systems because of this in their analysis. Unfortunately there was no further mention of it in the article, so I guess I'll find out when my provider starts using this..
It would help ISPs to check how many computers are behind a NAT? So what?
I have my Linux NAT (let's call it N) connected to the wire of my ISP (cable), and I have a few computers (let's call them U) networked behind that NAT.
Let's say that my ISP says I can't use a NAT. (It does not. They are not THAT stupid.)
A few cases come to mind:
A) What if the U computers ask the N one to download stuff so they can download the data from it later? Is it wrong?
B) What if the data is fully downloaded (cached) by N before a U downloads it? Is it wrong??
C) What if I do B, but between the request to N and the recovery of the data from N I remove the N-U wire? Is it wrong???
D) What if I recover the data using a floppy? Or a CDRW? It's a kind of "connection", isn't it? After all, this can be even faster than a small 10Mbs LAN.
E) What if I say N is NOT a "computer", but only a firewall (after all, most firewalls are just packaged computers)? May they prove I'm wrong? Besides, why would I be wrong? Because the N box contains a CPU, RAM and an OS?? How many firewalls would not be firewalls then???
F) What if I say N and the U are only computer components and that the computer is in fact the whole stuff?
That "just one computer" connected is just plain wrong.
"The network is the computer", isn't it?
Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
The paper is based on an interesting observation and is a cool hack.
But it's not nearly as earth shaking as the authors make it out to be. (All authors have to make their conference papers seem earth shaking in order to get them in the conference, but that's not the point)
The whole paper is based on whether IPid is random or predictable. The simple fix happens when either
1. people switch to ipv6 (if at all; that's a whole new debate)
2. the tcp stacks on windows, mac and linux are fixed to randomize IPid in some fashion. This isn't as hard as it seems, if the stacks were replaced in one of the kernel patches in linux and the next service releases of windows and OS X, things would be dandy.
That said, I don't really believe anyone would care a damn, because the ISPs wouldn't care a damn. All they care about is the bandwidth consumption and it's far easier to look at bandwidth consumption of hosts and yell at people about that or charge them differently than it is to go about implementing such algorithms in the backend, thus spawning a slew of OS fixes and/or new NAT equipment or firmware upgrades.
ISDN. ;-)
If all you want is web access, why bother with NAT at all? It is an ugly hack, really. You can just set up a proxy server (squid or wwwoffle) and configure browsers to use that. You'll probably get better performance, too, since the proxy server can do caching. Or you could use NAT for ssh connections and an explicit proxy server for http/https/ftp.
OK, I know there are some NATting products which do caching internally, but it's not as clean as just configuring the web browsers to talk directly to a proxy, and it's more likely to break stuff. (At least, some 'transparent' web caches are horribly broken.)
-- Ed Avis ed@membled.com
Why are you charging per IP? Charge these people by the traffic they use. I also fail to understand how having two machines behind a NAT can use twice as much bandwidth. I would assume you cap the bandwidth already, but if not-- a single machine with a 100MBps ethernet card could saturate a whole stack o' T1 connections. There is no need for more than one box running 24/7 to eat all of your bandwidth and then some.
I understand the need to make money-- you are a business after all. But don't charge based on how people use the bits after they get there (whether they all go to the same PC or get split up by a router)-- charge them based on how many bits they use. If they want extra IPs for $12, that's cool too. But don't enforce it on everyone. That's a massive waste of IP space.
Linux calls it masquerading, the rest of the universe calls it NAT. NAT can be used to perform mapping, be it N to N (bimapping or symmetric to use your term) or N to M IP numbers. Doesn't matter if N or M equals 1 or 1,000.
My home computing setup involves my G3 in my office and my wife's iBook, which she usually uses from the living room.
I have an Airport Base Station in the basement with a wire up to my computer and hers on the wireless.
So, when I want to use the 'net, I click connect - when she wants to use it she clicks connect. We rarely have any need to use the connection simultaneously (and are far too impatient to deal with the added latency), but even if we did, odds are the data would be relatively regularly interleaved, and the total transfer volume would be the same whether we used it parallel or in serial.
She could come back to the office and use my system, but it's simply more convenient for both of us if she uses her iBook.
So, if you were my ISP, you would incur no additional costs with my setup, but you would charge me extra money, ostensibly taxing my convenience.
So, I'm curious: How can you defend this policy?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I only have one computer connected to their broadband drop -- and it's my router. My router, of course, is connected to multiple devices... but once you pass MY router, we're no longer talking about THEIR network, we're talking about MINE.
As long as I'm paying for the 1 IP address the cable/telco provides me, if I want to set up an internal network, I can assign whatever private IP addresses to as many machines sitting behind my firewall as I want -- that's MY network, not theirs. I'm only connecting ONE computer to THEIR network, so they can't very well take issue with me on that.
I could see them wanting to charge me for it if I wanted support in configuring and connecting these machines, but I'm not. I'm doing it all myself.
I could also see it if I was trying to hook up a CATV splitter and using amplifiers to split their drop to several computers, as that could have an effect on the signal quality for other cable customers on the same circuit, but I'm not doing that either.
There's a very clear border, and on one side of it there's my property, on the other side there's the ISP's property. I'm paying for service to 1 point in my HomeLAN, and once it comes in to my house, I should be able to do absolutely anything I want with it so long as it doesn't affect the outside.
So why should they care, as long as I stay under their bandwidth cap and don't do anything that disrupts service to other customers?
You see? You see? Your stupid minds! Stupid! Stupid!
Vendors bury their heads in the sand whenever emulation/virtualization comes up.
Back in the day, a Claris rep was on campus, showing off the latest FileMaker. New in that version was the Windows and Mac versions shipping on the same CD. He made sure to tell us that a license was required for each computer, so if you had a Mac and a PC that was two licenses if the software was installed concurrently, but you could buy the box for either, and switch back and forth.
I was developing FMP solutions at that time, and regularly tested the solutions on Windows with VirtualPC. So, I asked if that was one computer or two, and should I have to buy two licenses for one physical computer. After much hemming-and-hawing he was going to check with Corporate and get back to me. After a couple months, being a nudge, I asked him what they concluded. He never got back to me.
They stopped shipping both versions on the same disc, though.
I never understood how could ISPs enforce a 'no home network' rule. Technically in a NAT setup there is only one computer (the NAT box) connected to the provider. Packets never travel directly from any other computer to the ISP. Now the fact that the NAT box may be "delegated" some traffic from another machine in the home network is none of the ISPs concern, i.e. they should have no control of what I do to my bits once they reach the only machine connected to them, whether I save those bits, send them to /dev/null or change headers and send them to another box.
I don't think this is an issue we need to really worry about.
1. My DSL provider sells routers for home use.
2. The issue of having more than one box on the same DSL line had to do with DHCP and idiots connecting those boxes to the net via a HUB; each and every one of those boxes requested and got an IP address from the ISP. This created a problem not in terms of bandwidth, but in terms of managing a limited pool of IP addresses. With the inception of PPPOE standardization from the ISP this problem went away - and so too the need to track how many boxen we have riding on the other side of our DSL gateway.
Okay, I admit I got a bit worked up about this, until I opened my eyes and saw the truth behind this.
Now, I am not saying that all ISPs are as forward thinking as this - you may in fact be under contractual limitations on the number of devices you can connect to the DSL connection. However, I would worry more about a cracker analysing this information, rather than the ISP (unless you fall into that 1% who have a bogus ISP - in which case, time to find another ISP...)
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
The phone company does monitor your voice calls.
See, your voice calls are digitized soon after they leave your house, and sent along the ATM network. The ATM network examines its data bits, routing the call where it needs to go and ensuring Quality of Service for your virtual circuit.
So, the phone company is constantly examining the data that's integral to your voice call.
What they aren't doing is examining the content of your phone call, but, similarly, this proposal only looks at the packet header data, not the packet payload.
Curious, and probably off base, but I figured it could be twisted in this manner. Would it be possible to claim that packets originating from my computer are my copyright (not the info in the packets but the packets themselves) and thus monitoring said things could violate my Digital Copyright and thus violate the DMCA??
I use road runner in San Antonio, Texas from Time Warner Cable. They allow multiple computer per line to be hooked up.
2000-3000kbits/s down all the time and 45kBytes/s up
They provide the option of getting multiple IPs in case you want each machine to have its own...
I have had a very good relation with this company. It surprised me when I first got the service because I was always reading stuff online about ISPs not allowing NAT etc...
It's interesting that you can get a better perspective on the broadband situation from the financial pages than from a lot of these posts.
A 1 mbps always on connection -vs- a rarely used 256K connection is not the issue for the ISPs. Wholesale bandwidth is not a scarcity at the carrier level which is where your DSL and cable providers are operating. The bandwidth of a cable modem or DSL connection is financially irrelevant at these levels, it's the customer service that keeps the bills high. In fact, a huge part of your monthly bill is paying for the billing infrastructure itself. This has jack shit to do with how much bandwidth you use, that's just a marketing ploy.
I have Qwest phone service and AT&T cable. I have been thinking I'd rather go DSL (private line service, so to speak, and not tithing the Death Star also has an appeal) but I didn't think the price for DSL would be as high as you're paying.
John
God you guys are stupid. You would charge a guy who has one machine serving tons of pr0n less than someone who has a few computers behind a router for his family. Mister family guy would probably use much less bandwidth, yet he gets charged more. More computers doesn't equal more bandwidth! One guy downloading a new Linux distro per month would probably eat up more bandwidth than an entire family who only browses the web occasionally and sends emails to gramma.
And you use this as an explanation of why charging per-computer is a good idea. Dumbass.
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
- this post brought to you by the Automated Last Post Generator...