Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remotely Counting Machines Behind A NAT Box

Posted by ryuzaki0 on from the you-knew-this-was-coming dept.

Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."

6 of 574 comments (clear)

  1. It's already here by ptbarnett · · Score: 5, Informative
    The more crap these ISP's pull to push their saavier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking.

    It's already here: SpeakEasy.

    Their TOS explicitly states:

    "Speakeasy believes in the right of the individual to publish information they feel is important to the world via the Internet. Unlike many ISP's, Speakeasy allows customers to run servers (web, mail, etc.) over their Internet connections, use hubs, and share networks in multiple locations."

  2. Re:this sucks by arivanov · · Score: 5, Informative

    There are already several simpler ways:

    1. Use proxies instead of NAT and proxy transparently if needed. Yeah, I know, none of the P2P download sucker shit as it does not have proxies but such is life.
    2. Use OSes with better randomisation of IP IDs. This is a tuneable parameter on most OSes and after you have turned it on the graphs are no longer so pretty.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  3. Re:what if they are chained? by tjrw · · Score: 5, Informative

    Wouldn't make a jot of difference. The current firewalls aren't rewriting the IPid field anyway, so adding an extra hop would not affect the analysis at all.

    In reading the paper, it is apparent that this is not a particularly cheap thing to attempt. I can't see how it could be easily automated and deployed on a large scale, even assuming someone could be sufficiently bothered to do so.

    If you want protection from this, you're going to need to do some serious work on iptables to add tracking of fragments to the connection tracking code and to rewrite the field on outbound packets to some psuedo-random value. Interestingly this is the "correct" thing to do anyway - otherwise it is theoretically possible to generate two packets with the same id, both fragmented from different internal hosts to the same destination, and screw up the fragmentation reassembly at the receiver.

    Tim

  4. Re:what if they are chained? by stratjakt · · Score: 5, Informative

    "you're going to need to do some serious work on iptables "

    Another user already posted that there's already a patch (or kernel option) for linux to do random ipid's just like BSD does.

    This is more an admin utility than a policing tool. Just kick back, get yourself a beer and watch the knee-jerk reactions and paranoid theories from all the nerds who think the man is out the get 'em.

    --
    I don't need no instructions to know how to rock!!!!
  5. Re:How this works by BlueUnderwear · · Score: 5, Informative
    You are confusing the id field with the TCP sequence counter. TCP sequence counter is already not usable for their purpose, because of miscellaneous anti-spoofing techniques.

    The field they are using is the IP id field, which exists in all IP packets (including UDP, ICMP, whatever), and which is used for low-level packet reassembly. On many OS'es, this is a globally increasing counter, i.e. two distinct connections on the same machine share the same counter, but two connections on different machines do not.

    Workarounds:

    • Use a pseudo-random number generator instead of a simple counter, as the various BSD apparently do.
    • Substitute the counter at the NAT box
    --
    Say no to software patents.
  6. What do these clauses typically look like? by oliphaunt · · Score: 5, Informative
    OK, play lawyer with me for a little bit. What do these licenses actually say?
    here's one.
    Seems a little arbitrary, but they're small fry. let's go bigger:
    here's another.
    I think this bit applies to the question at hand (emphasis is mine):
    3(b) SBC Yahoo! DSL. Your SBC Yahoo! DSL Member Account allows for one DSL connection and one other simultaneous network connection (such as a dial-up line) for a total of two (2) simultaneous network connections to the Internet. SBC reserves the right to prohibit any additional simultaneous network connections. This policy does not prohibit multiple DSL users from connecting to the Internet over the same DSL network connection using customer premise equipment such as a router or home networking equipment.

    How does this imply that you can't share a DSL connection? OTOH, it explicitly says that sharing a connection is OK.
    however, if we look to AT&T DSL TOS, they are somewhat more restrictive:
    8a. Improper Use. You agree to comply with the "ABC's of AT&T Worldnetiquette," which are described in Section 10. You cannot create a network (whether inside or outside of your residence) with AT&T DSL Service using any type of device, equipment, or multiple computers unless AT&T has granted you permission to do so and you use equipment and standards acceptable to AT&T. AT&T may cancel, restrict, or suspend the Services and this Agreement under Section 11 below for violating these provisions.

    A little tougher, but it doesn't actually rule out connection-sharing entirely- just requires that AT&T grant you permission, right? So they must have a process for granting the approval, and a list of approved equipment.

    Since I'm bored today, I called them up. I pointed the nice lady at their TOS, section 8(a), and asked if she could provide me with a list of AT&T approved equipment, and/or the approval process for home networking. She put me on hold for a bit. When she came back, she told me that AT&T DSL is not the same as AT&T WORLDnet DSL, and i had the wrong phone number- but WORLDnet doesn't allow any kind of connection sharing- and she'd happily transfer me to the REAL AT&T. The second phone monkey had no idea what I was talking about- ditto the 3rd. Neither of them could understand why I would want to ask questions about their TOS if they couldn't even deliver service to my residence. The fourth phone monkey told me that they don't support any kind of multiple connection, and that the "grant you permission" line is in the contract for things like automated security systems that call the police department when someone breaks into your house.

    So. Score: SBC +1 (but -1 for their stupid 'frames' patent), AT&T 0. Interesting article, but since I'm on SBC, i won't be changing my NAT settings...
    --




    Humpty Dumpty was pushed.