
Remotely Counting Machines Behind A NAT Box

Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."

10 of 574 comments

  1. Silver Lining? by Anonymous Coward · · Score: 4, Insightful

    "Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."

    Yeah, that pretty much sucks. There may be a silver lining, though. The more crap these ISPs pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking. "Sure, go ahead and set up a wireless LAN in your complex. We'll even let you pay to increase your bandwidth to accommodate all those users! Tell them that for $5 a month, they can each get a mail account or some other fairly interesting service."

  2. trying to crack down on reselling by a7244270 · · Score: 4, Insightful

    It probably annoys the telcos to no end that a connection can be shared - they are more used to the "telephone" model, where there is one line going into the house and if 2 people want to have separate conversations then they need two lines.

    Contrast that with a high speed connection that can be shared with a bazillion users.

    I'm guessing they are not as concerned with people who are running more than one machine at home - the precedent has been set already with telephone extensions, cable TV and satellite TV.

    I know of at least one person that is sharing his connection with 5 houses on his block via 802.11, which is a fair chunk of high speed connections that could be sold, and more than likely these are the people they are trying to find.

    My prediction - they will either give up once Netgear, Linksys et al. release ROM patches to prevent this, or they will try to start charging on a "by data" basis.

    This is of course doomed to failure, because the only purpose for a high speed connection is for sharing [censored by the RIAA and MPAA] across the net, and any attempts to change their pricing to this model will be met by massive consumer outcry.

  3. Like the RIAA... by TheJesusCandle · · Score: 4, Insightful

    the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...

    ...which will, of course, result in their attempts to find more onerous legal solutions to the problem.

    I say - let the games begin!

  4. "the telephone model" by djeaux · · Score: 5, Insightful

    For about the last 20 years or so, unless one takes out a service contract, the telco is responsible only for the line to the outside of the building. I am responsible for the interior wiring & any extension phones that split off internally from the gray box outside.

    Why would the telco suddenly be able to impose a different standard on data communications? Just because an AT&T engineer has proposed some (time consuming) method to do something doesn't mean it will be done. A similar attitude about POTS is what got mighty Ma Bell busted lo these many years ago...

    Taking this one stumble farther, I note that there is only one "computer" attached physically to the BellSouth DSL line: a little cheap Linksys router, which having a processor & some flash ROM, qualifies as a "computer." Other computers do not connect directly to the DSL line, they connect to that router.

    Any telco/ISP that "cracks down" on home networking this way is just plain stupid & needs to go back to the mandatory customer service training workshops! In fact, that's where our dear AT&T engineer needs to be this very afternoon. It's the corporate equivalent of Chinese water torture!

    --
    "Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)

  5. Re:Not where I'm from by Chasuk · · Score: 4, Insightful

    I work for an ISP where we enforce a single-machine license clause, and we do it for a very good reason: we aren't a charity. If it costs us more, it costs you more.

    We don't conceal this fact, and customers who are not happy with this clause are, almost uniformly, the customers who would cost us money instead of being a source of income.

    We are a small mom-and-pop ISP, and we get charged by the telco per kilobyte of traffic. If we charged everyone more to compensate for the bandwidth hogs, it would certainly be unfair to the low or moderate users, so we instead assign static IPs and charge per IP/computer. In other words, every computer attached to the Internet via our services must have a unique IP. We do make exceptions, but we still charge for one IP but five PCs connected/downloading from the Internet at the same rate as one IP/one PC.

    The telcos keep our costs so high that we can't afford to do otherwise.

    The customer's cost for five IPs versus one IP is a difference of $12.50, which is quite reasonable.

    We let you run servers on your static IP connection, and will host your DNS for free. We aren't money grubbers, in other words. But we are a business which intends to stay solvent.

    We do kick people off periodically, usually because they lied when they signed up, indicating that they would have one machine connected and actually had three or four, using IP masquerading. It isn't THAT hard to determine who the dishonest are, using the simple question: you are using twice (or three times) the bandwidth that an average customer would use connected with one PC 24/7. Do you have more than one system connected? If they say yes, we give them the opportunity to pay at the increased rate. If they decline, we kick them off. If they answer no, we start investigating where our system might be reporting erroneous data. We don't assume that they are being deceitful. More people than not are telling the truth.

    This is also largely why we disallow P2P file sharing applications. After an audit, we discovered that fewer than 5% of our customers were consuming the majority of our bandwidth. It was either raise prices for everyone, or disallow P2P file-sharing. We _do_ allow P2P file-sharing for customers who are sharing their own files; their own songs, etc., as those customers actually consume very little, if any, extra bandwidth.

    Whoops. I appear to have gone off-topic. I think it was relevant, as it helps explain the realities why an ISP would need to enforce a single-machine license clause.

  6. 4th amendment violation? by fishbowl · · Score: 4, Insightful

    If someone is routinely monitoring your IP packets like that, how is it different from routinely monitoring your phone calls? Why doesn't this have to be done by a law enforcement agency, with a warrant in hand? Why isn't this covered under the same legal umbrella that affirms our right to have extension telephones? (You might not remember Bell charging monthly for each phone, available only under lease, but I do.)

    We should be allowed to have NAT for the same reason we are allowed to have phones, and if the provider has a problem with that, they need to take a hike. Sniffing for this is unquestionably in bad taste, and it is also a violation of my civil rights.

    --
    -fb Everything not expressly forbidden is now mandatory.

  7. Re:Not where I'm from by Anonymous Coward · · Score: 5, Insightful

    In a properly-functioning economy, you'd be charging for traffic (tiered or metered) since that drives your cost. Your interest in how your customers are processing their traffic internally is inappropriate, and the IPv4 address space you're squandering should be reassigned to someone more ethical.

  8. Re:Not where I'm from by Anonymous Coward · · Score: 5, Insightful

    And why on earth would you have a metered T1 if you were an ISP? Is a flat-rate T1 simply not available in your area?

    I also operate an ISP, and we have a flat-rate T1. We don't care how many computers a customer has connected--we only care how much data is transferred, and we bill accordingly.

    I would not use an ISP that placed restrictions on how many computers I could connect, mom-and-pop ISP or not. Life's too short. I live in a house with four computers, and they all get used a good portion of the evening. Why should I have to put up four antennas just so I can hook up four computers?

  9. Better Idea by StBello · · Score: 4, Insightful

    It would be better (compared to randomizing) if the sequence of IPids for a single machine were chosen to masquerade as N independent counting values. This would fool them into thinking that you have N machines connected, when in fact you only have one! They'd only have to be fooled by this technique a couple of times before they gave up the technique entirely.
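The counting technique the story summary describes, and the evasion proposed in comment 9 above, as an added example that is neither Bellovin's code nor any commenter's. It is my own simplified reconstruction: it assumes that the only thing observable from the ISP side is the stream of IP ID values leaving the NAT's single address, and that each host of the era increments its IP ID by one for every packet it sends (so a subscriber's packets fall into one monotone sequence per host). The function names, the `max_gap` window and all the traffic below are assumptions constructed for the demonstration.

```python
"""Estimate hosts behind a NAT from the IP ID field (simplified reconstruction).

Assumed model (not from the paper or the thread): the observer sees only the
IP ID values leaving the NAT, and every host increments its ID by one per
packet. IDs seen here are a subset of what each host sends, so consecutive
values from one host may differ by more than one.
"""
import random

MAX_ID = 1 << 16  # the IP ID field is 16 bits wide, so counters wrap


def id_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur on the 16-bit counter (handles wrap)."""
    return (cur - prev) % MAX_ID


def count_hosts(ipids, max_gap=50):
    """Greedily chain IDs into monotone sequences; one chain ~ one host.

    Each new ID joins the chain whose last value is closest below it, provided
    the gap is at most max_gap (traffic to other destinations that the
    observer never sees). Otherwise it starts a new chain.
    Returns (estimated host count, chains).
    """
    chains = []  # one list of IDs per chain
    for cur in ipids:
        best, best_gap = None, max_gap + 1
        for i, chain in enumerate(chains):
            g = id_gap(chain[-1], cur)
            if g < best_gap:  # g == 0 is a retransmission: keep it in-chain
                best, best_gap = i, g
        if best is None:
            chains.append([cur])
        else:
            chains[best].append(cur)
    return len(chains), chains


def merged_stream(starts, steps, per_host):
    """Constructed traffic: several hosts with sequential IDs, interleaved."""
    counters = list(starts)
    out = []
    for _ in range(per_host):
        for h, step in enumerate(steps):
            counters[h] = (counters[h] + step) % MAX_ID
            out.append(counters[h])
    return out


def masquerade_stream(n_counters, starts, n_packets):
    """Evasion from comment 9: one host rotates through n independent counters."""
    counters = list(starts)
    out = []
    for k in range(n_packets):
        i = k % n_counters
        counters[i] = (counters[i] + 1) % MAX_ID
        out.append(counters[i])
    return out


def random_stream(n_packets, seed=7):
    """A host with randomized IDs (constructed): there are no chains to find."""
    rng = random.Random(seed)
    return [rng.randrange(MAX_ID) for _ in range(n_packets)]


if __name__ == "__main__":
    # three real hosts, one of them about to wrap past 65535
    n, _ = count_hosts(merged_stream([1000, 30000, 65500], [1, 2, 3], 20))
    print("three sequential hosts ->", n)          # 3
    # a single host pretending to be four, as comment 9 suggests
    n, _ = count_hosts(masquerade_stream(4, [0, 16384, 32768, 49152], 40))
    print("one host faking four counters ->", n)   # 4
    # a single host with random IDs: the estimate is meaningless
    n, _ = count_hosts(random_stream(60))
    print("one host with random IDs ->", n)        # around 60
```

Two caveats a practitioner would check before trusting the count. `max_gap` trades two errors against each other: if two hosts' counters happen to lie within the window of each other they merge into one chain (undercount), and if a host sends more than `max_gap` packets the observer never sees, its chain splits (overcount); the second and third runs show that a host which randomizes its IDs, or deliberately interleaves several counters, makes the estimate arbitrary rather than merely noisy.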

  10. Re:Not where I'm from by Sabalon · · Score: 4, Insightful

    This is apples and oranges.

    One machine could suck as much bandwidth as 10 machines doing next to nothing.

    Also, the idea behind NAT is that it only uses one IP address.

    Here at home, I have an army of computers (most junk). My cable modem hooks to a NAT/firewall (Linux). Behind that is my desktop. I also have a wireless access point so when I'm sitting outside in the hammock I can get on from there, or the wired bedroom or living room, or my wireless iPaq.

    And regardless of how many machines I have, I am still capped at 512k for all of them. While it is true I could use all of them to saturate that 512k, I could easily do it with just one machine as well.

    Sounds like you need to get some equipment that can do rate limiting and just sell bandwidth instead of hassling customers.