Remotely Counting Machines Behind A NAT Box
Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."
Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.
There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.
sin(6cos(r)+5A)
so that you have two firewalls back2back and the other boxes behind it? It's a bit extreme, but worth it if your cable company is composed of jackasses.
Most users just want web access, and this technique doesn't work on proxies.
You can't judge a book by the way it wears its hair.
This is similar to the paketto suite. That allowed pinging behind a NAT wall.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
Why is it a big deal for some company (broadband provider) whose ToS contract up-front says only X number of machines can use this connection or else additional fees apply to expect their customers to comply with the terms of their contract?
If you want 10 machines to share an internet connection, sign up with a company which doesn't care or charge for how many computers share the connection OR pay for the additional machines for ISPs who do.
It's interesting to note that this would only ID the number of machines behind NAT boxes -- not those using proxy servers (a la squid). At least from what I read...
-jhon
the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...
...which will, of course, result in their attempts to find more onerous legal solutions to the problem.
I say - let the games begin!
Everyone will start to cheer when you put on your sailin' shoes.
The method described decodes packets from the NAT, using the IP header's ID field (which is normally a simple counter) to determine the number of nodes behind the NAT. (Find X distinct ID field chains; that is the number of PCs...)
:)
However:
Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.
Hurray for Linux...
At one time the telephone monopoly measured ringer current to locate "unauthorized" telephones that customers would (gasp!) install without consulting Bell. People installed phones anyway.
Once everyone has many devices with IP addresses on their home LAN, there is no way the ISPs can keep up. Just ignore this.
From the paper:
;)
We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event. It should be possible to detect a random background to other, linear sources; the current version of the code does not do that.
So take that, BSD bashers [ggg]. Of course, a gateway implementation to mask/randomize the IPids would be better - giving you a site-wide fix at once.
First one to market with one wins
I can already imagine conversations like this:
ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accessing the net through our service, while the contract only allows you one!
Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
ISP: arglllll
I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.
Ash nazg durbatulûk, ash nazg gimbatul
ash nazg thrakatulûk, agh burzum-ishi krimpatul.
Counting boxes is done using the "id" field in the IP header. The id field is relatively unique to each datagram sent between two hosts and is used to reassemble datagram fragments. This scheme depends on the observation that most IP stacks keep this field unique by just incrementing a counter for each datagram. By examining the id field of each packet coming from a NAT box and finding trends in the values you can tell how many boxes are behind the NAT. Each trend you can identify is another box hiding behind the NAT.
But as the article states:
We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.
So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).
Never approach a vast undertaking with a half-vast plan.
After reading the document (something that is rarely done among posters), it appears to me that this wouldn't be TERRIBLY hard to fix. The different machines are recognized by the sequences of IPids that are generated for the packets that are sent out. This field must be unique for each packet with the same protocol, destination, and source. This prevents the NAT from simply mangling the number in the field, making it impossible to track the number of machines.
Someone correct me if I'm wrong, but it seems to me that iptables could be updated to change the IPid of outgoing packets to a single sequence and just keep a table of old ids -> new ids. When necessary, it performs the translation. So basically it acts as a two way filter, packets behind the NAT will all have the correct id, packets beyond it will all appear as a single sequence. Would this work?
There must be some way to make it so that an ISP doing this kind of analysis becomes a DMCA violation of the customer. Any ideas?
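To make the counting trick and the iptables-style fix above concrete, here is a small added simulation (my own code, not Bellovin's and not from the paper). Inside hosts each keep an incrementing IP ID counter and the NAT interleaves their packets; the observer chains IDs that follow one another closely (the gap threshold of 8 and the "at least three IDs" heuristic are my choices, not the paper's) and counts the chains. A gateway-side normalizer then rewrites every outgoing ID into one sequence of its own, checking for duplicates as the paper warns, and pins the TTL, after which the same observer sees one host. All traffic is constructed in the script.

```python
"""IP ID chain counting behind a NAT, and a gateway-side countermeasure.
Constructed sample traffic; illustrative code, not the paper's tool."""
import random

MAX_ID = 0x10000  # the IP ID field is 16 bits


def nat_stream(hosts, packets_per_host, seed=7):
    """Constructed traffic leaving a NAT box.  Each inside host has its own
    incrementing IP ID counter (the common stack behaviour the paper relies
    on) starting from a different value; the NAT interleaves the hosts.
    hosts is a list of (start_id, ttl) pairs; returns a list of (ip_id, ttl)."""
    rng = random.Random(seed)
    counters = [start for start, _ in hosts]
    left = [packets_per_host] * len(hosts)
    stream = []
    while any(left):
        i = rng.choice([k for k, n in enumerate(left) if n > 0])
        stream.append((counters[i] % MAX_ID, hosts[i][1]))
        counters[i] += 1
        left[i] -= 1
    return stream


def random_id_stream(n, ttl=63, seed=7):
    """Constructed traffic from a stack that randomizes the IP ID (the
    OpenBSD/FreeBSD behaviour the paper says it does not try to handle)."""
    rng = random.Random(seed)
    return [(rng.randrange(MAX_ID), ttl) for _ in range(n)]


def ipid_chains(stream, max_gap=8):
    """Greedy chain assembly over observed IP IDs.  An ID is appended to the
    chain whose last value it most closely follows (1..max_gap above it,
    modulo 2^16); otherwise it starts a new chain.  An ID of 0 is skipped
    because some Linux kernels send a constant 0 on DF packets, which would
    otherwise pollute the chains."""
    chains = []
    for ip_id, _ttl in stream:
        if ip_id == 0:
            continue
        best, best_gap = None, max_gap + 1
        for chain in chains:
            gap = (ip_id - chain[-1]) % MAX_ID
            if 1 <= gap < best_gap:
                best, best_gap = chain, gap
        if best is None:
            chains.append([ip_id])
        else:
            best.append(ip_id)
    return chains


def estimate_hosts(stream, max_gap=8, min_len=3):
    """Chains long enough to look like a real counter are counted as hosts;
    chains of one or two IDs are treated as noise.  Against randomized IDs
    this yields essentially nothing, as the paper notes."""
    return sum(1 for c in ipid_chains(stream, max_gap) if len(c) >= min_len)


def distinct_ttls(stream):
    """Another giveaway mentioned in the thread: different OS defaults leave
    different TTLs after the NAT's one-hop decrement."""
    return len({ttl for _, ttl in stream})


def gateway_normalize(stream, ttl=64, seed=7):
    """The countermeasure sketched in the thread: the gateway rewrites every
    outgoing IP ID into a sequence of its own (randomized here, like OpenBSD)
    and pins the TTL, so the outside sees one stack.  The ID only has to stay
    unique per src/dst/protocol for fragment reassembly, so fresh values are
    drawn until one is unused; the new -> original table is what the gateway
    would consult to translate an ICMP error quoting the original header."""
    rng = random.Random(seed)
    table = {}
    out = []
    for ip_id, _ in stream:
        new_id = rng.randrange(1, MAX_ID)
        while new_id in table:          # avoid the duplication the paper warns about
            new_id = rng.randrange(1, MAX_ID)
        table[new_id] = ip_id
        out.append((new_id, ttl))
    return out, table


if __name__ == "__main__":
    traffic = nat_stream([(100, 63), (20000, 127), (40000, 254)], 30)
    print("hosts seen from outside:", estimate_hosts(traffic))
    normalized, _ = gateway_normalize(traffic)
    print("after gateway rewrite:  ", estimate_hosts(normalized))
```

The chain assembly deliberately ignores everything but the ID field; the paper's tool also has to cope with hosts whose counters happen to start close together, which this greedy version would merge into one chain.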
On OpenBSD and FreeBSD, however:
A keyed generator, as is used in OpenBSD and FreeBSD, provides some protection, but one needs to be careful to avoid duplication if the generator is rekeyed periodically.
A geek friendly ISP, that is, one that would want customers that utilize their connections, would be more than happy to sell them all full T1 service for about 400 to 1200 dollars a month, depending on where you happen to live :)
:D
I think in general (not aimed at you, Anonvmous) people tend to not realize that everybody has to share when it comes down to it. Sure, most ISPs cover that fact with a healthy dose of greed, but in the end, a 50 dollar price point is what you get after you trim the 1% of us, the power users. They don't like us and there's a good reason- we cost them money when we use more than the normal user! And I don't blame an ISP for enforcing; it's not a matter of being fair as they are just doing this to make money.. a geek friendly ISP would last all of 10 minutes with similarly priced services as what is regularly available. Oh well. I got my plan all worked out. Another 40 a month and I can have business DSL- full servers, whatever I want, NAT, all perfectly cool with the ISP. Ah, but I lose cause I gave up the 40 extra a month? Not when they make a policy change to the residentials and I'm the only one left with a working web and mail server.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
There's every possibility the ISPs and cable companies already know about this. Why do you think they would tell us? This is the same tired argument used to justify security through obscurity...it's specious.
I say, thank you Steve for making me aware of this. Now I have the option to take action, as do the companies that make these home networking devices.
All those single-computer use clauses are evil anyway. A DSL line gives you X bandwidth, so X bandwidth is what you use, regardless of how many machines you multiplex it to. Arbitrary fees for extra machines behind the connection are just more ways to rape^H^H^H^Hmilk the customer.
If you have two computers, they figure you're going to be using more bandwidth than if you only had one. For example, if you and your wife are both surfing the web at the same time, more bandwidth is being used than if you only had one computer (so only one of you could be surfing at a time). If this is generally true, then the ISP has a higher cost for users with two computers than for users with one (remember that the ISP has to pay for bandwidth from their backbone providers; they don't pay a flat monthly rate like you do).
Of course, in many cases this is not true. I have several computers, and I use far less bandwidth than the guy with only a single PC who leaves Kazaa running 24/7.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I enjoyed telling the cable people to screw off. They charged me in advance of services rendered (!) and every time a legislated rate decrease was passed, they would somehow have an increase in operating costs that exceeded it (so rates would go up anyway).
But then I went to DirecTV, and it felt good to not be the hostage of the cable company... until I realized I was still a hostage.
I do have DSL, but we finally booted DirecTV. It was just too much money every month. I tried calling customer service to see if I could step down to a more economical package (maybe with the 10-15 channels I actually watch) but they told me I was already at the lowest level (which has seemingly hundreds of channels). The infuriating part: when I called to cancel they said I could switch to a cheaper package with less channels.
But anyway, this is about IP addresses and NAT; couldn't we have a kernel/netfilter module that will resequence all outgoing packets consecutively and reverse on the return?
any attempts to change their pricing to this model will be met by massive consumer outcry.
But if ALL the high speed isp's start charging "by the bit", then why would they care if their p2p customers start bitching. They are under no legal obligation to provide unlimited bandwidth. And if the p2p people don't like it, they can switch back to dialup is what they'll say. I think that "by the bit" is inevitable. They don't do it now because they are all trying to stay afloat and expand their customer bases. But once they have a nice critical mass built up, then they'll start metering. Makes too much sense. It's "fair" in that those who use the most, pay the most. They wouldn't care how many machines are hiding behind your NAT, because in the end, they'll still get their money (depending on pricing scales of course).
It's people who want streaming audio and video, or massive file sharing. Power users just want to be able to download the data they need, when they need it, without a long wait. I don't say this to put down people who do streaming - I use it too, sometimes. But a power user probably consumes an order of magnitude less bandwidth than a user who has the connection primarily to do streaming media. Personally, I'm exquisitely happy with my broadband DSL connection, and with my ISP (speakeasy).
:'}
My main worry right now is that Congress will kill my ISP by fiat, and I'll be forced to buy service from a baby bell again.
This argument is only valid for DSL, however I think the cable companies should be hauled into court for false advertising.
In my experience, when I get DSL I am paying for a particular guaranteed bandwidth to my ISP. How many machines I choose to hook up to that is purely my business, provided I am not running a neighborhood LAN (fair enough) because the contract is per address.
What an ISP does not like is the fact that their "model" of what you should be doing tends to get blown away by multiple machines. They may not like this, but thats too bad. If you are going to promise bandwidth, then that is what you should deliver. If you don't, it's false advertising. It is a bit like the RIAA because they do not want to adopt methods that give them public relations headaches (ie. they do not like admitting their true intentions) such as:
"Guaranteed 650kbs (so long as you only use it less than 2hr out of every day)"
As a side note, I remember reading the contract for my ISP stating that excessive up/downloading was grounds for termination of service. However there was no definition for this term and nobody at the company seemed to have a good idea of what this was. Put simply, if I did use enough bandwidth downloading Linux distros 20 times a week and they terminated me I could sue them. Frankly I am surprised their lawyers allowed that one to get out the door.
The ISPs could also try checking all the TTLs (time to live) of the packets.
Many routers don't set this value to be one specific value, and multiple computers have multiple TTLs. Thus, it is an excellent indication of multiple computers.
Also, if you happen to be using Linux kernel 2.4, netfilter nat modules happen to change the TTL to one certain value.
--agenthh
Sure, this could be used to count the number of machines behind broadband customers connections. The fact is, though, that it probably won't.
As you know, broadband service providers make money by assuming not everyone is using 100% of their bandwidth all the time. The only way they'll care as to whether you have multiple machines is if you use too much bandwidth. And even then, they'll probably only disconnect you for using too much bandwidth, and not having a shared connection.
I'm sure they won't give up a $50/month source of revenue because Joe has his mom's computer connected to a NAT box. Now, if Joe's mom was running a public FTP server...
if(!toilet_paper) roll.replace(new roll);
Well, this comment is going to be so far down that most people won't see it, but I'll try it anyways.
The method described is only one method to count hosts behind a NAT box. Just think how much fun your ISP could have if they utilized a passive nmap-like system. Just by analyzing the traffic, they can tell what OS created the packets, among other things.
That said, there are ways around this already in the wild. OpenBSD's PacketFilter (PF) has a "modulate state" keyword that would solve your problem nicely. That tells PF to essentially rewrite the packets, primarily to give them the benefit of OpenBSD's random sequence numbers, but it will also stop any other analysis of the packets.
Of course, that still leaves the possibility of them checking your surfing habits. However, that would be not only incredibly intrusive, but quite difficult for them to do on a large scale. Besides, if it ever happens, and they say they saw your firewall making connections to 12 different websites at the same time, just tell them it was all from your one machine, and there's nothing they can do to refute it.
Of course, I'm not concerned about this in the least. I'm using Earthlink broadband, who happen to care about customer privacy more than any other. I certainly didn't hear of any other ISPs giving the US government the finger when they wanted to install Carnivore.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Hmm, 99% of my LAN's Internet traffic goes through my caching and filtering web proxy, so it would look like there was only one machine anyway. What little traffic doesn't go through the proxy is probably too scattered to detect a noticeable trend. And as someone else mentioned, iptables might have to reassign the IPIDs to prevent collisions anyway. Maybe we'll get random IPIDs like FreeBSD, too :-) In my case, they might be better off looking at TTL, window size, and all the other stuff nmap uses to detect different OSes.
The ocean parts and the meteors come down
Laid out in amber, baby.
Seriously, anyone who bitches about these sorts of restrictive policies should put their money where their mouth is and switch to a provider like Speakeasy. Not only are they geek friendly when it comes to multiple machines, but they also have a lot of other good projects including the following:
Not to mention the fact that they offer at least some Linux support (examples here and here). I don't know the extent of it, because honestly I don't ask my ISP for help with my OSs often. Also, when I got DSL they offered static IPs when most of the other providers I looked at in my area only seemed to offer dynamic for residential customers.
You might be asking yourself, "Does this guy work for Speakeasy?" No. But I am a satisfied customer, and I am afraid that good ISPs like this one will be pushed out by bigger companies (*cough*Verizon*cough*) who offer their customers a much more restricted set of options and don't give back to the internet community (if you believe in such a thing). All this because these other companies can offer their services a few bucks cheaper a month or with a little better initial perks, or just because the other companies have better name recognition and more marketing dollars. That and there are many savvy users at these less friendly ISPs who know they can slip by restrictions (at least in the short term), so they opt for convenience and saving a few bucks over promoting the behavior they'd like to see and options all users can take advantage of.
So, if you're concerned by the increasing restrictiveness of ISPs, use your wallet to make a statement by switching to one of the good guys.
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
If all you want is web access, why bother with NAT at all? It is an ugly hack, really. You can just set up a proxy server (squid or wwwoffle) and configure browsers to use that. You'll probably get better performance, too, since the proxy server can do caching. Or you could use NAT for ssh connections and an explicit proxy server for http/https/ftp.
OK, I know there are some NATting products which do caching internally, but it's not as clean as just configuring the web browsers to talk directly to a proxy, and it's more likely to break stuff. (At least, some 'transparent' web caches are horribly broken.)
-- Ed Avis ed@membled.com