Remotely Counting Machines Behind A NAT Box

Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."

Not where I'm from

[pi+radians]

Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.

There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.

Re:Not where I'm from

[Rude+Turnip]

If the cable company thinks they can successfully charge me $10 extra per month for extra IP addresses ($5 per extra address: gf's comp + Tivo), they're crazy. Here is what will happen:

1. Cable gets cut - no more basic + digital package + cable modem: Cable Co will lose $115/mo

2. Mini-dish goes up and DSL comes in.

Re:Not where I'm from

[Karrots]

Ever thought of Bandwidth metering? Thats what the ISP I used to have did something like 12Gig's a week. They mainly did it so they could provide a good level of service to every one. If you wanted more gigs you could purchase more.

Recently they just lifted the Download metering for weekend and night time. Pretty cool I think.

what if they are chained?

[SHEENmaster]

so that you have two firewalls back2back and the other boxes behind it? It's a bit extreme, but worth it if your cable company is composed of jackasses.

Most users just want web access, and this technique doesn't work on proxies.

Like the RIAA...

[hndrcks]

the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...

...which will, of course, result in their attempts to find more onerous legal solutions to the problem.

I say - let the games begin!

Score another one for Linux

[guido1]

The method described decodes packets from the NAT, using the IP header's ID field (which is normally a simple counter) to determine number of nodes behind the NAT. (Find X distinct ID field chains, that is the number of PCs...)

However:
Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.


Hurray for Linux... :)

Re:What about Linux?

Fron the paper:

We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Crypt-analyzing the generator may be infeasible in any event. It should be possible to detect a random background to other, linear sources; the current version of the code does not do that.

So take that BSD bashers [ggg]. Of course, a gateway implementation to mask/randomize the IPids would be better - giving you a site-wide fix at once.

First one to market with one wins ;)

Re:Is this really a big deal?

[NetDrain]

Yes, it is in fact a big deal. Not every community has multiple options for high speed internet access -- if you're unlucky enough to be stuck in an area with only one ISP that offers cable/DSL and they have the draconian requirement that you have only one machine on the network, you have a problem.

The telephone companies did this a while ago about the number of phones you could have connected to your phone line. They monitored the voltage drop on the line when your phone rang. They eventually gave up trying to enforce it.

Multiple Systems != Multiple Boxen

[Heghta']

I can already imagine conversations like this:

ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accesing the net through our service, while the contract only allows you one!
Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
ISP: arglllll

I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.

How this works

[szquirrel]

Counting boxes is done using the "id" field in the IP header. The id field is relatively unique to each datagram sent between two hosts and is used to reassemble datagram fragments. This scheme depends on the observation that most IP stacks keep this field unique by just incrementing a counter for each datagram. By examining the id field of each packet coming from a NAT box and finding trends in the values you can tell how many boxes are behind the NAT. Each trend you can identify is another box hiding behind the NAT.

But as the article states:

We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.

So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).

Possible fix

[entrager]

After reading the document (something that is rarely done among posters), it appears to me that this wouldn't be TERRIBLY hard to fix. The different machines are recognized by the sequences of IPids that are generated for the packets that are sent out. This field must be unique for each packet with the same protocal, destination, and source. This prevents the NAT from simply mangling the number in the field, making it impossible to track the number of machines.

Someone correct me if I'm wrong, but it seems to me that iptables could be updated to change the IPid of outgoing packets to a single sequence and just keep a table of old ids -> new ids. When necessary, it performs the translation. So basically it acts as a two way filter, packets behind the NAT will all have the correct id, packets beyond it will all appear as a single sequence. Would this work?

Can we make it a DMCA violation?

[DoofusOfDeath]

There must be some way to make it so that an ISP doing this kind of analysis becomes a DMCA violation of the customer. Any ideas?

Re:Silver Lining?

[digitalsushi]

A geek friendly ISP, that is, one that would want customers that utilize their connections, would be more than happy to sell them all full T1 service for about 400 to 1200 dollars a month, depending on where you happen to live :)

I think in general (not aimed at you, Anonvmous) people tend to not realize that everybody has to share when it comes down to it. Sure, most ISPs cover that fact with a healthy dose of greed, but in the end, a 50 dollar price point is what you get after you trim the 1% of us, the power users. They dont like us and there's a good reason- we cost them money when we use more than the normal user! And I dont blame an ISP for enforcing; it's not a matter of being fair as they are just doing this to make money.. a geek friendly ISP would last all of 10 minutes with similarly priced services as what is regularly available. Oh well. I got my plan all worked out. Another 40 a month and I can have business dsl- full servers, whatever i want, nat, all perfectly cool with the ISP. ah, but i lose cause i gave up the 40 extra a month? not when they make a policy change to the residentials and I'm the only one left with a working web and mail server :D

Other methods, and solutions

[evilviper]

Well, this comment is going to be so far down that most people wont see it, but I'll try it anyways.

The method described is only one method to count hosts behind a NAT box. Just think how much fun your ISP could have if they utilized a passive nmap-like system. Just by analizing the traffic, they can tell what OS created the packets, among other things.

That said, there are ways around this already in the wild. OpenBSD's PacketFilter (PF) has a "modulate state" keyword that would solve you problem nicely. That tells PF to essentially rewrite the packets, primarily to give them the benefit of OpenBSD's random sequence numbers, but it will also stop any other analysis of the packets.

Of course, that still leaves the posibility of them checking your surfing habbits. However, that would be, not only incredibly intrusive, but quite difficult for them to do on a large scale. Besides, if it every happens, and they say they saw your firewall making connections to 12 different websites at the same time, just tell them it was all from your one machine, and there's nothing they can do to refute it.

Of course, I'm not concerned about this in the least. I'm using Earthlink broadband, who happen to care about customer privacy more than any other. I certainly didn't hear of any other ISPs giving the US government the finger when they wanted to install Carnivore.