Remotely Counting Machines Behind A NAT Box

Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."

40 of 574 comments

  1. Not where I'm from by pi+radians · · Score: 5, Interesting

    Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.

    There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.

    --

    sin(6cos(r)+5A)
    1. Re:Not where I'm from by Anonymous Coward · · Score: 5, Funny

      Do you live in Liberty City or Vice City?

    2. Re:Not where I'm from by Chasuk · · Score: 4, Insightful

      I work for an ISP where we enforce a single-machine license clause, and we do it for a very good reason: we aren't a charity. If it costs us more, it costs you more.

      We don't conceal this fact, and customers who are not happy with this clause are, almost uniformly, the customers who would cost us money instead of being a source of income.

      We are a small mom-and-pop ISP, and we get charged by the telco per kilobyte of traffic. If we charged everyone more to compensate for the bandwidth hogs, it would certainly be unfair to the low or moderate users, so we instead assign static IP's and charge per IP/computer. In other words, every computer attached to the Internet via our services must have a unique IP. We do make exceptions, but we still charge for one-IP but five-PC's connected/downloading from the Internet at the same rate as one-IP/one-PC.

      The telcos keep our costs so high that we can't afford to do otherwise.

      The customer's cost for five IPs versus one IP is a difference of $12.50, which is quite reasonable.

      We let you run servers on your static IP connection, and will host your DNS for free. We aren't money grubbers, in other words. But we are a business which intends to stay solvent.

      We do kick people off periodically, usually because they lied when they signed up, indicating that they would have one machine connected and actually had three or four, using IP masquerading. It isn't THAT hard to determine who the dishonest are, using the simple question: you are using twice (or three times) the bandwidth that an average customer would use connected with one PC 24/7. Do you have more than one system connected? If they say yes, we give them opportunity to pay at the increased rate. If they decline, we kick them off. If they answer no, we start investigating where our system might be reporting erroneous data. We don't assume that they are being deceitful. More people than not are telling the truth.

      This is also largely why we disallow P2P file sharing applications. After an audit, we discovered that fewer than 5% of our customers were consuming the majority of our bandwidth. It was either raise prices for everyone, or disallow P2P file-sharing. We _do_ allow P2P file-sharing for customers who are sharing their own files; their own songs, etc., as those customers actually consume very little, if any, extra bandwidth.

      Whoops. I appear to have gone off-topic. I think it was relevant, as it helps explain the realities why an ISP would need to enforce a single-machine license clause.

    3. Re:Not where I'm from by Anonymous Coward · · Score: 5, Insightful

      In a properly-functioning economy, you'd be charging for traffic (tiered or metered) since that drives your cost. Your interest in how your customers are processing their traffic internally is inappropriate, and the IPv4 address space you're squandering should be reassigned to someone more ethical.

    4. Re:Not where I'm from by Anonymous Coward · · Score: 5, Insightful

      And why on earth would you have a metered T1 if you were an ISP? Is a flat-rate T1 simply not available in your area?

      I also operate an ISP, and we have a flat-rate T1. We don't care how many computers a customer has connected--we only care how much data is transferred, and we bill accordingly.

      I would not use an ISP that placed restrictions on how many computers I could connect, mom-and-pop ISP or not. Life's too short. I live in a house with four computers, and they all get used a good portion of the evening. Why should I have to put up four antennas just so I can hook up four computers?

    5. Re:Not where I'm from by Sabalon · · Score: 4, Insightful

      This is apples and oranges.

      One machine could suck as much bandwidth as 10 machines doing next to nothing.

      Also, the idea behind NAT is that it only uses one IP address.

      Here at home, I have an army of computers (most junk). My cable modem hooks to a NAT/firewall (Linux). Behind that is my desktop. I also have a wireless access point so when I'm sitting outside in the hammock I can get on from there, or the wired bedroom or living room, or my wireless iPaq.

      And regardless of how many machines I have, I am still capped at 512k for all of them. While it is true I could use all of them to saturate that 512k, I could easily do it with just one machine as well.

      Sounds like you need to get some equipment that can do rate limiting and just sell bandwidth instead of hassling customers.

  2. what if they are chained? by SHEENmaster · · Score: 5, Interesting

    so that you have two firewalls back2back and the other boxes behind it? It's a bit extreme, but worth it if your cable company is composed of jackasses.

    Most users just want web access, and this technique doesn't work on proxies.

    --
    You can't judge a book by the way it wears its hair.
    1. Re:what if they are chained? by Snork+Asaurus · · Score: 5, Funny
      if your cable company is composed of jackasses

      You mean there are some that aren't?

      --
      Sigs are bad for your health.
    2. Re:what if they are chained? by tjrw · · Score: 5, Informative

      Wouldn't make a jot of difference. The current firewalls aren't rewriting the IPid field anyway, so adding an extra hop would not affect the analysis at all.

      In reading the paper, it is apparent that this is not a particularly cheap thing to attempt. I can't see how it could be easily automated and deployed on a large scale, even assuming someone could be sufficiently bothered to do so.

      If you want protection from this, you're going to need to do some serious work on iptables to add tracking of fragments to the connection tracking code and to rewrite the field on outbound packets to some pseudo-random value. Interestingly this is the "correct" thing to do anyway - otherwise it is theoretically possible to generate two packets with the same id, both fragmented from different internal hosts to the same destination, and screw up the fragmentation reassembly at the receiver.

      Tim

    3. Re:what if they are chained? by stratjakt · · Score: 5, Informative

      "you're going to need to do some serious work on iptables "

      Another user already posted that there's already a patch (or kernel option) for linux to do random ipid's just like BSD does.

      This is more an admin utility than a policing tool. Just kick back, get yourself a beer and watch the knee-jerk reactions and paranoid theories from all the nerds who think the man is out to get 'em.

      --
      I don't need no instructions to know how to rock!!!!
  3. Top 5 ways to count # of machines behind a NAT box by Amsterdam+Vallon · · Score: 4, Funny

    5 -- Via the traditional finger point, coupled with the ever-popular audible counter increment

    4 -- Thermal image detection scan

    3 -- Utilize the same finger pointing mentioned in 5, but avoid the audible count as an enhanced privacy measure

    2 -- Avoid counting and caring about counting altogether; continue browsing Slashdot

    1 -- Call the dude with the NAT box and ask him!

    Free tech news & blogging for life -- *nix.org

    --

    Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
  4. What about NAT behind NAT? by Anonymous Coward · · Score: 5, Funny

    What about when I put a NAT machine behind a NAT machine? ;-)

    1. Re:What about NAT behind NAT? by Tumbleweed · · Score: 4, Funny

      Well, then, they'll just use their ANTI-anti-NAT technology!

      "No, no, not 'Anti-NAT,' that's my Aunt Natalie!"

  5. Silver Lining? by Anonvmous+Coward · · Score: 4, Insightful

    "Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."

    Yeah, that pretty much sucks. There may be a silver lining, though. The more crap these ISP's pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking. "Sure, go ahead and set up a wireless lan in your complex. We'll even let you pay to increase your bandwidth to accommodate all those users! Tell them that for $5 a month, they can each get a mail account or some other fairly interesting service."

  6. Like the RIAA... by hndrcks · · Score: 5, Interesting

    the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...

    ...which will, of course, result in their attempts to find more onerous legal solutions to the problem.

    I say - let the games begin!

    --
    Everyone will start to cheer when you put on your sailin' shoes.
  7. Score another one for Linux by guido1 · · Score: 5, Interesting

    The method described decodes packets from the NAT, using the IP header's ID field (which is normally a simple counter) to determine number of nodes behind the NAT. (Find X distinct ID field chains, that is the number of PCs...)

    However:
    Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.


    Hurray for Linux... :)

  8. No way! by Arcaeris · · Score: 4, Funny

    "Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."

    Crap! Now I have to worry about my internet conn

  9. Re:What about Linux? by Anonymous Coward · · Score: 4, Interesting

    From the paper:

    We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Crypt-analyzing the generator may be infeasible in any event. It should be possible to detect a random background to other, linear sources; the current version of the code does not do that.

    So take that BSD bashers [ggg]. Of course, a gateway implementation to mask/randomize the IPids would be better - giving you a site-wide fix at once.

    First one to market with one wins ;)

  10. research.att.com Slashdotted? Give me a break. by Snork+Asaurus · · Score: 4, Funny
    Or maybe they think it's another Slapper.

    Maybe someone can fill us in.

    --
    Sigs are bad for your health.
  11. FreeBSD by PunchMonkey · · Score: 5, Funny

    Our technique is based on the observation...that the "id" field in the IP header is generally implemented as a simple counter

    Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.

    So my FreeBSD will look like thousands of PCs? LOL, that sure would piss the cable company off.

    --
    I'll have something intelligent to add one of these days...
  12. Multiple Systems != Multiple Boxen by Heghta' · · Score: 5, Interesting

    I can already imagine conversations like this:

    ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accessing the net through our service, while the contract only allows you one!
    Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
    ISP: arglllll

    I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.

    --

    Ash nazg durbatulûk, ash nazg gimbatul
    ash nazg thrakatulûk, agh burzum-ishi krimpatul.

  13. How this works by szquirrel · · Score: 5, Interesting

    Counting boxes is done using the "id" field in the IP header. The id field is relatively unique to each datagram sent between two hosts and is used to reassemble datagram fragments. This scheme depends on the observation that most IP stacks keep this field unique by just incrementing a counter for each datagram. By examining the id field of each packet coming from a NAT box and finding trends in the values you can tell how many boxes are behind the NAT. Each trend you can identify is another box hiding behind the NAT.

    But as the article states:

    We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.

    So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).

    --
    Never approach a vast undertaking with a half-vast plan.
    1. Re:How this works by leviramsey · · Score: 4, Informative

      One of the grsecurity patches for the kernel already gives Linux the random IPid field.

    2. Re:How this works by BlueUnderwear · · Score: 5, Informative
      You are confusing the id field with the TCP sequence counter. TCP sequence counter is already not usable for their purpose, because of miscellaneous anti-spoofing techniques.

      The field they are using is the IP id field, which exists in all IP packets (including UDP, ICMP, whatever), and which is used for low-level packet reassembly. On many OS'es, this is a globally increasing counter, i.e. two distinct connections on the same machine share the same counter, but two connections on different machines do not.

      Workarounds:

      • Use a pseudo-random number generator instead of a simple counter, as the various BSDs apparently do.
      • Substitute the counter at the NAT box
      --
      Say no to software patents.
  14. It's already here by ptbarnett · · Score: 5, Informative
    The more crap these ISP's pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking.

    It's already here: SpeakEasy.

    Their TOS explicitly states:

    "Speakeasy believes in the right of the individual to publish information they feel is important to the world via the Internet. Unlike many ISP's, Speakeasy allows customers to run servers (web, mail, etc.) over their Internet connections, use hubs, and share networks in multiple locations."

  15. Possible fix by entrager · · Score: 4, Interesting

    After reading the document (something that is rarely done among posters), it appears to me that this wouldn't be TERRIBLY hard to fix. The different machines are recognized by the sequences of IPids that are generated for the packets that are sent out. This field must be unique for each packet with the same protocol, destination, and source. This prevents the NAT from simply mangling the number in the field, making it impossible to track the number of machines.

    Someone correct me if I'm wrong, but it seems to me that iptables could be updated to change the IPid of outgoing packets to a single sequence and just keep a table of old ids -> new ids. When necessary, it performs the translation. So basically it acts as a two way filter, packets behind the NAT will all have the correct id, packets beyond it will all appear as a single sequence. Would this work?
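The counting idea explained in "How this works" above and the NAT-side IPid rewriting proposed in this post, as an added Python example that is not from Bellovin's paper, from any poster here, or from iptables. Everything in it is a toy model: the chain detector is a much-simplified stand-in for the paper's real analysis, the "packets" are constructed dicts rather than IP headers, and the inner host addresses, counter start values and the table-expiry behaviour are assumptions.

```python
# Added example (not from the paper or from any poster): a toy model of the
# IPid-chain counting idea and of a NAT that rewrites the IPid on the way out.
import random

IPID_MOD = 65536  # the IP header id field is 16 bits wide


def count_ipid_chains(ids, max_gap=16):
    """Simplified stand-in for the paper's analysis: walk the observed ids in
    arrival order and attach each one to the chain whose last id it most
    closely follows (gap of 1..max_gap, 16-bit wraparound allowed); an id
    that follows no chain starts a new one.  Each chain is read as one host.
    Real traffic needs tolerance for reordering and loss; this toy has none.
    """
    last_seen = []  # last id observed on each chain
    for ipid in ids:
        best, best_gap = None, None
        for i, last in enumerate(last_seen):
            gap = (ipid - last) % IPID_MOD
            if 1 <= gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            last_seen.append(ipid)
        else:
            last_seen[best] = ipid
    return len(last_seen)


class IpidRewritingNat:
    """Toy NAT that replaces every outbound IPid with either one NAT-wide
    counter ("counter", the single-sequence idea from this post) or a random
    value ("random", what the BSDs do on the host itself).

    The forward table keeps all fragments of one inner datagram on the same
    outer id; the reverse table maps an outer id that comes back quoted to us
    (for example inside an ICMP error) to the inner host's original value.
    Assumption: a real implementation must expire both tables after the
    fragment-reassembly timeout; this toy never expires anything.
    """

    def __init__(self, mode="counter", seed=0):
        self.mode = mode
        self.rng = random.Random(seed)
        self.counter = self.rng.randrange(IPID_MOD)
        self.forward = {}  # (src, dst, proto, inner_id) -> outer_id
        self.reverse = {}  # (src, dst, proto, outer_id) -> inner_id

    def _next_outer_id(self):
        if self.mode == "counter":
            self.counter = (self.counter + 1) % IPID_MOD
            return self.counter
        return self.rng.randrange(IPID_MOD)

    def outbound(self, pkt):
        """pkt is a constructed dict with src, dst, proto and ipid keys;
        returns a copy carrying the rewritten ipid."""
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["ipid"])
        outer = self.forward.get(key)
        if outer is None:  # first fragment, or an unfragmented datagram
            outer = self._next_outer_id()
            self.forward[key] = outer
            self.reverse[(pkt["src"], pkt["dst"], pkt["proto"], outer)] = pkt["ipid"]
        return dict(pkt, ipid=outer)

    def inner_id_for(self, src, dst, proto, outer_id):
        """Reverse lookup for an outer id that is quoted back to the NAT."""
        return self.reverse.get((src, dst, proto, outer_id))


def simulate(n_hosts=3, packets_per_host=40, mode="counter", seed=1):
    """Constructed traffic: n_hosts inner hosts, each with its own simple
    per-packet counter (the behaviour the paper relies on), interleaved at
    random.  Returns (chains counted on the raw ids, chains counted after the
    NAT rewrote them)."""
    rng = random.Random(seed)
    counters = {h: 100 + 20000 * h for h in range(n_hosts)}  # assumed start values
    order = [h for h in range(n_hosts) for _ in range(packets_per_host)]
    rng.shuffle(order)
    nat = IpidRewritingNat(mode=mode, seed=seed)
    raw_ids, outer_ids = [], []
    for h in order:
        counters[h] = (counters[h] + 1) % IPID_MOD
        pkt = {"src": f"10.0.0.{h + 2}", "dst": "198.51.100.7",
               "proto": "tcp", "ipid": counters[h]}
        raw_ids.append(pkt["ipid"])
        outer_ids.append(nat.outbound(pkt)["ipid"])
    return count_ipid_chains(raw_ids), count_ipid_chains(outer_ids)


if __name__ == "__main__":
    print("counter rewrite:", simulate(mode="counter"))  # 3 hosts -> 1 chain
    print("random rewrite: ", simulate(mode="random"))   # 3 hosts -> many chains
```

With the raw ids the toy detector sees three chains, one per inner host; after the NAT substitutes its own counter it sees one, and with random substitution it sees far more chains than hosts, which is the "thousands of PCs" effect the FreeBSD post jokes about. The forward table is what tjrw's comment about fragment tracking refers to: every fragment of one inner datagram must leave with the same outer id, or the receiver cannot reassemble it.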

  16. Can we make it a DMCA violation? by DoofusOfDeath · · Score: 4, Interesting

    There must be some way to make it so that an ISP doing this kind of analysis becomes a DMCA violation of the customer. Any ideas?

  17. trying to crack down on reselling by a7244270 · · Score: 4, Insightful

    It probably annoys the telcos to no end that a connection can be shared - they are more used to the "telephone" model, where there is one line going into the house and if 2 people want to have separate conversations then they need two lines.

    Contrast that with a high speed connection that can be shared with a bazillion users.

    I'm guessing they are not as concerned with people who are running more than one machine at home - the precedent has been set already with telephone extensions, cable TV and satellite TV.

    I know of at least one person that is sharing his connection with 5 houses on his block via 802.11, which is a fair chunk of high speed connections that could be sold, and more than likely these are the people they are trying to find.

    My prediction - they will either give up once netgear, linksys et al. release rom patches to prevent this, or they will try to start charging on a "by data" basis.

    This is of course doomed to failure, because the only purpose for a high speed connection is for sharing [censored by the RIAA and MPAA] across the net, and any attempts to change their pricing to this model will be met by massive consumer outcry.

  18. Re:this sucks by arivanov · · Score: 5, Informative

    There are already several simpler ways:

    1. Use proxies instead of NAT and proxy transparently if needed. Yeah, I know, none of the P2P download sucker shit as it does not have proxies but such is life.
    2. Use OSes with better randomisation of IP IDs. This is a tuneable parameter on most OSes and after you have turned it on the graphs are no longer so pretty.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  19. Re:Is this really a big deal? by sqlrob · · Score: 4, Informative
    It's not your local ISPs fault that there aren't multiple providers in your area

    With franchise agreements to the cable companies, not necessarily true.

    I don't see anything but a poor rationalization in your argument suggesting that it's not *YOUR* fault that you NEED to break your contract

    What about the chance that the contract may be illegal? There's the nice little FCC regulation that the cable company/phone company can't say squat about what happens inside your house provided you don't get services you don't pay for (You're paying for one IP, not one computer in reality) and you don't degrade the service of others.

  20. AT&T can't stand slashdotting? by random_nick · · Score: 5, Funny
    Not even an AT&T host can stand slashdotting?

    --
    Even random is random. My nick, too.
  21. Today and tomorrow (was Re:Silver Lining?) by MrLint · · Score: 4, Informative

    History does not bode well for the broadband providers on this. If one recalls back in the day, the Telco (MA-Bell/AT&T) used to tack on an additional charge for every actual receiver (that you were forced to rent from them) on the phone line. For those who know POTS (plain old telephone system) an extension can be added by just tapping a wire onto the existing wire in the house. However when MA-bell got broken up in the 70s(?) I believe they did away with this foofah, and you paid for the telephone *service*

    CATV (cable) used to be the same way.. you had to pay extra for each TV. And then they stopped doing that and you paid for *service* of the signal.

    Now here is where it gets tricky, unlike POTS and analog CATV the line is hot or it's not (so to speak), broadband you actually have discrete data you are passing around. This should be the *service*. However it could end up being a pay as you go service (bad for the users, good for the money grubbers) or a limited throughput 'unlimited' service (which is mostly how it is now). Currently I don't see a metered usage model flying right now and this is why:

    Everyone that adopted broadband early wanted it (and could get it) got it. Dialup services are cheap and unlimited. If you start charging for broadband based on usage you aren't very attractive to those people you want to take away from dialup who are complacent and will cope with what they have. A metered service is (in consumers' minds) *NOT* a better value than an unmetered service.

    As we know there is a mega glut of fiber, broadband should be getting cheaper rather than more expensive.. but that's another article. It's going to be hard to justify metering people when there is so much capacity unused. (hopefully supply and demand will work out here).

    Now this is what is going to happen, when a critical mass of people stop using dialup, and then modems stop coming standard in computers, and then the broadband guys think they have a captive audience they will get everyone in the cartel on board and raise rates and meter usage. What's worse is that they will claim there is a lack of long haul bandwidth, which probably won't be true, because as the broadband market picks up they will still be doing expansion of the network because of the expectation of even larger amounts of growth.

    Conclusion: this is probably good for the short term, *VERY* bad for the long term.

    PS the document was spell checked for those with delicate constitutions.

  22. Attention Customer: by Snork+Asaurus · · Score: 5, Funny
    We are terminating your 28.8kbps dial-up service due to the following violation of the TOS:

    Our expert system has detected that you are sharing a single connection with 4,179 computers.

    --
    Sigs are bad for your health.
  23. Lets be real for a moment... by tkrotchko · · Score: 4, Funny

    The cable company can't tell when my cable modem is visible on the network.

    And now suddenly they're counting machines behind it?

    This is sounding like fantasy and science fiction to me.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  24. Re:Is this really a big deal? by alteran · · Score: 4, Informative

    "I dont agree. It's not your local ISPs fault that there aren't multiple providers in your area (assuming we are talking about you) or multiple service options. If there was enough money to be made in an area, there would most likely be more providers."

    I'm not sure what world you're living in. It IS MOST ASSUREDLY my local ISP's fault that there are not multiple providers in my area.

    Verizon ran every dirty trick in the book to stop me from getting access through DSLi (out of Florida, who had an EXCELLENT TOS) instead of buying Verizon's restricted, overpriced DSL in North Carolina. I fought with them for over 14 months. I called the friggin' Utilities Commission on them. Unfortunately, by the time that bore fruit, every intelligently run provider had read the writing on the wall -- there's no way to make a profit when every single customer has to fight through the SUC for over a year, for God's sake.

    The reason I am stuck with crappy TOS is because of Verizon, straight and simple. Verizon covers something like 20% of the country. Most of the Baby Bells aren't any better.

    I'm not saying everyone who has a NAT fought with a Baby Bell for a year. But most of them have been cheated out of a decent, affordable TOS by one.

    Since virtually none exist because of illegal behavior, you shouldn't be so surprised or indignant that many folks choose to get around them.

    --
    Who is RTFM and when will he help me with Unix?
  25. Like the RIAA... by TheJesusCandle · · Score: 4, Insightful

    the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...

    ...which will, of course, result in their attempts to find more onerous legal solutions to the problem.

    I say - let the games begin!

  26. "the telephone model" by djeaux · · Score: 5, Insightful
    For about the last 20 years or so, unless one takes out a service contract, the telco is responsible only for the line to the outside of the building. I am responsible for the interior wiring & any extension phones that split off internally from the gray box outside.

    Why would the telco suddenly be able to impose a different standard on data communications? Just because an AT&T engineer has proposed some (time consuming) method to do something doesn't mean it will be done. A similar attitude about POTS is what got mighty Ma Bell busted lo these many years ago...

    Taking this one stumble farther, I note that there is only one "computer" attached physically to the Bellsouth DSL line: a little cheap Linksys router, which having a processor & some flash ROM, qualifies as a "computer." Other computers do not connect directly to the DSL line, they connect to that router.

    Any telco/ISP that "cracks down" on home networking this way is just plain stupid & needs to go back to the mandatory customer service training workshops! In fact, that's where our dear AT&T engineer needs to be this very afternoon. It's the corporate equivalent of Chinese water torture!

    --
    "Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
  27. What do these clauses typically look like? by oliphaunt · · Score: 5, Informative
    OK, play lawyer with me for a little bit. What do these licenses actually say?
    here's one.
    Seems a little arbitrary, but they're small fry. let's go bigger:
    here's another.
    I think this bit applies to the question at hand (emphasis is mine):
    3(b) SBC Yahoo! DSL. Your SBC Yahoo! DSL Member Account allows for one DSL connection and one other simultaneous network connection (such as a dial-up line) for a total of two (2) simultaneous network connections to the Internet. SBC reserves the right to prohibit any additional simultaneous network connections. This policy does not prohibit multiple DSL users from connecting to the Internet over the same DSL network connection using customer premise equipment such as a router or home networking equipment.

    How does this imply that you can't share a DSL connection? OTOH, it explicitly says that sharing a connection is OK.
    however, if we look to AT&T DSL TOS, they are somewhat more restrictive:
    8a. Improper Use. You agree to comply with the "ABC's of AT&T Worldnetiquette," which are described in Section 10. You cannot create a network (whether inside or outside of your residence) with AT&T DSL Service using any type of device, equipment, or multiple computers unless AT&T has granted you permission to do so and you use equipment and standards acceptable to AT&T. AT&T may cancel, restrict, or suspend the Services and this Agreement under Section 11 below for violating these provisions.

    A little tougher, but it doesn't actually rule out connection-sharing entirely- just requires that AT&T grant you permission, right? So they must have a process for granting the approval, and a list of approved equipment.

    Since I'm bored today, I called them up. I pointed the nice lady at their TOS, section 8(a), and asked if she could provide me with a list of AT&T approved equipment, and/or the approval process for home networking. She put me on hold for a bit. When she came back, she told me that AT&T DSL is not the same as AT&T WORLDnet DSL, and I had the wrong phone number- but WORLDnet doesn't allow any kind of connection sharing- and she'd happily transfer me to the REAL AT&T. The second phone monkey had no idea what I was talking about- ditto the 3rd. Neither of them could understand why I would want to ask questions about their TOS if they couldn't even deliver service to my residence. The fourth phone monkey told me that they don't support any kind of multiple connection, and that the "grant you permission" line is in the contract for things like automated security systems that call the police department when someone breaks into your house.

    So. Score: SBC +1 (but -1 for their stupid 'frames' patent), AT&T 0. Interesting article, but since I'm on SBC, I won't be changing my NAT settings...
    --
    Humpty Dumpty was pushed.
  28. 4th amendment violation? by fishbowl · · Score: 4, Insightful

    If someone is routinely monitoring your IP packets like that, how is it different from routinely monitoring your phone calls? Why doesn't this have to be done by a law enforcement agency, with a warrant in hand? Why isn't this covered under the same legal umbrella that affirms our right to have extension telephones? (You might not remember Bell charging monthly for each phone, available only under lease, but I do.)

    We should be allowed to have NAT for the same reason we are allowed to have phones, and if the provider has a problem with that, they need to take a hike. Sniffing for this is unquestionably in bad taste, and it is also a violation of my civil rights.

    --
    -fb Everything not expressly forbidden is now mandatory.
  29. Better Idea by StBello · · Score: 4, Insightful

    It would be better (compared to randomizing) if the sequence of IPids for a single machine were chosen to masquerade as N independent counting values. This would fool them into thinking that you have N machines connected, when in fact you only have one! They'd only have to be fooled by this technique a couple of times before they gave up the technique entirely.