Remotely Counting Machines Behind A NAT Box

Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."

Not where I'm from

[pi+radians]

Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.

There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.

Re:Not where I'm from

Do you live in Liberty City or Vice City?

Re:Not where I'm from

In a properly-functioning economy, you'd be charging for traffic (tiered or metered) since that drives your cost. Your interest in how your customers are processing their traffic internally is inappropriate, and the IPv4 address space you're squandering should be reassigned to someone more ethical.

Re:Not where I'm from

And why on earth would you have a metered T1 if you were an ISP? Is a flat-rate T1 simply not available in your area?

I also operate an ISP, and we have a flat-rate T1. We don't care how many computers a customer has connected--we only care how much data is transferred, and we bill accordingly.

I would not use an ISP that placed restrictions on how many computers I could connect, mom-and-pop ISP or not. Life's too short. I live in a house with four computers, and they all get used a good portion of the evening. Why should I have to put up four antennas just so I can hook up four computers?

what if they are chained?

[SHEENmaster]

so that you have two firewalls back2back and the other boxes behind it? It's a bit extreme, but worth it if your cable company is composed of jackasses.

Most users just want web access, and this technique doesn't work on proxies.

Re:what if they are chained?

[Snork+Asaurus]

if your cable company is composed of jackasses

You mean there are some that aren't?

Re:what if they are chained?

[tjrw]

Wouldn't make a jot of difference. The current firewalls aren't rewriting the IPid field anyway, so adding an extra hop would not affect the analysis at all.

In reading the paper, it is apparent that this is not a particularly cheap thing to attempt. I can't see how it could be easily automated and deployed on a large scale, even assuming someone could be sufficiently bothered to do so.

If you want protection from this, you're going to need to do some serious work on iptables to add tracking of fragments to the connection tracking code and to rewrite the field on outbound packets to some psuedo-random value. Interestingly this is the "correct" thing to do anyway - otherwise it is theoretically possible to generate two packets with the same id, both fragmented from different internal hosts to the same destination, and screw up the fragmentation reassembly at the receiver.

Tim

Re:what if they are chained?

[stratjakt]

"you're going to need to do some serious work on iptables "

Another user already posted that there's already a patch (or kernel option) for linux to do random ipid's just like BSD does.

This is more an admin utility than a policing tool. Just kick back, get yourself a beer and watch the knee-jerk reactions and paranoid theories from all the nerds who think the man is out the get 'em.

What about NAT behind NAT?

What about when I put a NAT machine behind a NAT machine? ;-)

Like the RIAA...

[hndrcks]

the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...

...which will, of course, result in their attempts to find more onerous legal solutions to the problem.

I say - let the games begin!

Score another one for Linux

[guido1]

The method described decodes packets from the NAT, using the IP header's ID field (which is normally a simple counter) to determine number of nodes behind the NAT. (Find X distinct ID field chains, that is the number of PCs...)

However:
Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.


Hurray for Linux... :)

FreeBSD

[PunchMonkey]

Our technique is based on the observation...that the "id" field in the IP header is generally implemented as a simple counter

Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.

So my FreeBSD will look like thousands of PCs? LOL, that sure would piss the cable company off.

Multiple Systems != Multiple Boxen

[Heghta']

I can already imagine conversations like this:

ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accesing the net through our service, while the contract only allows you one!
Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
ISP: arglllll

I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.

How this works

[szquirrel]

Counting boxes is done using the "id" field in the IP header. The id field is relatively unique to each datagram sent between two hosts and is used to reassemble datagram fragments. This scheme depends on the observation that most IP stacks keep this field unique by just incrementing a counter for each datagram. By examining the id field of each packet coming from a NAT box and finding trends in the values you can tell how many boxes are behind the NAT. Each trend you can identify is another box hiding behind the NAT.

But as the article states:

We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.

So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).

Re:How this works

[BlueUnderwear]

You are confusing the id field with the TCP sequence counter. TCP sequence counter is already not usable for their purpose, because of miscellaneous anti-spoofing techniques.

The field they are using is the IP id field, which exists in all IP packets (including UDP, ICMP, whatever), and which is used for low-level packet reassembly. On many OS'es, this is a globally increasing counter, i.e. two distinct connections on the same machine share the same counter, but two connections on different machines do not.

Workarounds:

• Use a pseudo-random number generator instead of a simple counter, as the various BSD apparently do.
• Substitute the counter at the NAT box

It's already here

[ptbarnett]

The more crap these ISP's pull to push their saavier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking.

It's already here: SpeakEasy.

Their TOS explicitly states:

"Speakeasy believes in the right of the individual to publish information they feel is important to the world via the Internet. Unlike many ISP's, Speakeasy allows customers to run servers (web, mail, etc.) over their Internet connections, use hubs, and share networks in multiple locations."

Re:this sucks

[arivanov]

There are already several simpler ways:

1. Use proxies instead of NAT and proxy transparently if needed. Yeah, I know, none of the P2P download sucker shit as it does not have proxies but such is life.
2. Use OSes with better randomisation of IP IDs. This is a tuneable parameter on most OSes and after you have turned it on the graphs are no longer so pretty.

AT&T can't stand slashdotting?

[random_nick]

Not even an AT&T host can stand slashdotting?

Attention Customer:

[Snork+Asaurus]

We are terminating your 28.8kbps dial-up service due to the following violation of the TOS:

Our expert system has detected that you are sharing a single connection with 4,179 computers.

"the telephone model"

[djeaux]

For about the last 20 years or so, unless one takes out a service contract, the telco is responsible only for the line to the outside of the building. I am responsible for the interior wiring & any extension phones that split off internally from the gray box outside.

Why would the telco suddenly be able to impose a different standard on data communications? Just because an AT&T engineer has proposed some (time consuming) method to do something doesn't mean it will be done. A similar attitude about POTS is what got mighty Ma Bell busted lo these many years ago...

Taking this one stumble father, I note that there is only one "computer" attached physically to the Bellsouth DSL line: a little cheap Linksys router, which having a processor & some flash ROM, qualifies as a "computer." Other computers do not connect directly to the DSL line, they connect to that router.

Any telco/ISP that "cracks down" on home networking this way is just plain stupid & needs to go back to the mandatory customer service training workshops! In fact, that's where our dear AT&T enginner needs to be this very afternoon. It's the corporate equivalent of Chinese water torture!

What do these clauses typically look like?

[oliphaunt]

OK, play lawyer with me for a little bit. What do these licenses actually say?
here's one.
Seems a little arbitrary, but they're small fry. let's go bigger:
here's another.
I think this bit applies to the question at hand (emphasis is mine):

3(b) SBC Yahoo! DSL. Your SBC Yahoo! DSL Member Account allows for one DSL connection and one other simultaneous network connection (such as a dial-up line) for a total of two (2) simultaneous network connections to the Internet. SBC reserves the right to prohibit any additional simultaneous network connections. This policy does not prohibit multiple DSL users from connecting to the Internet over the same DSL network connection using customer premise equipment such as a router or home networking equipment.

How does this imply that you can't share a DSL connection? OTOH, it explicitly says that sharing a connection is OK.
however, if we look to AT&T DSL TOS, they are somewhat more restrictive:

8a. Improper Use. You agree to comply with the "ABC's of AT&T Worldnetiquette," which are described in Section 10. You cannot create a network (whether inside or outside of your residence) with AT&T DSL Service using any type of device, equipment, or multiple computers unless AT&T has granted you permission to do so and you use equipment and standards acceptable to AT&T. AT&T may cancel, restrict, or suspend the Services and this Agreement under Section 11 below for violating these provisions.

A little tougher, but it doesn't actually rule out connection-sharing entirely- just requires that AT&T grant you permission, right? So they must have a process for granting the approval, and a list of approved equipment.

Since I'm bored today, I called them up. I pointed the nice lady at their TOS, section 8(a), and asked if she could provide me with a list of AT&T approved equipment, and/or the approval process for home networking. She put me on hold for a bit. When she came back, she told me that AT&T DSL is not the same as AT&T WORLDnet DSL, and i had the wrong phone number- but WORLDnet doesn't allow any kind of connection sharing- and she'd happily transfer me to the REAL AT&T. The second phone monkey had no idea what I was talking about- ditto the 3rd. Neither of them could understand why I would want to ask questions about their TOS if they couldn't even deliver service to my residence. The fourth phone monkey told me that they don't support any kind of multiple connection, and that the "grant you permission" line is in the contract for things like automated security systems that call the police department when someone breaks into your house.

So. Score: SBC +1 (but -1 for their stupid 'frames' patent), AT&T 0. Interesting article, but since I'm on SBC, i won't be changing my NAT settings...