More On Detecting NAT Gateways
tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."
Will ISPs use it against us?
No, Beowulf clusters can't imagine in Soviet Russia.
People are still using the same amount of bandwidth paid for, no matter how many machines are using it. When will these companies realize that many people have multiple computers in their home?
The only wireless networks I could find while war driving... were ones without WEP turned on. I could find the other ones, but if WEP is turned on... of course I couldn't access them... there's a reason for it!... try using it sometime.
If ISPs tried to use this in any kind of meaningful way, suddenly there would appear dozens of NAT gateway scrubbers that would make sure that the output packets are all uniformly generic. It'll probably turn off the evil bit too.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
Go calculate something
This is going to be used by your ISP to assure you aren't sharing your connection among multiple computers without paying a monthly surcharge for each.
On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.
Jason
So, if they don't want me to use NAT, does that mean they want me to connect each box to their internal network? Meaning I (and everyone else) can get access to computer B's contents when I'm trying to access it from Computer A?
Why can't they just have a flexible plan where I say, yes, I admit I have 3 boxen behind NAT and agree to pay an extra $5 to $10 a month? Or is this too logical for them to do?
To the greedy rich: We, the working class, want to resolve this without dusting off the ol' guillotine. Honestly, we do. Please don't corner us.
I think most smaller ISPs don't really care if you're using NAT. In fact, I bet lots of ISPs expect you to. Your best bet is to read the terms before signing up and stay away from the AOL/Earthlink conglomerate types.
will it work?
Put a Transparent Proxy behind a NAT behind a NAT.
/
[Slashdot.org]
|
[Slashdot.org's pathetic ISP]
|
|
| [Pathetic poor little guy Slashdot hurts]
|
[Internet/Root_Servers]
|
[Your ISP's Network, and some idiot trying to eavesdrop]
|
[ISP's Router]
|
[Your NAT]
\
[Your next NAT]
\
[Your Transparent Proxy services]
\
[Application/ie YOU!]
They're providing the bandwidth anyway.
Are they concerned that people will host thousands of computers (at a major cost to the ISP's bandwidth) if people are allowed to do this?
Nice, besides an ad for sFlow, it just shows some more holes we need to patch, and more standards to break.
OS fingerprinting was nice, but now some boxes are replying as a Tandy CoCo; it's a very amusing battle. Now TTL is being used to determine multiple NATed IPs. I'm sure someone will write a nice NAT module for Linux/etc. to bypass this also. Seems like the endless cycle of control freaks losing control.
BTW, not sure which ISPs care about NAT, but there are very, very large NAT-friendly ISPs out there. (Speakeasy for one)
Does that mean a userland HTTP proxy or SOCKS proxy would be more undetectable?
I just wanted to extend a big thanks to sFlow for posting this paper (and the AT&T people for posting theirs). Despite the fact that DARPA screwed Theo & Co, they are probably already adding a "modulate TTL" setting to pf as we speak.
And of course if you're ultra-paranoid, then just use something like socks or squid to proxy most or all of your TCP connections, and it's 100% indistinguishable from your firewall making the connections out. Because your firewall is making the connections out.
When will they learn?
Kinda irritates me that stuff like this may make my nice all-in-a-box Netgear NAT useless some day, but it's nice to know that people like OpenBSD are there to back us up.
And like someone else said, what exactly does the cable company expect me to do? Expose all of my internal network to the internet? Cha right! They wouldn't even give me more than 3 IPs anyway!
Cryptic Allusion - New Mac and Dreamcast Games!
If you sign a contract saying no NAT, or no multiple machines on your connection then you have agreed to it. My wife and I pay an extra 7 bucks/mo for two connections instead of one.
If you have agreed to one connection or machine and have multiple connections or machines then you are cheating your ISP. If you want to change it then call your ISP and negotiate, or sign-up with someone else, or move somewhere where you can get an ISP to agree to your terms, or form a buying group, or start a boycott, or picket. Do you think breaking a contract is OK?
Open source development is my way of competing with the low-cost programmers in India...
ISPs sell you connectivity; what right do they have to tell you what you can't do with it? Does your electric company tell you what you can and can't plug in and how many things you can power? Now, if I run an extension cord around the neighborhood and charge people for it, then there might be a problem.
On internet: As far as I'm concerned, I have *ONE* computer connected to my DSL, and other computers connected to the one computer. Is the ISP gonna tell me I can't connect computers to each other? What's next? It'd be illegal to have multiple screens/keyboards/mice on the ONE computer? (I think this can be done... BuddyPC?)
The 'client' computers access resources on the 'gateway', which happens to include the external internet filtered through the firewall. I don't have multiple computers connected directly to the internet; that's just insecure.
And besides, what are they losing anyway from NATs? It's the same connection/bandwidth. 150kbs down on one box is the same as 150 split to 75kbs down on 2 computers. It's still only one IP. Whatever activity (and any responsibility) that goes on is on ONE account.
$cat
http://ippersonality.sourceforge.net/ can defeat these types of attacks, and also it can screw up nmap. I wish Linus would add ippersonality into 2.5 because it's becoming more important to have this type of tool.
How does it cost the ISP more if multiple people share a broadband line? Where is the additional expense to the ISP that needs to be covered?
... do you know how stupid it is to directly connect your box to that cable/DSL modem thing without at least hiding behind some kind of NAT?
..
Go ahead let them screw their customer base over - sure that'll work! - Good plan!
And another thing
Go ahead and try it - be sure to run BlackICE or something so you can count how many times you get portscanned in an hour
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
Perhaps more importantly, your cable modem is running NAT also (check out traceroute some time) so this would all have to happen on board your modem (unlikely)
AFAIK Super-DMCA will outlaw all attempts to conceal information in all communication devices; that'll illegalize all firewalls, NAT and edge routers, etc.
Stupid as it sounds, but if it goes through our senators, it couldn't be wrong.
The little downside is that the only job left for IT is tech support for Windows installation....
NOT FLAMEBAIT:
Is it legal for the ISP to sniff your packets? I'm very ignorant when it comes to such things, but this screams privacy issues.
--sig fault--
so anyone know if this can be blocked using pf or iptables or some other packet filter?
The time before there are "fixed" versions of both NAT (which don't decrement TTL), and of IP packet IDs (changing all IDs into a single monotonically increasing order, or randomizing them) will be measured in hours.
Hopefully the authors of this paper aren't doing research for a living...
-- -pjk Perry Kundert perry@kundert.ca http://kundert.2y.net
This will be easy to fix. A hack to your NAT box source code (you are doing NAT with OpenBSD, Linux or some other open source system, right?) to remove the TTL decrement for NAT traffic (or re-increment it where the decrement can't tell the difference) would get around that aspect of the problem. I'd argue that one can NAT in a transparent "switch", which would not decrement TTL, so why not just make the OpenBSD or Linux box do that.
And for fun, add a randomizer to the initial TTL value. Thus instead of it starting at say 128, it could be a randomly chosen value between 100 and 140 (just to pick some arbitrary numbers).
now we need to go OSS in diesel cars
What if the line connecting you to the ISP can't be split? AFAIK you can only run one DSL connection over one physical copper wire. In most houses you can only have 2 or 4 at the most before you need redo the entire wiring in the house, possibly even pull extra wires from the main trunk etc etc etc... So in those cases, you'd have to sign up for N-additional regular phone lines, and if you run over the physical limits your wiring supports, you're just plain outta luck? You can only connect 4 computers at the most to the net? Am I missing something...
I doubt we will ever see this technique used by ISPs, at least in the States, because there is simply too much competition. ISPs already have a tough enough time attracting customers; the last thing they want is a reliable $50/month going out the door. Routers are becoming too ubiquitous to start changing pricing policies to squeeze an extra buck out of consumers that already pay too much for broadband.
If you don't like your ISP's policies then change your ISP.
I get my DSL through speakeasy.net, and so far they seem to be about the coolest provider I've heard of. They don't care how many machines you have hooked up to your connection, they don't care if you run servers, they actually encourage you to share your connection via wireless networking. I read in one of their recent newsletters that if you set up an AP they'd like to know so they can tell the other speakeasy customers about it. I'm pretty sure they're available in most large cities (i'm in seattle).
If you want to sign up and don't mind sending $50 my way use this referral link.
I thought those backticks were single-quotes. You're actually almost 100% correct, you just need to put quotes around the 138474 bit.
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
Linksys and similar NAT devices are cheap now. What if you used 2 in sequence? I've done this before, but not for this type of reason. I know it will physically work but wonder about what it would do to this ability to count machines behind a NAT router?
# mangle/POSTROUTING sees the forwarded (NATed) packets; OUTPUT only sees locally generated ones and takes no -i, and --ttl-set is an option of the TTL target, so it needs -j TTL
iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 64
Is it possible to change the TTL so that it's one higher, effectively hiding the NAT device?
My ISP has a similar rule, but if you want to add multiple computers they charge almost $10 a month for each computer. That is outrageous. I would like to comply with their rules but I do not want my monthly internet bill to be $50 extra a month because I use several different computers.
So as far as I am concerned, my machine providing the NAT/proxy is the only one connected. It does all the file retrieval/web browsing. It just immediately serves that same information to another computer on my network. So IN FACT, only one computer is connected and services are not being offered on the WAN side of the connection which they govern.
I have three computers and a PS2 behind an Airport Base Station on a VDSL connection.
When my ISP shuts down all the chatter I see, around the clock, from Code Red hits (default.ida requests, etc.), like 12~14 per second, I'll be happy to discuss my 'expanded' bandwidth usage and how it impacts their resources.
Code Red has little direct impact on my boxes, since I'm MS free, but with the general effect being a load on the network right up against my VDSL modem, this is still a very real issue. If the ISP's want to reduce loads, they can look to stop some of the noise from other sources as well. What other sources? Let me think...ummm...spam mail? Port scan probes....
Isn't this circumventing protection? If I make a reasonable attempt to secure my network structure from prying eyes with a NAT box, and the cable company sues me for having more than 1 PC connected, can I not claim that they violated the DMCA by looking at the contents of my network without my permission?
I work for a Canadian high speed ISP with absolutely no problem with multiple machines. Granted, there is no tech support for multiple connections for your home network: if you can set up a network then it's your job to support it, but as a provider, the customers are not billed more - in fact customers can get a second IP for FREE - encouraging use of multiple connections. After that you pay for add'l IP addresses. Tech support exists right up to the first network connection. The main criterion that drives internet providers is the customer, and if they are happy and pay their bills it keeps ISPs in business - pissing off the customer only makes things difficult. Bandwidth will always be the primary concern and as long as customers do not exceed the parameters set out in the acceptable use agreement, there is no problem. Remember: the "S" in ISP still stands for SERVICE.
The US government is entirely too dependent on NATs and VPNs as it is. Just about every federal or military network utilizes NAT or has a VPN on it or allowing remote access to it. Laws of this nature will not pass if intelligent people object to them intelligently.
Now, ISPs can (even still) make up their own rules regarding NATs and search for them as they'd like. Who is to say that most ISPs don't already know who is using NAT and who isn't? Chances are that if network admins have access to a tool that allows them to actually see their entire network, they're using it.
I know ISP's and stuff can find out how many computers are hooked up through your NAT/Router box, but what do they do if I'm running a DHCP server on a computer hooked to a simple hub? Can they still see how many computers are behind it?
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
Everybody here is saying "just fix the NAT code to not decrement the TTL and we're cool", but it's not that easy. At the end of the article (you did read the article, right?) it refers to an AT&T research paper (PDF) on counting the number of hosts behind a NAT box. This is done by looking at packet sequence numbers, using the fact that each host generates its own sequence. This chart shows what happens. If you see one set of packets starting at 20,000 and another at 50,000, all overlapping in time, it's a good bet there are two hosts. It also points out that the default high port numbers NAT uses are another good clue to the presence of NAT.
Port numbers are easy to change, but if your ISP wants to do traffic analysis on your IP address, there's not a lot you can do to hide. I'm just very, very glad that I have an ISP that doesn't suck. In fact, they're pretty damn cool.
What if life is just a side effect of some other process and God has no idea we exist?
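Added worked example (mine, not code from the sFlow or AT&T papers and not from any NAT product named in this thread): it runs the two passive signals argued over above, the TTL decrement from the original article and the per-host IP ID sequences from the AT&T paper, over constructed packet records, and then applies the gateway-side fix proposed in the earlier posts (don't decrement TTL, emit one monotonic ID sequence) to show what that hides and what it must preserve. The sensor position, thresholds, record layout and sample data are my assumptions.

```python
"""Added example, not code from the sFlow or AT&T papers nor from any NAT
product named in the thread.  Counts hosts behind one public address from
TTL classes and IP ID runs, then applies the gateway fix the thread proposes.
Thresholds, names and the sample records are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple

# Initial TTLs of common stacks (Windows 128, Linux/BSD 64, Solaris 255).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Pkt:
    ts: float           # capture time in seconds
    ttl: int            # TTL as seen by the ISP-side sensor
    ip_id: int          # IP identification field
    src: str = ""       # private source; known to the gateway only, never to the sensor
    frag: bool = False  # True when the datagram is fragmented (MF set or offset > 0)


def infer_initial_ttl(ttl: int) -> int:
    # Smallest common initial TTL that is not below the observed value.
    for init in COMMON_INITIAL_TTLS:
        if ttl <= init:
            return init
    return 255


def ttl_signal(pkts: List[Pkt]) -> Set[Tuple[int, int]]:
    """Distinct (initial TTL, decrements) pairs from one public address.
    Assumption: the sensor is on the first hop, so a directly attached host
    shows 0 decrements and a host behind a decrementing NAT shows 1.  Two
    different initial TTLs from one address already mean two IP stacks."""
    return {(infer_initial_ttl(p.ttl), infer_initial_ttl(p.ttl) - p.ttl) for p in pkts}


def ipid_chains(pkts: List[Pkt], max_gap: int = 64, min_len: int = 3) -> List[List[int]]:
    """Group packets into increasing IP ID runs (the AT&T-style host count).
    A packet joins the first chain whose last ID it exceeds by at most max_gap,
    otherwise it starts a new chain.  Stacks that randomise the ID field only
    leave short chains, so runs below min_len are dropped: such hosts are
    invisible to this signal, which is the point of the RANDOM_IP_ID posts."""
    chains: List[List[int]] = []
    for p in sorted(pkts, key=lambda q: q.ts):
        for chain in chains:
            if chain[-1] < p.ip_id <= chain[-1] + max_gap:
                chain.append(p.ip_id)
                break
        else:
            chains.append([p.ip_id])
    return [c for c in chains if len(c) >= min_len]


def estimate_hosts(pkts: List[Pkt]) -> int:
    """Lower bound on hosts: per TTL class, the number of ID chains, at least one."""
    total = 0
    for sig in ttl_signal(pkts):
        same = [p for p in pkts
                if (infer_initial_ttl(p.ttl), infer_initial_ttl(p.ttl) - p.ttl) == sig]
        total += max(1, len(ipid_chains(same)))
    return total


def normalise(pkts: List[Pkt], gw_ttl: int = 64) -> List[Pkt]:
    """Gateway-side countermeasure from the thread: every outbound packet leaves
    with the gateway's own initial TTL and an ID from one monotonic counter.
    Edge case: the fragments of one datagram must keep a common ID or the far
    end cannot reassemble them, so fragmented packets are keyed on (src, old id)."""
    table: Dict[Tuple[str, int], int] = {}
    counter = 1000
    out: List[Pkt] = []
    for p in sorted(pkts, key=lambda q: q.ts):
        key = (p.src, p.ip_id)
        if p.frag and key in table:
            new_id = table[key]
        else:
            new_id = counter
            counter = (counter + 1) & 0xFFFF
            if p.frag:
                table[key] = new_id
        out.append(replace(p, ttl=gw_ttl, ip_id=new_id))
    return out


# Constructed sample: two Windows hosts (TTL 128, sequential IDs) and one Linux
# host (TTL 64, randomised IDs) behind a NAT that decrements TTL.  The last two
# records are two fragments of one datagram from the first host.
SAMPLE = [
    Pkt(0.00, 127, 20000, "10.0.0.2"), Pkt(0.02, 63, 7, "10.0.0.4"),
    Pkt(0.05, 127, 50000, "10.0.0.3"), Pkt(0.10, 127, 20001, "10.0.0.2"),
    Pkt(0.12, 63, 41234, "10.0.0.4"), Pkt(0.15, 127, 50001, "10.0.0.3"),
    Pkt(0.20, 127, 20002, "10.0.0.2"), Pkt(0.22, 63, 312, "10.0.0.4"),
    Pkt(0.25, 127, 50002, "10.0.0.3"), Pkt(0.30, 127, 20003, "10.0.0.2"),
    Pkt(0.32, 63, 60001, "10.0.0.4"), Pkt(0.35, 127, 50003, "10.0.0.3"),
    Pkt(0.40, 127, 20004, "10.0.0.2", True), Pkt(0.41, 127, 20004, "10.0.0.2", True),
]

if __name__ == "__main__":
    for label, recs in (("raw", SAMPLE), ("normalised", normalise(SAMPLE))):
        print(label, "ttl classes", sorted(ttl_signal(recs)),
              "id chains", len(ipid_chains(recs)), "hosts >=", estimate_hosts(recs))
```

On the raw records the TTL classes give two stacks and the ID runs give two Windows hosts, so the estimate is three; the randomising Linux host only shows up through its TTL class. After `normalise` everything collapses to one TTL class and one ID run, i.e. what a single directly attached host would look like, while the two fragments still share one new ID. Note the ISP-side sensor never sees `src`; it is only used by the gateway's own rewrite.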
kernel-patch-ttl
I used to have single quotes around it, but then I was accosted because people thought it was a string :)
At least in mysql, you do not need quotes around a numerical field.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
...when the trend is that *all* ISPs put this in their contracts, bad things happen.
One of those bad things is that it will inhibit the innovation that is available. If it weren't for NAT technology, MANY commercial technologies would not be possible. It's called a chilling of innovation.
Is it legal ? sure. Their bandwidth, right ? They can do whatever they want with it, right ? Sure. Doesn't mean that the practice won't have a harmful effect on the future.
As long as you live under any government, they will always try and screw you! But at least governments are somewhat more predictable than anarchies.
I use NAT to secure my computer. If the ISP finds my computer through the NAT by circumventing the reasonable security technology then I have the right to sue them under the DMCA
I know the two major broadband ISPs in my area, Calgary, have no policies restricting the use of NATs on their network; They don't support them, but they don't restrict them either. The DSL provider actually sells wireless routers, hubs, switches and access points in their stores and will support them to some degree when purchased from them.
The cable internet provider has policies restricting servers, etc., but they only seem to care when the bandwidth use causes problems.
Other than bandwidth use causing problems, or open mail relays, I don't see why ISPs would really care about NATs. In a way, it's sort of like the telephone company working itself into a froth over an answering machine when they offer voice mail service. Maybe we need SOME regulatory body that would permit the connection of any network device that does not interfere with the operation and enjoyment of other network users, similar to the regulation of telephone devices.
Just throwing out ideas.
That is why you always use a true application proxy, and not a simple NAT box. The TTL will always be the same, and the IP IDs will also all be in the same range, as they are all generated by the proxy box itself.
Sure, they can be a pain to get working properly ( I know, I admin some), but for hiding what is going on behind them, you can't beat them. Plus, they make it easier to protect your outbound traffic, which is always a very good idea.
For a moment I read pockets and had a whole different image in mind.
When you buy a connection to an ISP, you pay for a pipe. What you do with that pipe is your business.
Pay attention -- this is important. Where is it stated in capitalist doctrine that the sale price of a product must be determined by its cost of production?
Market forces dictate that the sale price of a product will be determined by its VALUE to consumers. Obviously, having multiple computers attached to a DSL/cable modem/whatever connection has value, or /.ers wouldn't bitch about this topic so much.
Now, market pressures being what they are - the price naturally tends to drift TOWARD the cost of production for a commodity item, and as the market for internet service matures - it becomes more of a commodity.
But, as long as having two computers share an internet connection is important to you, someone will be glad to charge you more to do that. And as long as your ISP has a mechanism to offer "one computer, one price" "two computers, different price" products they are going to do it.
And herein lies the beauty of the system: You don't like it? Start Smilin' Bizitch's NAT-Friendly ISP!
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
Unless you have dedicated bandwidth, you share it with other subscribers to the same provider. While you may have a bandwidth cap, until you reach that cap other subscribers are having to share bandwidth with every single one of your machines.
File under 'M' for 'Manic ranting'
I'd be interested in a paper along the lines of "How to Hide Your Devices Behind NAT and NOT Get Detected."
Has anyone put much thought into this?
Be that as it may, the approach to finding computers hiding behind a NAT box is an inexact science. It's probably of more use to crackers than ISPs. Such graphs of the decremented TTLs of suspected NAT boxes can be explained away by anomalies in the user's firewall software, or what have you. If the ISP implemented something like this and started calling people saying "you've violated the terms of service", you can just play the dumb user and say "I don't know what you're talking about, there is just one computer hooked up to the connection. What's this NAT you speak of?"
How can the ISP prove conclusively that you have a dozen boxes hooked up to the connection? Get a search warrant and take pictures? I think not. While the technique described in the paper is certainly clever, I believe it would have little value in nailing users to the wall when it comes to sharing access.
-R
Ma Bell cared about how many phones you had before deregulation. Therefore, it was regulation that allowed AT&T to care how many phones you had. It was *deregulation* that eventually allowed change.
So, regulation is absolutely the wrong solution. Given the ability for companies to donate money for election campaigns, who said that regulation will always help the consumer?
Can't you feel the passion and rage of the above poster?
My TTL goes to eleven.
..the well off, overprivileged, Conservative-sympathizing, self-absorbed, yuppie geeks of Slashdot can't handle the truth.
Modding the above post as flamebait is the only flamebait around here.
"How to get people to buy my company's software."
OR
"Use my product, please. I need the money."
Many people use NAT routers for basic hardware security. Basic NAT helps a LOT in making one's computer more secure. Stateful packet inspection (now common in many NAT routers) helps even more. If ISPs ban my use of NAT, and I get hacked because they made me remove my hardware firewall, can I sue them? Frankly, I smell class action here......
The home router makers can just update the firmware to not decrement the TTL counter. Probably a minor firmware tweak.
Unless of course the new Super-DMCA laws being passed in many states prohibit this...... because it "steals service" from the ISP by masking the number of hosts.
God I'm getting tired of this cat & mouse game!!!
In any dialect of SQL (which, according to one of my former coworkers, really should've been pronounced "Squeel") that I've written in, including Oracle, MySQL, Postgres, and others, the quotes aren't necessary at all -- e.g.:
SELECT karma FROM users WHERE userid = 138474;
Unless there's something funky about the backticks that I'm missing here. A SQL wizard I am not. =)
--ZS
-- sigs cause cancer.
See what happens when powerful tools get into the hands of terrorists?
Finally, someone who gets it.
I skimmed over the paper and am wondering what (if any) my big worry would be as far as my ISP is concerned. As far as I can tell, someone can see if I'm using a NAT router. Wouldn't the TTL decrement look the same from my laptop connected by wireless and my desktop connected by wire? In other words, would someone please explain to me if NAT = multiple computers? Couldn't I just tell my ISP that yes I use NAT, but only with one computer?
Bandwidth should be like any other utility. Once the connection is hooked up to your house, who cares how many computers you have on it. You're paying them for the bandwidth, so it doesn't matter whether you divide it between 10 computers or 1 computer, the amount of bits transferred would still be the same.
if they can't or DON't want to deliver the bandwidth they advertise then STOP ADVERTISING IT. I pay for a 383/384 SDSL connection, I expect to be able to use EVERY MBIT at ANY TIME I SO CHOOSE. If that is a problem for my ISP then they #1 had better stop overselling their lines.
I am curious as to how this differs from the cable companies trying to limit the number of TV's you could have plugged in to cable, or the phone company telling you how many phone extensions you could install ? These practices were struck down before, how can they get away with it now ?
This is like the airlines selling too many seats on a particular flight, and then not understanding why someone is upset when they can't get on board because the 'unthinkable' happened and everyone showed up....
errr....umm...*whooosh* *whoosh* Is this thing on ?
(I'm ignoring the cost of creating/leasing lines and support)
ISPs' costs are based on bandwidth used (this can depend on when the bandwidth is used, and whether it's up or down and out of their netblock or inside it). The # of machines connected has no bearing and it's pretty damn difficult to define a 'connected PC' IMO. Which of these would you include?:
- A hardware router running embedded linux
- A hardware router running embedded linux which I've hacked and can surf with
- A linux router (with no keyboard/monitor)
- A linux router (with a keyboard/monitor)
- A Palm which is connected once per day to a Windows machine behind the router
- A bloke who's hijacking my WiFi connection
- A bloke who's hijacking the hijacker's infrared port
- My laptop which I plug in at night and take to work the next day
- An x server (Or Windows Terminal Server) serving 50 websurfing clients
Will I be charged for the maximum # of concurrent NATed boxes, or the average # of NATed boxes? Or some other scheme?
I don't see where you could draw a nice precise black line on the definition of internet client; it all looks grey to me.
Speculation:
I think ISPs don't charge for bandwidth YET because it'd cost them money to measure it. I assume it would cost them more to measure {average or maximum NATed boxes}. I think they'll finally see the light and begin charging an amount that has some pretty close correlation to their costs (though I think it'll take 5 years or so before new ISPs begin rolling out nice routers which catalog bandwidth based on what time of day it is, etc.).
Normally, they are not required. However they tend to help in odd situations, like when a name matches a sql reserved word, or contains items that need to be escaped. Yes its bad form to use those for column names, but that doesn't mean no one does it or that you shouldn't be able to do it.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
Also, Linux (like *BSD) randomizes IP IDs by default now. Have fun with NAT, without fear.
Fuck Beta. Fuck Dice
I just perused my TOS agreement with my DSL provider and three things struck me:
1) Fortunately, my DSL provider (SBC) acknowledges and allows the use of routers to connect multiple home computers to a single DSL router.
2) They disallow users to "forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Service." That means that, at least with SBC, reconfiguring your NAT routing device to not decrement the TTL on packets could constitute a breach of contract. YMMV.
3) I could not find any clause prohibiting SBC from inspecting the contents of packets it handles. Theoretically then, in addition to considering the IP IDs of received packets as mentioned in the sFlow article, your ISP could perform analysis of any unencrypted traffic from your IP. For instance, if you were playing Counter-Strike and your housemate was surfing the web, traffic analysis of the packets originating from your IP could correctly identify the existence of multiple hosts.
Obviously, such analysis would be computationally intense, and could not be performed on an ISP's entire customer base simultaneously, but as a random auditing tool, or a follow-up to previous suspicion, this type of analysis could be an effective tool for ISPs that wanted to outlaw multiple connections.
That said, I agree with the countless comments to the effect that very few ISPs are going to actively pursue any of these measures; the costs seem to greatly outweigh the benefits. Imagine if my ISP did crack down on my four home computers behind my NAT router: I would still be capable of using the same amount of bandwidth with only one computer, I would be pissed off and looking for another provider, and most importantly, I couldn't give SBC any more money if I tried--it's not as though I can get multiple DSL accounts on the same phone number (and believe me, I certainly wouldn't let SBC charge more for "Platinum NAT Service").
My other
" For every technology, there is equal and opposite hacker technology".
In short, I am sure the open source community (the OpenBSD guys and the Linux netfilter team) have, or will shortly release, mods to foil any NAT detection gear. And I am sure the various NAT box makers and rebadgers (Linksys, Netgear, etc.) will soon have a tidy check mark with the text label next to it saying "Hide all computers from greedy ISP and big brother government agency? (y/n)"
Lawyers, MBA's, RIAA? A jedi fears not these things!
Damn, I didn't even have to think of it...the author suggested a work around:
It would be possible to defeat this detection technique by creating a NAT gateway that didn't decrement the IP TTL
I wonder how long it will take Cisco to update my PIX software with this feature...
-ted
I'm still pretty angry about getting laid off by a CLEC/DSL provider I worked for, but I have to give them credit. It's great when they let the network engineers have nearly unfettered access to the TOS/AUP in a timely manner and they pretty much get their way. Put a NAT box at your location? Yes please! Save us the IP's!
Too bad more providers might not follow this line of thought.
I had a sucky sig.
A good NAT/firewall device will generate VERY random sequence numbers to prevent a hacker from guessing sequence numbers and hijacking your connection.
Cisco's PIX firewall does a very good job of randomizing sequence numbers. This would really give the AT&T method a hard time.
Check out this article it shows the randomness of some popular TCP sequence number generators.
-ted
Read the previous article. It mentions that it is difficult and time consuming to detect hosts using packet #s. The easiest way to change this is to randomize packet #s and change TTLs. Think of it this way, TCP/IP has been around a long time. If it were this simple to check to see if someone was behind a NAT why hasn't anyone done it yet?
void
As someone on slashdot wrote before me, what about 1 singular PC connected to the internet running a couple of sessions of vmware?
Perhaps it would appear to the outside world that there are more than 1 pc connected, but to prove it, they'd have to have physical access to your home.
Pretty sure they won't get past me...
Praying for the end of your wide-awake nightmare.
Most people on here can just set up a Linux router that *doesn't* support sFlow, and do NAT with that.
The only people that'd get fucked is Joe Windows User types with hardware router/DHCP thingamabobs.
May we never see th
can it detect a NAT behind a NAT?
--- sig moved for great justice.
That's a MUCH more fitting title.
A lot of the posters have been talking about how this technique would be used to prevent end-users from providing access to multiple machines in an attempt to charge more for bandwidth. But people who have read the actual paper will note this phrase: "Unauthorized NAT (Network Address Translation) devices can be a significant security problem."
One purpose of this paper is to provide a tool that can address security concerns. And yes, NAT does make it more difficult to police the machines behind the NAT. One reason: "Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building."
This paper never once talks about a problem where NAT users are going to eat up too much bandwidth. Another quote: "In this network the administrative policy is for host computers to be directly connected to the distribution switches, as is shown by Host C. Two hosts, A and B, are connected to the distribution switch through an illicit NAT router." Note the words "administrative policy".
This is all Microsoft's Fault.
Sure, it's not pretty, but if the ISPs decide to use it against us, we'll just have to use proxies. Linksys/D-Link/Netgear/you name it will have an affordable proxy appliance out before you know it.
... well, they probably won't do it (if they're smart, which they aren't always...).
.02
Let's face it: before the cable router was prevalent, everyone that wanted to share used a machine with (2) NICs. The people smart enough to figure it out will do that with proxies (or if you're not smart enough to think of that, now I just thought of it for you). Once the companies realize this is another cheap thing that they can do to make lots of $$$, they'll market a cheap appliance that will do it.
Before the cable router, I used 2 NICs and WinRoute to NAT. Before that, 2 NICs and WinProxy to Proxy.
The ISPs will realize that there is always a way around it, and that the trouble of detecting will cause them so much pain that
My
I think the best way to detect NAT gateways is to use a system like homosexuals do at rest areas. I remember one time on interstate 5 i met up with a guy named bruce and he was so big i could hardly handle him. I think I cummed three times before i got the bleeding to stop.
If I remember right a proxy firewall will stop this from being effective. A proxy Firewall will pull all the data as one system and resends it to you or many other systems on the other side. Any one who knows Proxy firewalls well enough to know?
If they don't want people to use their bandwidth to the fullest extent, they should charge per gb, not simply per month.
The only broadband provider in my area just raised their rates by $10/month. I was nice about bandwidth usage before, but now I feel cheated if I don't use it all. I was already paying double what many of my out of state friends pay.
Lucky for them, all versions of the drivers for the cable modem they gave me crash Windows XP if my usage is near the max for several hours.
But they'll soon get what they deserve. Their stock dropped to less than 1/20th of last year's price and they're being investigated by the SEC.
Gotta set TTL to 129 now.
We beat the first host detection with "options RANDOM_IP_ID" and we will beat this one with "options IPSTEALTH". Quite simple!
Oh, and you don't really want to do that kind of thing outside the TCP stack since it is much much better at moving packets. Firewalls are for denying and allowing. NAT is for ... NAT. TCP stacks are for packet processing.
I'm sure there are many ISP's throughout the world that don't really care if you've got a little Linksys router with a few PC's behind it. I found one today that encourages it.
Black Hills Fibercom (in little Rapid City, SD). They offer phone, digital cable, and broadband. Called today on behalf of my Dad who is considering their broadband package. I asked about firewalls - they strongly recommend using one and will even help set up any of the major software firewalls during install. He then proceeded to recommend purchasing a NAT router for additional protection. I damn near fell out of my chair.
We talked a bit about bandwidth and I brought up access for multiple PC's. He then said definitely get a router or they would have to charge an additional (though nominal) fee for each additional IP. At that point, I did fall out of my chair.
They won't support your home network nor will they help set up your router. They will, however, walk a user through disconnecting it during a support call if it's necessary for them to see their computer over the network to resolve an issue.
Almost makes me wish I still lived there.
- If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
I have more public IPs from my ISP than I have actual machines running on my home network currently. I use dNAT as a security barrier, making it more difficult to access from the Internet. I also have ports mapped in such a way, I can move services from one box to another without changing the public IP needed to access such a service.
All this time, I thought NAT was a way to make things more secure. After reading this article, I should just do away with the dNAT router and let all my boxes have direct connectivity to the Internet. Now that makes me feel secure!</sarcasm>
I work for a small ISP in northern California. We don't have any policies against our users using NAT. We provide NAT routers to our ADSL customers and recommend cable/dsl routers to our DSL customers on our older system. We also help our users set up ICS if they're running windows. We have sold systems running linux to our wireless customers.
It's not that we care how many computers someone has behind these NAT devices. It's how much of the bandwidth they bought that they are using and how often they're using it.
Our basic ADSL and wireless offerings are 384k/128k. If we had every user maxing out their connection all the time, then we'd have to charge more. Because we're in a remote area, we pay more for our T1 service. We have a T1 that runs about $1k per month and another about $1300 per month (special build for geographic diversity). If 4 of our ADSL or wireless users held their connection maxed out all the time, that would pretty much eat a whole T1. We have just over 300 broadband customers and about 600 dialup on two T1 lines with a third on the way.
Our 384k/128k service is regulated and costs $49.95 per month. If every broadband user insisted on maxing out their connection 24/7, we'd have to charge broadband customers $250 per month just to break even on the T1 costs. That doesn't even count the overhead associated with staff and equipment.
I'm sure there are ISP's out there that are all about the money. We try to be more about service and making sure our customers are happy. But we have to make a living too. I don't think the issue should be if you're using a NAT device or how many computers you have hooked up to it. As I said, we encourage it. I think the issue should be about usage. Sell 3 gig per month. Charge for data over that. (3 gig is a number I pulled out of my head)
My point is, if the ISP is worried about usage, they should charge for that and not for how many computers are behind a NAT box.
I went on a call not too long ago, where the customer was in your situation. They were paying for two IP addresses, and weren't using any sort of router, or NAT, as they didn't need it, since they were paying for two IPs. Well, the problem they were having was their two machines weren't seeing each other anymore, but the switch they were plugged into showed they were getting links, and they could both still get online. To make a long story short, the cable company changed one of their IPs to a different one, and it was on a completely different segment of the network (don't ask for too much technical detail on how this happened, for I don't really know what the hell the cable company did to them), and since they were no longer on the same segment, they could no longer talk, as all their local traffic was going out through the cable company's DHCP to get to the other machine .. So tell me, how is your local sharing setup?? I fixed their issue by installing a NAT router and firewall, and they called the cable company to cancel one of the IPs. The cable company agreed with putting in the NAT, as they would not guarantee them completely static IPs.
I feel it is perfectly fine to pay the cable company a connection fee to allow my network to connect to their network, but what is on their side of the NAT is theirs, and what's on my side is mine.
For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
First, everybody keeps arguing this on the basis of even with NAT you are using the same bandwidth as without because you are going to use the full bandwidth. The logic fallacy has already been pointed out. I would actually think that ISPs would like for the *casual* home user (not the person downloading MP3s 24/7) to put in a NAT appliance because it would be one safeguard against someone external scanning for ill-configured windows shares and loading malware that could be used for DDoS attacks.
Point 2. If an ISP did implement something like this, a technical user could always put in an X11 server and use X-Window clients on other machines as a workaround (all internet activity would be coming from that one X11 box). A bit far-fetched, and probably more work than it's worth but it is one possibility.
The cable company only "poked one hole through the wall". Their preferred method of running multiple IPs is to connect the cable modem to a switch, so the customer only has to pay for one modem, and then connect the machines to the switch, and run multiple IPs through the modem somehow. It is a ridiculous setup, and their tech support people always suggest paying for one account, and running a nat box.
Since the method relies on knowing the default TTL, (128 for windows), just set the default TTL to something higher...
In W2K:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL (DWORD)
Just set to 129 if you have a NAT between your PC and the modem.
This way all the packets seem to come directly from a Windows box, and you don't have the (potential) side effects of getting the NAT to change the TTL.
main(i){putchar(177663314>>6*(i-1)&63|!!(i<5)<<6)&&main(++i);}
So how does this affect me running VMWare with a guest OS that connects to the Internet? How can the ISP tell if I have two real machines or a real and a virtual machine?
but I can remember when the phone company, and there WAS ONLY MA-BELL back then, claimed to OWN the phones inside your house. The first cable companies regulated the number of TV's you could use by lowering the power on the line, but again why is it my problem (Joe User) if an ISP has been foolish and promised customers always on bandwidth and then doesn't have the bandwidth when those customers try to exercise the service they've paid for ??
BTW how does my use of the end product affect ANY OTHER USERS ? we are not talking token ring here what hits my house ends there cable TV speaking ?
!!!"But that doesn't mean they should plan for an event in which all users want all their bandwidth simultaneously." !!! Why not ? Fail to plan for a viable worst case and you are a FOOL, and generally a bankrupt one.
As an employee of a major bank, I'd suggest you read your account agreement, they HAVE thought of that and you will be stuck with a Cashiers check if the manager decides the case warrants it.
As an aside I do have a business class SDSL connection with redundancy and a rate for redress if they are down outside SOW for more than 2 hours, and it is quite a bit steeper: 149.00 for 384 sdsl.
errr....umm...*whooosh* *whoosh* Is this thing on ?
According to The Netfilter HOWTO you should be able to just apply the (already existing) TTL patch and then issue a command similar to the following in the appropriate part of your firewall rules:
Gee, that didn't take long :)
Well, they happen to do that right now, mostly because of historical accident. If bogus "NAT detectors" like this proliferate, people will simply move to user-mode NAT. That is, packets from network A are redirected to a user-mode process which then looks at them and sends out a request on network B, and the same in reverse. In that case, the packets sent from the NAT process onto network B are indistinguishable from the packets coming from any other user mode process because they were generated by a user mode process.
The only thing ISPs can do to detect NAT is to look at traffic patterns and accuse you of, say, browsing too many web sites per second. That eventually just amounts to volume-based (or traffic-pattern-based) charges. Sure, they can do that, and they probably should, but at current prices, that's not going to affect you browsing the web from two machines.
Ok so we need to get Linux, BSD etc to 'randomize' their TTL values. This will make everyone running those OSs look like nat boxes. Basically making the method useless. Alternatively, I alter the kernel on my linux NAT box to not decrement the TTL. Someone actually spent time writing about this. WEAK!
... should be found and stopped.
If you want business access, buy it cheapskate.
If you ask me, bandwidth is overpriced on all levels. My light bill is cheaper than my bandwidth (by the unit). And after all, that bandwidth is just electrons over an ethernet cable.
"When you buy a connection to an ISP, you pay for a pipe. What you do with that pipe is your business."
That's why I'm going to send 20.000 Volts down mine.
I'm signed up with earthlink and i (don't laugh) actually READ the user agreement before signing it.
They specifically state that no more than one computer may use the service at a time. The DSL modem provided to me also enforces it. If two computers try to browse at the same time, one of them will get a web page asking for the PPPoE login info (user and pass). If you type it, then the other computer loses access and gets the same page, while the one that previously required a password suddenly works...
Not a problem to me since I currently only use one computer on the internet here at home, but I suspect that it could be a real bitch at the office where I set up a home-style network with a NAT. (Small office, only six computers)
Solution to the earthlink? I "borrowed" an extra DSL modem from my office (they had several laying around when I started working there) and set up XP (don't laugh) to log in using the built in PPPoE authentication.
If my roommate gets a computer, I'll buy another NIC and use XP's built in NAT. Should work just fine.
This message brought to you by Jack Schitt's Previously Shat Shit
So this sFlow thing sounds like a NAT buster to me. Then all i have to do is to build a NAT Buster Buster.. right ??
In our case, it is. It's a member-owned cooperative. I used to pay for someone else's Hummer and house with a pool, now I get a check back every year, and a vote in the management of the cooperative. I live 55 miles from the city and have excellent DSL service. And I must admit, I have downloaded plenty of Linux ISO's and 'other' big files, even had my "Internet Cafe" with 5 machines running off it, and never a complaint.
I'll say it again: Member Owned Cooperative.
DNA based encryption with software developed
I have an idea on how to defeat this, let me know how it would fail...
If you had a piece of software behind the NAT, software very much like a NAT but not exactly, that aggregated traffic and forwarded all of it to the real NAT as a single host wouldn't you lose the clues that they are using to detect the real NAT?
So configure your router to not decrement the TTL for forwarded packets and to use ports ranging from 1024 to 65535. This can be easily defeated, especially with PF or IPF.
Sure some people who have linksys and friends type boxes may be burned, but:
1. it will not work with most avid wireless zealots.
2. there is a way to mask particular network stack behaviours with little extra code in iptables.
I propose a better way:
ISP just drives around connecting randomly to open networks, use wget http://wirelesstest.somelameisp.com,
and see where data is coming from. If it comes from inside, bingo, got one. Even better, know his address and his account. Cancel it!
But who cares? This is a sure way to generate negative publicity about broadband. And there is plenty of it already, with @home dead. The only proper way to deal with hogs is either 1. bill them, and provide same quality service. Upgrade if it's needed. 2. Sack them if they don't pay.
For one, I would not mind having a 200KB uplink, and have some sort of cap on that, but have that available to me. If the provider sacks me, I will be sure not to use uplinks they provide within their colocation facilities, once my business grows. They sell colo bandwidth, didn't you know that? Bling bling! If they piss off their technically advanced customers, they will lose potential customers for their high end colo facilities.
It's best to be clear and forthcoming on what your terms are, not hand out 5000 lawyer-written ass covers. Provide an efficient path for upgrades, for people who suck uplink bandwidth. Maybe they are not even aware of it. Maybe they run the site from their home, for their tiny business and their customers get pissed off when they can't buy stuff.
If it is a warez sharing wanker, well narrow his bandwidth or send him a letter explaining bandwidth caps and billing strategy. Bandwidth within the network should be 100% free however.
Point is made, make your customers your friends through dialog, don't piss them off, by cutting them off. If they want to run wireless point, stick them with business package and widen their bandwidth. Give them options.
Like most people here I had just been thinking of having multiple endpoints that talk out to the internet but I suppose if you have a network printer and other devices that talk only locally you might want a NAT. So the simple existence of a NAT shouldn't be a reason for them to terminate your service.
Use a proxy. A proxy would be the only origin of packets.
The only thing ISPs will really upset is when You screw their routing. In that case they may screw You, IMHO.
Only these Super DMCA (proof that stupid legislation can be made worse) would be a worry.
chess
As usual the bourgeoisie try to extract more and more money from the masses through the corporations they control.
In other news, China doesn't block Slashdot.
Like what I said? You might like my music
- dsl-router instead of dsl-modem or dsl-bridge = +1HOP (legal)
- one of the famous micro-firewall-boxes between client and dsl-router = +1HOP (legal)
- vmware in non-bridging-mode = +1HOP (legal)
- too easy to overcome (change default initial TTL, mangle TTL on NAT box)
If an ISP really wants to detect NAT, they would do a bit more intelligent passive-OS-fingerprinting stuff (like the "IP-ID" method, see older article) which is a bit harder to bypass.
I pay for 384k bi-directional. Why is it anyone's business if I run a subnet in my home to tie my cluster together? I am still not getting any more bandwidth, I am simply subdividing the bandwidth among machines. Same argument holds for making the subnet wireless. What exactly is there to object to? What am I supposed to be ripping off?
And when are we going to rise up and tell the greedy, small-minded busy-bodies to take a flying leap? I am beginning to think it isn't even about greed but more about control for the sake of control.
TCP/IP is a wonderful thing, but there is only so much that one can do with it.
BSD has a way to avoid that kind of detection already...
Makes a change from seeing that ugly bloatware called Perl used for everything under the sun.
Doesn't a full internal proxy address this too? If all your internal hosts go thru a proxy, then the proxy is the single host seen from the outside world. There are a few issues with this technique, IPSec, that prevent it from being useful for many folks, but everyone else ought to be good.
You **should** be using a proxy anyway for security, and improved web experience thru filtering.
Well, there are some easy solutions. The easiest being to run NAT that rewrites the TTL and the packet sequence to a standard value. E.g. it rewrites the TTL to a common value. It should likewise re-write the packet ID sequence.
That kills the two techniques and is not difficult to do.
I can think of a few other options too.
We run a second NAT router behind the first as it is.
Yeah, screw it. The rest of the family can run crappy old machines I'll never have to upgrade or administer, and I'll run everyone off a Citrix box. One computer. Congratulations, you've stopped me.
"Oh no... he found the
Another option is the SSHd option of TCP forwarding; once the connection hits the router box, that is running a SSHd server, the packets would be pulled out, decrypted, and sent out an entirely new connection to the Internet. In that respect there would be only one machine accessing the Internet and all of the others on the LAN would be accessing it.
Another option would be to have the NAT box, if it was done on a real computer that could be programmed instead of a dedicated box such as those from D-link, Netgear, etc., check for bandwidth consumption and when there is a lot of excess it could just make its own requests and deliver them to /dev/null. This would add a great deal of garbage to the data that must be analyzed.
It seems that the simplest solution for actually cloaking the number of boxen that sit behind a NAT/firewall is simply to get the initial IPid of a connection out of a random number generator like one of the BSD flavors did in the article.
Just my $0.02...
Restore America: Dr. Ron Paul for President!
I use NAT, if they charge me for NAT then I am going to charge them right back for having idiots at the customer service desk.
If other ISP's were as clued in as Bellsouth seems to be, the world would be a happier place.
Also, Bellsouth uses PPPoE, but their DSL modems have a built in PPPoE client so that the end machines don't have to deal with it! How's that for convenience?
Not to plug them, but I'm just surprised some ISP's are being such assholes when a big telco like Bellsouth is being so open and flexible.
That's why I am glad I use speakeasy. They don't care if you run servers, or if you have a home network, if you run linux, and you can get extra static IPs for cheap. (I get two static IPs, and still use NAT) I am not an employee or anything, but they are the BOMB for an ISP. Of course they aren't as big as Comcast etc, so they are not as available as those other ISPs.
Just add
options IPSTEALTH
to the kernel config and
net.inet.ip.stealth=1
to /etc/sysctl.conf
I guess it works with other BSDs too, but I haven't tried it yet.
Rewriting TTLs would be nice too, does anybody know how to do it?
In all fairness to broadband providers, the argument that "I pay for the bandwidth, why do they care" isn't a slam-dunk. Here's, at least possibly, why:
Imagine it costs a cable company $70 a month to provide you with 600kbps downstream access. Presumably for a large majority of home users this cost is too high -- they may be only willing to pay, say, $50. On the other hand, there may also be some business/high volume users who would be willing to pay up to $90 for the same service. The basic point being that different people value the exact same service differently.
Now, if you're an ISP you can get more customers if you can charge the residential people $50 and the business/high volume people $90, than if you just charged everyone $70. This is called "price discrimination" and, despite the title, is an extremely good thing -- it's how most businesses survive -- think of the difference between a coach and a first class ticket.
The problem is what's to prevent the business customers from just paying the $50 for the service. Another word for this is "arbitrage" i.e. taking advantage of a discrepancy in pricing for the same item. The solution is to try to come up with some way to sell the same product for different prices but ensure that the business users pay the higher price and the residential users the lower.
Again the thing to keep in mind is that this is a good thing. If you're a residential user you are only able to pay $50 because the business people will pay $90.
So one possible way to prevent this arbitrage (and I'm not claiming this is the only reason for restrictive use policies) is to make the licensing terms for business (or in this case multi-user systems) less restrictive.
Put simply, restrictive licensing terms may allow higher valuing users to subsidize the costs of lower valuing users.
(Note: I used the example of business customers willing to pay $90 for the service, but to make it more germane to this article, the argument would be that people running NAT are higher valuing users than single computer users)
I pay for the bandwidth. I should use it in any way I want. :)
eventually, the cable companies, ect will decide to tap this resource and make you pay for every machine in your house.
even that internet enabled refrigerator
ISPs are afraid that people will team-up with their neighbours to get a broadband connection together.
Most traffic rates are enough for two families doing nothing more than web surfing, e-mailing and chatting.
If you share your connection with your neighbour, your ISP will have one customer less, so they really *do* lose money.
In need of reliable and affordable server monitoring?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL
Just change that regkey to the value of your choice (it doesn't exist by default, so create it, it's a DWORD key).
You need to read your TOS. Almost certainly, there's a clause in there saying they can disconnect you at any time if you violate the TOS - and they get to decide whether you've violated it.
It's not like it takes a court order to get your connection shut off.
Sean
My university wants to keep track of all network devices. And they bill a small amount for each network connection ($10 per year) back to each department or research group. Billing on a bandwidth basis would cost much more to administer.
Some of the smarter professors use a NAT box & run their own cable to avoid paying for a dozen computers.
It's hard to find unauthorized wireless APs behind a NAT box as well.
This will not work, period, other than altering TTL. And TTL is NOT what the author of the PDF is looking for. He's looking at packet IDs that are changing. There is no way to hide from this w/o breaking the NAT/state table. If you have several machines that are NATing behind, say, an OpenBSD machine with 2 NICs, when you munge the packets to change the IDs, as the author is looking for, when they come back to the box from the universe, they will be dropped because they've been munged too badly. I'm sure one could muck with the pf source code to allow for this change with an additional sub-state table that specifically compares the original with the munged packets and re-addresses them, sort of like a double-reverse NAT on firewalls. Could be done, but will be difficult.
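The two signals the thread keeps arguing over, a TTL that is no longer a stack's initial value and several interleaved IP ID counters behind one address, as an added detector over constructed sFlow-style header samples (this is not the paper's code or any poster's; the field names, the 64-ID gap threshold and the sample data are assumptions). It also shows the point made above about TTL 129: that trick hides the TTL signal but not the ID counters, while a stack that randomizes IDs leaves the second check inconclusive.

```python
from collections import defaultdict
from dataclasses import dataclass

# Common initial TTLs of host stacks (Windows 128, Linux/BSD 64, some 255/32).
INITIAL_TTLS = {32, 64, 128, 255}


@dataclass
class Sample:
    """One sampled IP header as a collector sees it (constructed; names assumed)."""
    src: str     # source address seen by the monitoring switch
    ttl: int     # TTL on the wire
    ip_id: int   # 16-bit IP identification field


def ttl_evidence(samples):
    """{src: sorted TTLs} for sources whose TTLs are not one common initial value.

    A TTL one below an initial value (127, 63) was decremented by a router on
    the way in; several TTLs from one address mean several stacks behind it.
    """
    by_src = defaultdict(set)
    for s in samples:
        by_src[s.src].add(s.ttl)
    return {src: sorted(ttls) for src, ttls in by_src.items()
            if len(ttls) > 1 or not ttls <= INITIAL_TTLS}


def count_id_sequences(ids, max_gap=64):
    """Greedily split an IP ID stream into increasing sequences (16-bit wrap).

    Each ID joins the sequence whose tail it follows most closely within
    max_gap, else starts a new one: one sequential stack gives 1, N stacks
    interleaved behind a NAT give N, randomized IDs give about one per sample.
    """
    tails = []
    for i in ids:
        best = None
        for k, t in enumerate(tails):
            d = (i - t) & 0xFFFF
            if 0 < d <= max_gap and (best is None or d < best[1]):
                best = (k, d)
        if best is None:
            tails.append(i)
        else:
            tails[best[0]] = i
    return len(tails)


def ip_id_evidence(samples, max_gap=64):
    """{src: number of ID counters}, or None when the IDs look randomized."""
    by_src = defaultdict(list)
    for s in samples:
        by_src[s.src].append(s.ip_id)
    out = {}
    for src, ids in by_src.items():
        n = count_id_sequences(ids, max_gap)
        out[src] = None if n > len(ids) // 2 else n
    return out


def detect_nat(samples, max_gap=64):
    """Combine both heuristics: {src: (verdict, reasons)}."""
    ttl = ttl_evidence(samples)
    seqs = ip_id_evidence(samples, max_gap)
    verdicts = {}
    for src, n in seqs.items():
        reasons = []
        if src in ttl:
            reasons.append(f"TTLs {ttl[src]} are not a single initial value")
        if n is not None and n > 1:
            reasons.append(f"{n} interleaved IP ID counters")
        verdict = "nat" if reasons else ("inconclusive" if n is None else "direct")
        verdicts[src] = (verdict, reasons)
    return verdicts


def interleave(src, ttl_a, ids_a, ttl_b, ids_b):
    """Alternating samples from two hosts sharing one NAT address (constructed)."""
    out = []
    for a, b in zip(ids_a, ids_b):
        out.append(Sample(src, ttl_a, a))
        out.append(Sample(src, ttl_b, b))
    return out


# Constructed samples, one scenario per address.
SAMPLES = (
    # 10.0.0.5: one Windows host directly on the switch: TTL 128, one counter.
    [Sample("10.0.0.5", 128, i) for i in range(1000, 1006)]
    # 10.0.0.7: NAT box hiding a Windows host (TTL 127) and a TTL-64 host (63).
    + interleave("10.0.0.7", 127, range(500, 506), 63, range(9000, 9006))
    # 10.0.0.9: two Windows hosts behind NAT with DefaultTTL=129, so the wire
    # TTL is back to 128; only the two ID counters give them away.
    + interleave("10.0.0.9", 128, range(2000, 2006), 128, range(31000, 31006))
    # 10.0.0.11: one host whose stack randomizes IP IDs (TTL 255).
    + [Sample("10.0.0.11", 255, i) for i in (41233, 3901, 60012, 22874, 8190, 51100)]
)

if __name__ == "__main__":
    for src, (verdict, reasons) in detect_nat(SAMPLES).items():
        print(src, verdict, "; ".join(reasons))
```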
I am on NTL cable modem service which is great!
They actively encourage use of NAT routers and wireless LAN, they even resell the equipment required at a discount.
The standard package comes with an ethernet/USB cable modem thrown in for free.
Assume this is because they don't allow more than one cable modem line per residence.
Scenario: corporate environment. :).
RTFA
Scenario: paid WiFi Internet access.
Potential problem:
Customer pays for Internet via WiFi at a cafe, runs a proxy and everyone else surfs through the customer's computer.
Possible solutions:
1) Restrict each and every MAC to a certain bandwidth
2) detect offenders and restrict their bandwidth or take other action.
3) Ignore it- the cafe's business model allows it (makes lots of money selling expensive drinks), and it's kinda unlikely for cafe customers to do that.
There are other scenarios I guess.
But if I'm an ISP providing internet access to a _site_ (home/office) it seems a bit stupid to not allow sharing. If I need to restrict anything I'd restrict by bandwidth or volume.
"For every technology, there is equal and opposite hacker technology"
The exception to Eric's theorem: "Eric's theorem does not apply to technologies designed to persuade national legislators."
Will I retire or break 10K?
since by default they're randomized in Linux 2.4.x. Hooooooray!
Fuck Beta. Fuck Dice
Last month I was chatting with a shockingly knowledgeable service tech at my ISP, cox.net (cable provider in S. California). She admitted that cox does cap bandwidth, but also told me that they don't give a whit about NAT. In fact, they had the manual for my Linksys router in their support system and helped me troubleshoot.
Remember: all technologies are morally neutral, it's how we choose to use them that determines if a given technology is "good" or "bad."
"one treats others with courtesy not because they are gentlemen or gentlewomen, but because you are" --G. Henrichs
"Mine says you're not supposed to, yet the installers recommended a brand of NAT device to buy."
I don't think you need to worry, either but...
Don't forget: it's almost certain your installer was a contractor, not a cable company employee. He can say what he wants.
--Richard
Let's make that kind of use "unreasonable" *per se* by going around and getting laws passed in every state that make it a crime to violate your contract with your isp.
Here in Sunny alberta the major ISP uses a default password anyways so you can register as many computers as you want. I have a 2 IP plan and have had about 7 different computers registered.
all I do is think of a name, say John or Mike and try the default password. 10 minutes of trying and I'm registered. They didn't even make it hard. Typing in the MAC is the hardest part.
Totally off topic but what the hell... There's two hobbies in alberta... MS bashing and telus bashing.
I want to set up an internet cafe to cater to all my rich ass, stone(d)runk, speed metal on, elite engineer hippy friends in the bay area. [p.s. hey brian]
Imagine having a separate agreement with the electric company for each outlet in your house?
or the water company for each faucet?
or the phone company for each phone? ( I know it used to be that way)
what a bunch of horse shit. This will last for as long as it takes the average soccer mom to realize they are full of it, and then it will go away forever.
Someone big (like yahoo dsl or the evil msn), trying to break in to the market with cash in the bank from dominating some other market will not require single access and all these bastards will have to adapt. Or someone small, trying to gain ground, will not require single access and everyone will switch over.
that, and as more and more and more items get network access, people will demand multiple access.
so even if they can do this, it won't last for very long.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
Yeah, but it is $20 more per month than the standard hookup. That is total B.S.
I started with @Home. Got moved to ATT Broadband, and now I'm getting sold to Comcast. That's 3 e-mail address changes in less than 3 years. And I'm losing my best screen name because someone at Comcast.net already has it.
F*ck them! I'm ready to go to DSL if they try to charge me $20 more.
The hacker technology "equal and opposite" to legal coercion/punishment technology (e.g., guns/jails) is #shutdown now -h
My raw HTML skills are lacking. Sorry.
Set the registry value to something off-the-wall:
Registry Settings
System Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
Value Name: DefaultTTL
Data Type: REG_DWORD (DWORD Value)
Value Data: 1-255 hops
If they are an ISP they can't do any kind of sniffing. Sniffing the packets means that they get knowledge of the content of the packet, so they stop being carriers and will be prosecuted for all unlawful content that passes the pipe!
They can only do the network stuff needed to pass the packets around... they can't act any more than that on the content of the packets.
That is why they are carriers and are protected by the law for that...
Here's the thing.
Terms of Service that limit how many hosts you can connect to the machine *make no sense*. It isn't as if you are receiving MORE of a service from the ISP if you use NAT to connect multiple machines in your house. You're getting the same amount of bandwidth and, in essence, "splitting" it. If there were some way to use NAT to get more than your fair share of bandwidth, I'd be right there with the ISPs decrying its use, but that's simply not the case.
TOSes like these are simply a tool to milk their customers. If my ISP bitches about me because of this, sayonara ISP. And I REALLY hope I'm not alone.
+++ATH0
You said "It comes in spurts"
Maybe the isp's should learn how to treat their customers a little better then.
My rates have been raised two or three times in the last year. They're constantly finding new ways to make money [now if a tech comes to your home it's $22/half-hour].
Their speeds are getting slower and slower. And worst of all, they randomly decide to start blocking different ports [they don't let ppl run lowly web servers on port 80, but they don't bother blocking ftp ports. the argument of course is serving sucks up too much bandwidth...]
it's all bullshit. I'd switch to another isp, but there's nothing else decent available. The cable companies have set up a monopoly of sorts, so that each one only services certain areas, and they don't overlap each other, basically eliminating competition.
I think their official policy about NAT is they do allow it [multiple machines using one IP] they just won't give you any support setting it up, or troubleshooting the network.
take a pill or sumthin...