More On Detecting NAT Gateways
tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."
Will ISPs use it against us?
No, Beowulf clusters can't imagine in Soviet Russia.
This is going to be used by your ISP to assure you aren't sharing your connection among multiple computers without paying a monthly surcharge for each.
On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.
Jason
So, if they don't want me to use NAT, does that mean they want me to connect each box to their internal network? Meaning I (and everyone else) can get access to computer B's contents when I'm trying to access it from Computer A?
Why can't they just have a flexible plan where I say, yes, I admit I have 3 boxen behind NAT and agree to pay an extra $5 to $10 a month? Or is this too logical for them to do?
If you sign a contract saying no NAT, or no multiple machines on your connection then you have agreed to it. My wife and I pay an extra 7 bucks/mo for two connections instead of one.
If you have agreed to one connection or machine and have multiple connections or machines then you are cheating your ISP. If you want to change it then call your ISP and negotiate, or sign-up with someone else, or move somewhere where you can get an ISP to agree to your terms, or form a buying group, or start a boycott, or picket. Do you think breaking a contract is OK?
Open source development is my way of competing with the low-cost programmers in India...
ISPs sell you connectivity, what right do they have to tell you what you can't do with it? Does your electric company tell you what you can and can't plug in and how many things you can power? Now, if I run an extension cord around the neighborhood and charge people for it, then there might be a problem.
On internet: For all I'm concerned, I have *ONE* computer connected to my DSL, and other computers connected to the one computer. ISP gonna tell me I can't connect computers to each other? What's next? It'd be illegal to have multiple screen/keyboard/mouse on the ONE computer? (I think this can be done...buddyPC??)
The 'client' computers access resources on the 'gateway', which happens to include the external internet filtered through the firewall. I don't have multiple computers connected directly to the internet, that's just insecure.
And besides, what are they losing anyway from NATs? It's the same connection/bandwidth. 150kbs down on one box is the same as 150 split to 75kbs down on 2 computers. It's still only one IP. Whatever activity (and any responsibility) that goes on is on ONE account.
$cat
How does it cost the ISP more if multiple people share a broadband line? Where is the additional expense to the ISP that needs to be covered?
... do you know how stupid it is to directly connect your box to that cable/dsl modem thing with out at least hiding behind some kind of NAT?
..
Go ahead let them screw their customer base over - sure that'll work! - Good plan!
And another thing
Go ahead and try it - be sure to run BlackICE or something so you can count how many times you get portscanned in an hour
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
afaik Super-DMCA will outlaw all attempts to conceal information in all communication devices, that'll illegalize all firewall, NAT and edge routers, etc.
Stupid as it sounds, but it goes thru our senators, it couldn't be wrong.
The little downside is that the only job left for IT is tech support for Windows installation....
Mine says you're not supposed to, yet the installers recommended a brand of NAT device to buy.
:)
Wish I had that on tape
The source of these numbers are netflow reports and similar traffic measurements, both my own and other published data.
If you really want to play word games, I define an idle machine as "a computing platform with an operating system loaded and running, but without a user interacting with the system".
I'm glad you like to run a caching DNS server and diskless workstations. Really. But to most people, computers are just tools to play games and send email. They're purchased at places like Sears and CompUSA, and they automatically download things like windows update, antivirus software, etc.
Last time I checked, a caching DNS server only reduces traffic if you have a large enough, active user base to populate and refresh the cache.
They're only "your" packets until they leave your computer. Then they are their packets, since they are on their network.
So yeah, they can sniff packets all they want. You agreed to that when you paid for their service.
Now, using what they find in your packets against you in court, or really doing anything with them other than protecting their own network/contracts...that's different.
Everybody here is saying "just fix the NAT code to not decrement the TTL and we're cool", but it's not that easy. At the end of the article (you did read the article, right?) it refers to an AT&T research paper (PDF) on counting the number of hosts behind a NAT box. This is done by looking at packet sequence numbers, using the fact that each host generates its own sequence. This chart shows what happens. If you see one set of packets starting at 20,000 and another at 50,000, all overlapping in time, it's a good bet there are two hosts. It also points out that the default high port numbers NAT uses are another good clue to the presence of NAT.
Port numbers are easy to change, but if your ISP wants to do traffic analysis on your IP address, there's not a lot you can do to hide. I'm just very, very glad that I have an ISP that doesn't suck. In fact, they're pretty damn cool.
What if life is just a side effect of some other process and God has no idea we exist?
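The two detection ideas discussed in this thread (the sFlow/TTL approach from the summary and the counter-sequence approach this post describes) can be sketched as a small analysis script. The following is an added example written for this page, not code from the article, the sFlow paper or the AT&T paper. It runs over constructed packet samples (documentation-range addresses 203.0.113.x, invented timestamps and counter values); the set of OS default TTLs, the maximum counter gap, and the choice of the IP identification field as the per-host counter are all assumptions made for the example:

```python
"""Added example: two NAT-detection heuristics over constructed packet samples.
Not code from the article or the papers it cites."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: initial TTLs used by common operating systems. A packet arriving
# one hop below one of these (63, 127, 254) has already crossed a router before
# reaching the first switch, which suggests a NAT gateway in front of the host.
OS_DEFAULT_TTLS = {64, 128, 255}
# Assumption: largest forward jump in the IP ID counter still attributed to the
# same host's sequence.
MAX_ID_GAP = 50


@dataclass(frozen=True)
class Sample:
    ts: float      # capture time in seconds (constructed)
    src_ip: str    # source address as seen on the provider/campus side
    ttl: int       # IP TTL observed at the first hop
    ip_id: int     # IP identification field, used here as the per-host counter


def ttl_findings(samples):
    """Flag source addresses whose TTLs look like they passed through a NAT box.
    Returns {src_ip: (set_of_ttls, reason)} for flagged sources only."""
    seen = defaultdict(set)
    for s in samples:
        seen[s.src_ip].add(s.ttl)
    findings = {}
    for ip, ttls in seen.items():
        if len(ttls) > 1:
            findings[ip] = (ttls, "multiple TTLs from one address")
        elif next(iter(ttls)) not in OS_DEFAULT_TTLS:
            findings[ip] = (ttls, "TTL below OS default: extra hop before first switch")
    return findings


def count_id_streams(samples, src_ip):
    """Estimate hosts behind src_ip by splitting its packets into separate
    monotonically increasing counter sequences (one counter per host).
    Overlapping sequences, e.g. one near 20000 and one near 50000, count as
    two hosts."""
    pkts = sorted((s for s in samples if s.src_ip == src_ip), key=lambda s: s.ts)
    streams = []  # last ip_id seen for each sequence
    for p in pkts:
        for i, last in enumerate(streams):
            if 0 < (p.ip_id - last) % 65536 <= MAX_ID_GAP:  # modulo handles wraparound
                streams[i] = p.ip_id
                break
        else:
            streams.append(p.ip_id)  # no sequence fits: a new host's counter
    return len(streams)


def constructed_samples():
    """Constructed input: two hosts behind a NAT gateway at 203.0.113.5 (TTL 63,
    two interleaved counters) and one directly connected host at 203.0.113.9."""
    out = []
    for i in range(6):
        out.append(Sample(ts=i * 0.2, src_ip="203.0.113.5", ttl=63, ip_id=20000 + i))
        out.append(Sample(ts=i * 0.2 + 0.1, src_ip="203.0.113.5", ttl=63, ip_id=50000 + 3 * i))
    for i in range(6):
        out.append(Sample(ts=i * 0.2, src_ip="203.0.113.9", ttl=64, ip_id=700 + i))
    return out


def report(samples):
    """Combine both heuristics: for each TTL-flagged address, estimate host count."""
    return {
        ip: {"ttls": sorted(ttls), "reason": reason,
             "estimated_hosts": count_id_streams(samples, ip)}
        for ip, (ttls, reason) in ttl_findings(samples).items()
    }


if __name__ == "__main__":
    for ip, info in report(constructed_samples()).items():
        print(ip, info)
```

Both heuristics are exactly as inexact as later posts in the thread say: a firewall that rewrites TTLs defeats the first, and hosts whose IP ID counters are randomized or reset make the second over- or under-count, so a practitioner would treat a hit as a lead to verify, not as proof.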
Get source code. Hack away. Make it set the TTL to 128 when it's in the NAT part of the code. Bingo, problem solved.
now we need to go OSS in diesel cars
Be that as it may, the approach to finding computers hiding behind a NAT box is an inexact science. It's probably of more use to crackers than ISPs. Such graphs of the decremented TTLs of suspected NAT boxes can be explained away by anomalies in the user's firewall software, or what have you. If the ISP implemented something like this and started calling people saying "you've violated the terms of service", you can just play the dumb user and say "I don't know what you're talking about, there is just one computer hooked up to the connection. What's this NAT you speak of?"
How can the ISP prove conclusively that you have a dozen boxes hooked up to the connection? Get a search warrant and take pictures? I think not. While the technique described in the paper is certainly clever, I believe it would have little value in nailing users to the wall when it comes to sharing access.
-R
Some universities try to prevent network users from adding routers and wireless APs. Northwestern, for example, has policy to that effect.
The same would go for corporations - I can easily see why a corporation would want to prevent its employees from adding WAPs and routers.
If they can't or DON'T want to deliver the bandwidth they advertise then STOP ADVERTISING IT. I pay for a 383/384 SDSL connection, I expect to be able to use EVERY MBIT at ANY TIME I SO CHOOSE. If that is a problem for my ISP then they #1 had better stop overselling their lines.
I am curious as to how this differs from the cable companies trying to limit the number of TVs you could have plugged in to cable, or the phone company telling you how many phone extensions you could install? These practices were struck down before, how can they get away with it now?
This is like the airlines selling too many seats on a particular flight, and then not understanding why someone is upset when they can't get on board because the 'unthinkable' happened and everyone showed up....
errr....umm...*whooosh* *whoosh* Is this thing on ?
" For every technology, there is equal and opposite hacker technology".
In short, I am sure the open source community (the OpenBSD guys and the Linux netfilter team) have, or will shortly release mods to foil any NAT detection gear. And I am sure the various NAT box makers and rebadgers (Linksys, Netgear, etc) will soon have a tidy check mark with the text label next to it saying "Hide all computers from greedy ISP and big brother government agency? (y/n) "
Lawyers, MBA's, RIAA? A jedi fears not these things!
A lot of the posters have been talking about how this technique would be used to prevent end-users from providing access to multiple machines in an attempt to charge more for bandwidth. But people who have read the actual paper will note this phrase: "Unauthorized NAT (Network Address Translation) devices can be a significant security problem."
One purpose of this paper is to provide a tool that can address security concerns. And yes, NAT does make it more difficult to police the machines behind the NAT. One reason: "Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building."
This paper never once talks about a problem where NAT users are going to eat up too much bandwidth. Another quote: "In this network the administrative policy is for host computers to be directly connected to the distribution switches, as is shown by Host C. Two hosts, A and B, are connected to the distribution switch through an illicit NAT router." Note the words "administrative policy".
If they don't want people to use their bandwidth to the fullest extent, they should charge per gb, not simply per month.
The only broadband provider in my area just raised their rates by $10/month. I was nice about bandwidth usage before, but now I feel cheated if I don't use it all. I was already paying double what many of my out of state friends pay.
Lucky for them, all versions of the drivers for the cable modem they gave me crash Windows XP if my usage is near the max for several hours.
But they'll soon get what they deserve. Their stock dropped to less 1/20th of last year's price and they're being investigated by the SEC.
According to The Netfilter HOWTO you should be able to just apply the (already existing) TTL patch and then issue a command similar to the following in the appropriate part of your firewall rules:
Gee, that didn't take long :)
Well, they happen to do that right now, mostly because of historical accident. If bogus "NAT detectors" like this proliferate, people will simply move to user-mode NAT. That is, packets from network A are redirected to a user-mode process which then looks at them and sends out a request on network B, and the same in reverse. In that case, the packets sent from the NAT process onto network B are indistinguishable from the packets coming from any other user mode process because they were generated by a user mode process.
The only thing ISPs can do to detect NAT is to look at traffic patterns and accuse you of, say, browsing too many web sites per second. That eventually just amounts to volume-based (or traffic-pattern-based) charges. Sure, they can do that, and they probably should, but at current prices, that's not going to affect you browsing the web from two machines.
I pay for 384k bi-directional. Why is it anyone's business if I run a subnet in my home to tie my cluster together? I am still not getting any more bandwidth, I am simply subdividing the bandwidth among machines. Same argument holds for making the subnet wireless. What exactly is there to object to? What am I supposed to be ripping off?
And when are we going to rise up and tell the greedy, small-minded busy-bodies to take a flying leap? I am beginning to think it isn't even about greed but more about control for the sake of control.