More On Detecting NAT Gateways
tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."
People are still using the same amount of bandwidth paid for, no matter how many machines are using it. When will these companies realize that many people have multiple computers in their home?
Go calculate something
Nice, besides an ad for sFlow, it just shows some more holes we need to patch, and more standards to break.
OS fingerprinting was nice, but now some boxes are replying as a Tandy CoCo; it's a very amusing battle. Now TTL is being used to determine multiple NATed IPs. I'm sure someone will write a nice NAT module for Linux/etc. to bypass this also. Seems like the endless cycle of control freaks losing control.
BTW, not sure which ISPs care about NAT, but there are very, very large NAT-friendly ISPs out there (Speakeasy for one).
I just wanted to extend a big thanks to sFlow for posting this paper (and the AT&T people for posting theirs). Despite the fact that DARPA screwed Theo & Co, they are probably already adding a "modulate TTL" setting to pf as we speak.
And of course if you're ultra-paranoid, then just use something like socks or squid to proxy most or all of your TCP connections, and it's 100% indistinguishable from your firewall making the connections out. Because your firewall is making the connections out.
When will they learn?
Kinda irritates me that stuff like this may make my nice all-in-a-box Netgear NAT useless some day, but it's nice to know that people like OpenBSD are there to back us up.
And like someone else said, what exactly does the cable company expect me to do? Expose all of my internal network to the internet? Cha right! They wouldn't even give me more than 3 IPs anyway!
Cryptic Allusion - New Mac and Dreamcast Games!
but what do i know, i'm just a model.
As someone on slashdot wrote before me, what about 1 singular PC connected to the internet running a couple of sessions of vmware?
Perhaps it would appear to the outside world that there is more than one PC connected, but to prove it, they'd have to have physical access to your home.
Pretty sure they won't get past me...
Praying for the end of your wide-awake nightmare.
Since the method relies on knowing the default TTL (128 for Windows), just set the default TTL to something higher...
In W2K:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL (DWORD)
Just set to 129 if you have a NAT between your PC and the modem.
This way all the packets seem to come directly from a Windows box, and you don't have the (potential) side effects of getting the NAT to change the TTL.
main(i){putchar(177663314>>6*(i-1)&63|!!(i<5)<<6)&&main(++i);}
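The TTL-based detection the thread is arguing about (the sFlow paper's idea, and the DefaultTTL comment above) can be shown concretely from the network operator's side. The following is an added illustration, not code from the sFlow paper, from Slashdot, or from any commenter. It assumes the collector exports per-packet samples as (source IP, observed TTL) pairs and that the monitoring switch is directly attached to the hosts, so a host that is not behind a router should show zero hops; both are labelled assumptions. The sample records are constructed, not captured data.

```python
"""Flag source addresses whose sampled packet TTLs suggest a NAT gateway.

Added illustration; not code from the sFlow paper or from the Slashdot thread.
Assumptions: samples are (src_ip, ttl) pairs as an sFlow collector might
export, and the monitor sits on the access switch, so a directly attached
host is expected to show hop_count == 0 (expected_hops below).
"""
from collections import defaultdict

# Common initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows), 255 (network gear).
DEFAULT_TTLS = (64, 128, 255)


def infer_origin(ttl):
    """Return (initial_ttl, hops): the smallest default TTL >= observed ttl,
    and how many routers decremented it on the way to the monitor."""
    for initial in DEFAULT_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} exceeds 255")


def analyze(samples, expected_hops=0):
    """Group samples by source IP and return {ip: finding}.

    A finding lists the distinct (initial_ttl, hops) profiles seen behind the
    address. More than one profile (several OS families or hop distances
    sharing one address) or any profile whose hop count differs from
    expected_hops marks the address as a probable NAT gateway or router.
    """
    profiles = defaultdict(set)
    for src_ip, ttl in samples:
        profiles[src_ip].add(infer_origin(ttl))

    findings = {}
    for src_ip, seen in profiles.items():
        reasons = []
        if len(seen) > 1:
            reasons.append("multiple TTL profiles")
        if any(hops != expected_hops for _, hops in seen):
            reasons.append("extra hop before monitor")
        findings[src_ip] = {
            "profiles": sorted(seen),
            "nat": bool(reasons),
            "reasons": reasons,
        }
    return findings


# Constructed sample set (not real capture data).
SAMPLES = [
    ("10.0.0.5", 128), ("10.0.0.5", 128),    # plain Windows host, directly attached
    ("10.0.0.9", 64),                        # plain Linux host, directly attached
    ("10.0.0.20", 127), ("10.0.0.20", 63),   # NAT box: Windows + Linux one hop behind it
    ("10.0.0.31", 128), ("10.0.0.31", 128),  # lone Windows host behind NAT with DefaultTTL=129
]

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLES).items():
        label = "probable NAT" if finding["nat"] else "single host"
        print(f"{ip:<10} {label:<13} {finding['profiles']} {finding['reasons']}")
```

The last address in the constructed set is the case the comment above describes: a single Windows machine with DefaultTTL raised to 129 arrives at the monitor with TTL 128, so the hop-count check sees a directly attached Windows host and stays silent. The same trick does nothing for the 10.0.0.20 case, where two OS families with different initial TTLs share one address; that mixed-profile signal is what an operator enforcing a single-host policy would rely on, and it is also why a proxy on the gateway (as another comment notes) leaves nothing for either check to see.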