Slashdot Mirror
More On Detecting NAT Gateways
tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."
Will ISPs use it against us?
No, Beowulf clusters can't imagine in Soviet Russia.
people are still using the same amount of bandwidth payed for, no matter how many machines are using it. when will these companies realize that many people have multiple computers in their home?
If isp's tried to use this in any kind of meaningful way, suddenly there would appear dozens of nat gateway scrubbers that would make sure that the output packets are all uniformely generic. It'll probably turn off the evil bit too.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
Go calculate something
This is going to be used by your ISP to assure you aren't sharing your connection among multiple computers without paying a monthly surcharge for each.
On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.
Jason
So, if they don't want me to use NAT, does that mean they want me to connect each box to their internal network? Meaning I (and everyone else) can get access to computer B's contents when I'm trying to access it from Computer A?
Why can't they just have a flexible plan where I say, yes, I admit I have 3 boxen behind NAT and agree to pay an extra $5 to $10 a month? Or is this too logical for them to do?
I think most smaller ISPs don't really care if you're using NAT. In fact, I bet lots of ISPs expect you to. Your best bet is to read the terms before signing up and stay away from the AOL/Earthlink conglomerate types.
Nice, besides an ad for Sflow, just shows some more holes we need to patch, and more standards to break.
OS fingerprinting was nice, but now some boxes are replying as a tandy coco, its a very amusing battle. Now TTL is being used to determine multiple Nat'ed IPs. I'm sure someone will write a nice nat module for linux/etc to bypass this also. Seems like the endless cycle of control freaks loosing control.
BTW, not sure which ISPs care about NAT, but there are very very large NAT friendly ISP's out there. (Speakeasy for one)
I just wanted to extend a big thanks to sFlow for posting this paper (and the AT&T people for posting theirs). Despite the fact that DARPA screwed Theo & Co, they are probably already adding a "modulate TTL" setting to pf as we speak.
And of course if you're ultra-paranoid, then just use something like socks or squid to proxy most or all of your TCP connections, and it's 100% indistinguishable from your firewall making the connections out. Because your firewall is making the connections out.
When will they learn?
Kinda irritates me that stuff like this may make my nice all-in-a-box Netgear NAT useless some day, but it's nice to know that people like OpenBSD are there to back us up.
And like someone else said, what exactly does the cable company expect me to do? Expose all of my internal network to the internet? Cha right! They wouldn't even give me more than 3 IPs anyway!
Cryptic Allusion - New Mac and Dreamcast Games!
ISPs sell you connectivity, what right do they have to tell you what you can't do with it? Does your electric company tell you what you can and can't plug in and how many things you can power? Now, if i run extention cord around the neighborhood and charge people for it, then there might be a problem.
On internet: For all I'm concerned, I have *ONE* computer connected to my DSL, and other computers connected to the one computer. ISP gonna tell me I can't connect computers to each other? What's next? It'd be illegal to have multiple screen/keyboard/mouse on the ONE computer? (i think this can be done...buddyPC??)
The 'client' computers access resources on the 'gateway', which happens to include the external internet filtered through the firewall. I dont have multiple computers connected directly to the internet, that's just insecure.
And besides, what are they losing anyway from NATs? It's the same connection/bandwidth. 150kbs down on one box is the same as 150 split to 75kbs down on 2 computers. It's still only one IP. Whatever activity (and any responsibility) that goes on is on ONE account.
$cat
How does it cost the ISP more if multiple people share a broadband line? Where is the additional expense to the ISP that needs to be covered?
... do you know how stupid it is to directly connect your box to that cable/dsl modem thing with out at least hiding behind some kind of NAT?
..
Go ahead let them screw their customer base over - sure that'll work! - Good plan!
And another thing
Go ahead and try it - be sure to run BlackICE or something so you can count how many times you get portscanned in an hour
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
afaik Super-DMCA will outlaw all attempts to conceal information in all communication devices, that'll illegalize all firewall, NAT and edge routers, etc.
Stupid as it sounds, but it goes thru our senators, it couldn't be wrong.
The little downside is that the only job left for IT is tech support for Windows installation....
NOT FLAMEBAIT:
Is it legal for the ISP to sniff your packets? I'm very ignorant when it comes to such things, but this screams privacy issues.
--sig fault--
The time before there are "fixed" versions of both NAT (which don't decrement TTL), and of IP packet ID's (changing all ID's into a single monotonically increasing order, or randomizing them) will be measured in hours.
Hopefully the authors of this paper aren't doing research for a living...
-- -pjk Perry Kundert perry@kundert.ca http://kundert.2y.net
If you don't like your ISP's policies then change your ISP.
I get my DSL through speakeasy.net, and so far they seem to be about the coolest provider I've heard of. They don't care how many machines you have hooked up to your connection, they don't care if you run servers, they actually encourage you to share your connection via wireless networking. I read in one of their recent newsletters that if you set up an AP they'd like to know so they can tell the other speakeasy customers about it. I'm pretty sure they're available in most large cities (i'm in seattle).
If you want to sign up and don't mind sending $50 my way use this referral link.
Linksys and similar NAT devices are cheap now. What if you used 2 in sequence? I've done this before, but not for this type of reason. I know it will physically work but wonder about what it would do to this ability to count machines behind a NAT router?
iptables -t mangle -A OUTPUT -i eth0 --ttl-set 64
I have three computers and a PS2 behind an Airport Base Station on a VDSL connection.
When my ISP shuts down all the chatter I see, around the clock, from Code Red hits (default.ida requests, etc.), like 12~14 per second, I'll be happy to discuss my 'expanded' bandwidth usage and how it impacts their resources.
Code Red has little direct impact on my boxes, since I'm MS free, but with the general effect being a load on the network right up against my VDSL modem, this is still a very real issue. If the ISP's want to reduce loads, they can look to stop some of the noise from other sources as well. What other sources? Let me think...ummm...spam mail? Port scan probes....
Everybody here is saying "just fix the NAT code to not decrement the TTL and we're cool", but it's not that easy. At the end of the article (you did read the article, right?) it refers to an AT&T research paper (PDF) on counting the number of hosts behind a NAT box. This is done by looking at packet sequence numbers, using the fact that each host generates its own sequence. This chart shows what happens. If you see one set of packets starting at 20,000 and another at 50,000, all overlapping in time, it's a good bet there are two hosts. It also points out that the default high port numbers NAT uses are another good clue to the presence of NAT.
Port numbers are easy to change, but if your ISP wants to do traffic analysis on your IP address, there's not a lot you can do to hide. I'm just very, very glad that I have an ISP that doesn't suck. In fact, they're pretty damn cool.
What if life is just a side effect of some other process and God has no idea we exist?
Get source code. Hack away. Make it set the TTL to 128 when it's in the NAT part of the code. Bingo, problem solved.
now we need to go OSS in diesel cars
I know the two major broadband ISPs in my area, Calgary, have no policies restricting the use of NATs on their network; They don't support them, but they don't restrict them either. The DSL provider actually sells wireless routers, hubs, switches and access points in their stores and will support them to some degree when purchased from them.
The cable internet provider has policies restricting servers, etc., but they only seem to care when the bandwidth use causes problems.
Other than bandwidth use causing problems, or open mail relays, I don't see why ISPs would really care about NATs. In a way, it's sort of like the telephone company working itself into a froth over an answering machine when they offer voice mail service. Maybe we need SOME regulatory body that would permit the connection of any network device that does not interfere with the operation and enjoyment of other network users, similar to the regulation of telephone devices.
Just throwing out ideas.
Pay attention -- this is important. Where is it stated in capitalist doctrine that the sale-price of a product must be determined by it's cost of production?
Market forces dictate that the sale price of a product will be determined by it's VALUE to consumers. Obviously, having multiple computer attached to a DSL/Cablemodem/Whatever connection has value, or /.ers wouldn't bitch about this topic so much.
Now, market pressures being what they are - the price naturally tends to drift TOWARD the cost of production for a commodity item, and as the market for internet service matures - it becomes more of a commodity.
But, as long as having two computers share an internet connection is important to you, someone will be glad to charge you more to do that. And as long as your ISP has a mechanism to offer "one computer, one price" "two computers, different price" products they are going to do it.
And herein lies the beauty of the system: You don't like it? Start Smilin' Bizitch's NAT-Friendly ISP!
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
Be that as it may, the approach to finding computers hiding behind a NAT box is an inexact science. It's probably of more use to crackers than ISP's. Such graphs of the decremented TTL's of suspected NAT boxes can be explained away by anomolies in the user's firewall software, or what have you. If the ISP implemented something like this and started calling people saying "you've violated the terms of service", you can just play the dumb user and say "I don't know what you're talking about, there is just one computer hooked up to the connection. What's this NAT you speak of?"
How can the ISP prove conclusively that you have a dozen boxes hooked up to the connection? Get a search warrant and take pictures? I think not. While the technique described in the paper is certainly clever, I believe it would have little value in nailing users to the wall when it comes to sharing access.
-R
See what happens when powerful tools get into the hands of terrorists?
(I'm ignoring the cost of creating/leasing lines and support)
ISP's costs are based on bandwidth used (this can depend on when the bandwidth is used, and whether it's up or down and out of their netblock or inside it). The # of machines connected has no bearing and it's pretty damn difficult to define a 'connected pc' IMO. Which of these would you include?:
- A hardware router running embedded linux
- A hardware router running embedded linux which I've hacked and can surf with
- A linux router (with no keyboard/monitor)
- A linux router (with a keyboard/monitor)
- A palm which is connected 1nce per day to a windows machine behind the router
- A bloke who's hijacking my WiFi connection
- A bloke who's hijacking the hijacker's Infared port
- My laptop which I plug in at night and take to work the next day
- An x server (Or Windows Terminal Server) serving 50 websurfing clients
Will I be charged for maximum# concurrent natted boxes, or average# of natted boxes? Or some other sceme?
I don't see where you could draw a nice precise black line on the definition of internet client; it all looks grey to me.
Speculation:
I think ISP's don't charge for bandwidth YET because it'd cost them money to measure it. I assume it would cost them more to measure {average or maximum natted boxes}. I think they'll finally see the light and begin charging an amount that has some pretty close correlation to their costs (though I think it'll take 5 years or so before new ISP's begin rolling out nice routers which catalog bandwidth based on what time of day it is, etc.).
I just perused my TOS agreement with my DSL provider and three things struck me:
1) Fortunately, my DSL provider (SBC) acknowledges and allows the use of routers to connect multiple home computers to a single DSL router.
2) They disallow users to "forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Service." That means that, at least with SBC, reconfiguring your NAT routing device to not decrement the TTL on packets could constitute a breech of contract. YMMV.
3) I could not find any clause prohibiting SBC from inspecting the contents of packets it handles. Theoretically then, in addition to considering the IP ids of received packets as mentioned in the sFlow article, your ISP could perform analysis of any unencrypted traffic from your ip. For instance, If you were playing Counterstrike and your housemate was surfing the web, traffic analysis of the packets originating from your ip could correctly identify the existence of multiple hosts.
Obviously, such analysis would be computationally intense, and could not be performed on an ISP's entire customer base simultaneously, but as a random auditing tool, or a followup to previous suspicion, this type of analysis could be an effective tool for ISP's that wanted to outlaw multiple connections.
That said, I agree with the countless comments to the effect that very few ISP's are going to actively pursue any of these measures; the costs seem to greatly outweigh the benefits. Imagine if my ISP did crack down on my four home computers behind my NAT router: I would still be capable of using the same amount of bandwidth with only one computer, I would be pissed off and looking for another provider, and most importantly, I couldn't give SBC any more money if I tried--it's not as though I can get multiple DSL accounts on the same phone number (and believe me, I certainly wouldn't let SBC charge more for "Platnum NAT Service").
My other
" For every technology, there is equal and opposite hacker technology".
In short, I am sure the open source community (the Openbsd guys and the linux netfilter team) have, or will shortly release mods to fill any nat detection gear. And i am sure the various nat box makers and rebadgers (linksys, netgear, etc) will soon have a tidy check mark with the text label next to it saying "Hide all computers from greedy isp and big brother government agency? (y/n) "
Lawyers, MBA's, RIAA? A jedi fears not these things!
if you haven't heard.. WEP is hackable.
- what is the definition of simultanagnosia?! I've been meaning to look it up!
As someone on slashdot wrote before me, what about 1 singular PC connected to the internet running a couple of sessions of vmware?
Perhaps it would appear to the outside world that there are more than 1 pc connected, but to prove it, they'd have to have physical access to your home.
Pretty sure they won't get past me...
Praying for the end of your wide-awake nightmare.
A lot of the posters have been talking about how this technique would be used to prevent end-users from providing access to multiple machines in an attempt to charge more for bandwidth. But people who have read the actual paper will note this phrase: "Unauthorized NAT (Network Address Translation) devices can be a significant security problem."
One purpose of this paper is to provide a tool that can address security concerns. And yes, NAT does make it more difficult to police the machines behind the NAT. One reason: "Wi-Fi is a particular problem since it allows access to the network from a considerable distance, allowing unauthorized access without even entering the building."
This paper never once talks about a problem where NAT users are going to eat up too much bandwidth. Another quote: "In this network the administrative policy is for host computers to be directly connected to the distribution switches, as is shown by Host C. Two hosts, A and B, are connected to the distribution switch through an illicit NAT router." Note the words "administrative policy".
Sure, it's not pretty, but if the ISPs decide to use it against us, we'll just have to use PROXY's. Linksys/DLink/NetGear/you name it will have an affordable Proxy appliance out before you know it.
... well, they probably won't do it (if they're smart, which they aren't always...).
.02
Let's face it- before the Cable Router was prevalent, everyone that wanted to share used a machine with (2) NICs. The people smart enough to figure it out will do that with Proxy's (or if you're not smart enough to think of that, now I just thought of it for you). Once the companies realize this is another cheap thing that they can do to make lots of $$$, they'll market an applicance cheap that will do it.
Before the cable router, I used 2 NICs and WinRoute to NAT. Before that, 2 NICs and WinProxy to Proxy.
The ISPs will realize that there is always a way around it, and that the trouble of detecting will cause them so much pain that
My
If they don't want people to use their bandwidth to the fullest extent, they should charge per gb, not simply per month.
The only broadband provider in my area just raised their rates by $10/month. I was nice about bandwidth usage before, but now I feel cheated if I don't use it all. I was already paying double what many of my out of state friends pay.
Lucky for them, all versions of the drivers for the cable modem they gave me crash Windows XP if my usage is near the max for several hours.
But they'll soon get what they deserve. Their stock dropped to less 1/20th of last year's price and they're being investigated by the SEC.
That is usually the difference between business and consumer internet connections.
Consumer bandwidth is oversold to decrease the price, and the ISP expects you to not max out your bandwidth all the time.
Business connections allow you to connect as many people as you want, run servers, max out your bandwidth 24/7, and you pay the price.
If you want business access, buy it cheapskate. Don't rant and rave about your ISP because you don't understand what kind of service you've contracted for. What you really asking for is for them to get rid of the consumer tier and force everyone to pay business tier prices. That would give us all less choices.
My complaint about anti-NAT measures is that though I have multiple computers connected, one is my laptop and one is my fileserver (for stuff that doesn't all fit on my laptop's HD). Only one person ever accesses the internet from my house. Multiple computers != Higher bandwidth usage. If the problem is bandwidth than they should check for excessive bandwidth usage, not NAT hosts.
I'm sure there are many ISP's throughout the world that don't really care if you've got a little Linksys router with a few PC's behind it. I found one today that encourages it.
Black Hills Fibercom (in little Rapid City, SD). They offer phone, digital cable, and broadband. Called today on behalf of my Dad who is considering their broadband package. I asked about firewalls - they strongly recommend using one and will even help set up any of the major software firewalls during install. He then proceeded to recommend purchasing a NAT router for additional protection. I damn near fell out of my chair.
We talked a bit about bandwidth and I brought up access for multiple PC's. He then said definately get a router or they would have to charge an additional (though nominal) fee for each additional IP. At that point, I did fall out of my chair.
They won't support your home network nor will they help set up your router. They will, however, walk a user through disconnecting it during a support call if it's necessary for them to see their computer over the network to resolve an issue.
Almost makes me wish I still lived there.
- If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
I work for a small ISP in northern California. We don't have any policies against our users using NAT. We provide NAT routers to our ADSL customers and recommentd cable/dsl routers to our DSL customers on our older system. We also help our users setup ICS if they're running windows. We have sold systems running linux to our wireless customers.
It's not that we care how many computers someone has behind these NAT devices. It's how much of the bandwidth they bought that they are using and how often they're using it.
Our basic ADSL and wireless offerings are 384k/128k. If we had every user maxing out their connection all the time, then we'd have to charge more. Because we're in a remote area, we pay more for our T1 service. We have a T1 that runs about $1k per month and another about $1300 per month (special build for geographic diversity). If 4 of our ADSL or wireless users held their connection maxed out all the time, that would pretty much eat a whole T1. We have just over 300 broadband customers and about 600 dialup on two T1 lines with a third on the way.
Our 384k/128k service is regulated and costs $49.95 per month. If every broadband user insisted on maxing out their connection 24/7, we'd have to charge broadband customers $250 per month just to break even on the T1 costs. That doesn't even count the overhead associated with staff and equipment.
I'm sure there are ISP's out there that are all about the money. We try to be more about service and making sure our customers are happy. But we have to make a living too. I don't think the issue should be if you're using a NAT device or how many computers you have hooked up to it. As I said, we encourage it. I think the issue should be about usage. Sell 3 gig per month. Charge for data over that. (3 gig is a number I pulled out of my head)
My point is, if the ISP is worried about usage, they should charge for that and not for how many computers are behind a NAT box.
And why is that? Power companies do it (and get roundly bitched out if they fail to live up). Phone companies do it. Airlines do it, though they do allow you to bet that there will be no-shows. Banks are legally required to be fairly well prepared for runs on their accounts. And yes, if an entire bank ran out of money and left their depositers SOL with a simple "Oh well", I would blame them. They may not be able to prepare for the absolute Armageddon-style worst case scenario, but if they advertise it, they damned well better deliver it and not bitch and moan if their customers actually call the bluff.
I never ever saw a pricing scheme in which a cable company would sell you additional connections for additional TVs
I bet you a whole dollar that we will start to see exactly this kind of nonsense over the next few years in states that have passed the super-DMCA laws. Cable is a communications line and it would be perfectly legal for Time Warner to demand that I account for every device connected. Hell, they could demand that I'm not allowed to use Sony TVs or Panasonic VCRs if they so wanted to. And don't think for a minute that some tin-pot PHB won't try it.
because that would degrade the signal's quality for other users
Huh? Care to provide some support for that little gem?
For phone extensions, on the other hand, applicable arguments are similar to the ISP story. Which also is an area in which you're not so very much in touch with reality, as we've already seen.
I suggest you bone up on your tele-history before you start bandying about insults about ridiculous corporate activities. Ma Bell used to do exactly this. If you wanted another phone on the same line, you had to pay for it. There are plenty of accounts right here on /. by people who, before the breakup, had to hide their 'illicit phones' whenever repairmen came by. It got rightly busted down because it was a bullshit practice.
Dyolf Knip
Since the method relies on knowing the default TTL, (128 for windows), just set the default TTL to something higher...
\ Servic es\Tcpip\Parameters\DefaultTTL (DWORD)
In W2K:
HKEY_LOCAL_MACHINE\System\CurrentControlSet
Just set to 129 if you have a NAT between your PC and the modem.
This way all the packets seem to come directly from a Windows box, and you don't have the (potential) sideeffects of getting the NAT to change the TTL.
main(i){putchar(177663314>>6*(i-1)&63|!!(i<5)<<6)&&main(++i);}
but I can remember when the phone company, and there WAS ONLY MA-BELL back then claimed to OWN the phones inside your house. The first cable companies regulated the number of TV's you could use by lowering th power on the line, but again why is it my problem (Joe User) if an ISP has been foolish and promised customers always on bandwidth and then doesn't have the bandwidth when those customers try to exercise the service they've payed for ??
BTW how does my use of the end product affect ANY OTHER USERS ? we are not talking token ring here what hits my house ends there cable TV speaking ?
!!!"But that doesn't mean they should plan for an event in which all users want all their bandwidth simultaneusly." !!! Why not ? Fail to plan for a viable worst case and you are a FOOL, and generally a bankrupt one.
As an employee of a major bank, I'd suggest you read your account agreement, they HAVE thought of that and you will be stuck with a Cashiers check if the manager decides the case warrants it.
As an Aside I do have a business class SDSL connect with redundency and a rate for redress if they are down outside SOW for more than 2 hours, and it is quite a bit steeper 149.00 for 384 sdsl.
errr....umm...*whooosh* *whoosh* Is this thing on ?
According to The Netfilter HOWTO you should be able to just apply the (already existing) TLL patch and then issue a command similar to the following in the appropriate part of your firewall rules:
Gee, that didn't take long :)
Well, they happen to do that right now, mostly because of historical accident. If bogus "NAT detectors" like this proliferate, people will simply move to user-mode NAT. That is, packets from network A are redirected to a user-mode process which then looks at them and sends out a request on network B, and the same in reverse. In that case, the packets sent from the NAT process onto network B are indistinguishable from the packets coming from any other user mode process because they were generated by a user mode process.
The only thing ISPs can do to detect NAT is to look at traffic patterns and accusing you of, say, browsing too many web sites per second. That eventually just amounts to volume-based (or traffic-pattern-based) charges. Sure, they can do that, and they probably should, but at current prices, that's not going to affect you browsing the web from two machines.
In our case, it is. It's a member-owned cooperative. I used to pay for someone else's Hummer and house with a pool, now I get a check back every year, and a vote in the management of the cooperative. I live 55 miles from the city and have excellent DSL service. And I must admit, I have downloaded plenty of Linux ISO's and 'other' big files, even had my "Internet Cafe" with 5 machines running off it, and never a complaint.
I'll say it again: Member Owned Cooperative.
DNA based encryption with software developed
So configure your router to not decrement the TTL for forwarded packets and to use ports ranging from 1024 to 65535. This can be easily defeated, especially with PF or IPF.
I pay for 384k bi-directional. Why is it anyone's business if I run a subnet in my home to tie my cluster together? I am still not getting any more bandwidth, I am simply subdividing the bandwidth among machines. Same argument holds for making the subnet wireless. What exactly is there to object to? What am I supposed to be ripping off?
And when are we going to rise up and tell the greedy, small-minded busy-bodies to take a flying leap? I am beginning to think it isn't even about greed but more about control for the sake of control.
Another option is the SSHd option of TCP forwarding; once the connection hits the router box, that is running a SSHd server, the packets would be pulled out, decrypted, and sent out an entirely new connection to the Internet. In that respect there would be only one machine accessing the Internet and all of the others on the LAN would be accessing it.
Another option would be to have the NAT box, if it was done on a real computer that could be programmed instead of a dedicated box such as those from D-link, Netgear, etc., check for bandwidth consumption and when there is a lot of excess it could just make its own requests and deliver them to /dev/null. This would add a great deal of garbage to the data that must be analyzed
It seems that the simplest solution for actually cloaking the number of boxen that sit behind a NAT/firewall is simply to get the initial IPid of a connection out of a random number generator like one of the BSD flavors did in the article.
Just my $0.02...
Restore America: Dr. Ron Paul for President!