
More On Detecting NAT Gateways

tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."


  1. still same bandwidth by boolean0 · · Score: 4, Interesting

    people are still using the same amount of bandwidth payed for, no matter how many machines are using it. when will these companies realize that many people have multiple computers in their home?

    1. Re:still same bandwidth by SWroclawski · · Score: 4, Interesting

      Well every industry goes through this it seems (at least in the US).

      The phone company used to care how many phones you had. Then the cable company charged per television, and some ISPs care how many computers you have.

      The key difference I see is the two previously mentioned industries had those issues resolved by regulation. Regulating consumer grade ISPs might not be a bad thing and finally set limits on things like number of computers or port restriction. And if not- at least we'll know what "consumer grade" service is and all switch to "Small Office" connections, which already seem to be the way to go for people who actually want to use their internet connection at home.

      - Serge Wroclawski

    2. Re:still same bandwidth by SWroclawski · · Score: 4, Interesting

      Indeed, NAT is (in this context) just a modern day television splitter.

      While the ISPs may go after a few people- I have serious doubts that the practice will become widespread. Just as the TV splitter was commodity, so are cheap NATs. Heck, some expensive cable modems you can buy in the store come with NAT!

      The products are already sold as "Cable Modem Routers".

      It is, of course, possible that the ISPs and media publishers would go after home users, but it's likely they'd do it over bandwidth consumption or trading copyrighted material rather than just NATing. Going after them just for NATing wouldn't benefit them. The ISP loses a customer and gets a bad reputation, the home electronics company gets mad at the ISP and the customer loses.

      At least with file traders, the ISP is losing a "bandwidth hog". It may be a weak excuse, but it's something.

  2. What will the future hold? by Blaine+Hilton · · Score: 4, Interesting

    The whole idea of the Internet is a network of networks. Things like this along with certain large ISPs blocking any email from whole blocks of networks without reason leads me to wonder how open the Internet really is, and how closed it could become. ISPs should be selling network connectivity, without restricting what use that connectivity has. I have the same feeling with business phone lines. Businesses are charged more just for being a business, they may use the phone more, but not necessarily.

    Go calculate something

  3. Internet providers. by jfisherwa · · Score: 4, Insightful

    This is going to be used by your ISP to assure you aren't sharing your connection among multiple computers without paying a monthly surcharge for each.

    On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.

    Jason

    1. Re:Internet providers. by phillymjs · · Score: 4, Insightful

      ...we will soon see ways to fool this check and go back to business (balance) as usual.

      Yep, and then the parties interested in counting NATed machines will go buy a law criminalizing circumvention of their "AUP Enforcement Technology."

      After all, only terrorists don't want anyone to know how many machines they've got connected to their cable/DSL modem, right?

      ~Philly

  4. Its a war, you break standards. by BrookHarty · · Score: 4, Interesting

    Nice, besides an ad for Sflow, just shows some more holes we need to patch, and more standards to break.

    OS fingerprinting was nice, but now some boxes are replying as a Tandy CoCo, it's a very amusing battle. Now TTL is being used to determine multiple NAT'ed IPs. I'm sure someone will write a nice NAT module for linux/etc to bypass this also. Seems like the endless cycle of control freaks losing control.

    BTW, not sure which ISPs care about NAT, but there are very very large NAT friendly ISP's out there. (Speakeasy for one)

  5. Thanks, sFlow! by frohike · · Score: 4, Interesting

    I just wanted to extend a big thanks to sFlow for posting this paper (and the AT&T people for posting theirs). Despite the fact that DARPA screwed Theo & Co, they are probably already adding a "modulate TTL" setting to pf as we speak.

    And of course if you're ultra-paranoid, then just use something like socks or squid to proxy most or all of your TCP connections, and it's 100% indistinguishable from your firewall making the connections out. Because your firewall is making the connections out.

    When will they learn?

    Kinda irritates me that stuff like this may make my nice all-in-a-box Netgear NAT useless some day, but it's nice to know that people like OpenBSD are there to back us up.

    And like someone else said, what exactly does the cable company expect me to do? Expose all of my internal network to the internet? Cha right! They wouldn't even give me more than 3 IPs anyway!

  6. Ummm no ... by bizitch · · Score: 4, Insightful

    How does it cost the ISP more if multiple people share a broadband line? Where is the additional expense to the ISP that needs to be covered?

    Go ahead let them screw their customer base over - sure that'll work! - Good plan!

    And another thing ... do you know how stupid it is to directly connect your box to that cable/dsl modem thing without at least hiding behind some kind of NAT?

    Go ahead and try it - be sure to run BlackICE or something so you can count how many times you get portscanned in an hour ..

    --
    ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano

    1. Re:Ummm no ... by Rude+Turnip · · Score: 4, Informative

      There are no additional costs.

      Bandwidth: You can only suck so much down on a broadband connection at a time. One guy downloading MP3's all day is using more bandwidth than two people in a household with simple needs who want to network their two computers.

      Customer Support: If the service contract says one IP, one system, they're not going to help you solve problems with your network. Comcast refuses to troubleshoot anything for me until I plug my system directly into the cable modem, for example.

      Security: The user bears this cost, not the ISP.

      Repairs: If you pay for "consumer level" service, they're only going to give you "consumer level" service, regardless of how many people use the connection.

    2. Re:Ummm no ... by nolife · · Score: 5, Insightful

      Bullshit..

      Bandwidth (about $50-130/mb wholesale)

      Number of computers in a home environment does not automatically mean more BW. It may come in spurts but not more overall. I go online and do certain things every day. I can do this before, after, or during the times the kids are on and use the same exact BW either way. My firewall is reject unless specifically allowed (limits trojans and spurious connections), I use squid and have every PC set to use it via a proxy.pac autoconfig (currently at over a 45% hit rate after 80k requests) and a caching DNS server.

      Customer support (additional troubleshooting)

      Maybe, maybe not, I also think this would reduce support as you can eliminate problems related to your PC as you can try another one, or blame it on the ISP.. I would also suggest that a person with a multi-PC setup is probably smarter than the average computer user and would call support less.

      Security (more machines, more chance for trojans, etc)

      This is laughable. It would be much safer to have 15 computers behind a NAT box/firewall than one Windows or misconfigured Linux machine directly connected.

      Repairs (the guy with six people sharing a cable modem is going to expect instant service restoration, whether he's paying for it or not)

      So what you're saying is everyone with one computer should not expect good service and fast repairs? They just sit back and wait for the ISP to find the problem and they should not expect the service to work when they need it?

      You do have points but those can not be separated into those with and without NAT.

      And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out.

      What do you mean set one up, they are everywhere. Check the advertisements for Comcast, RR, Verizon, Speakeasy, and many others. They all say pretty much the same... Unlimited internet and connected all the time so your online experience is fast and quick. Maybe they should change their tune. Kind of like my cell phone plan.. Unlimited nights and weekends, free long distance, unlimited phone to phone, and unlimited web access. Do you think I should feel guilty when I use it? I don't, that's what they are advertising and that's what I bought the damn things for. Sure as shit, I browse the web with the phone whenever i want, I call all my relatives after 9:00pm or any time during the weekend, and I call phone to phone just because I can.

      --
      Bad boys rape our young girls but Violet gives willingly.
    3. Re:Ummm no ... by n3k5 · · Score: 4, Interesting
      There are no additional costs. [...] You can only suck so much down on a broadband connection at a time.
      You're assuming here that every customer is maxing out his/her bandwidth all the time, as if every customer had a P2P client running all the time and enough active downloads that more data is available than he/she can suck down. However, this is not the reality, hence this is not how ISPs calculate their fees. If they did calculate their fees that way, their service would be much more expensive. Just compare with enterprise-level ISPs that sell 24/7 _guaranteed_ bandwidth. So, ISPs are saving costs because their users don't use all that bandwidth -- and this is even true if they charge for the MegaByte instead of a flat fee! More users means making more use of the available bandwidth, means more costs.
      If the service contract says one IP, one system, they're not going to help you solve problems with your network.
      A reasonable contract says one system at a time, they'll let you upgrade your PC, they'll let you run different operating systems, they'll most likely let you plug in your laptop you took home from work. Now if you have trouble setting up the connection on any system, they should help you even if they helped you before with another system.
      --
      but what do i know, i'm just a model.

  7. Bzzzt! Sorry; Close, but no cigar! by pjkundert · · Score: 4, Informative

    The technique described depends on two very simple mechanisms; A) assuming that a NAT router will decrement each packet's Time-To-Live (TTL), thus exposing its presence, and B) searching for independent, incrementing sequences of IP packet IDs, to estimate the number of hosts behind the NAT router.

    The time before there are "fixed" versions of both NAT (which don't decrement TTL), and of IP packet IDs (changing all IDs into a single monotonically increasing order, or randomizing them) will be measured in hours.

    Hopefully the authors of this paper aren't doing research for a living...

    --
    -- -pjk Perry Kundert perry@kundert.ca http://kundert.2y.net
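The two mechanisms pjkundert lists above (a one-hop TTL offset and independent, increasing IP ID sequences) as a small detector over flow records. This is an added example, not code from the sFlow paper or from any poster; the sample records, the assumption that the monitor sits on the customer-facing port (so a host without a NAT is 0 hops away), and the set of initial TTLs are all mine.

```python
from collections import defaultdict

# Constructed sample (src_ip, ttl, ip_id) as a flow monitor on the customer-facing
# port might export them; all values are made up for this example.
SAMPLE = [
    ("192.0.2.10", 128, 1000), ("192.0.2.10", 128, 1001), ("192.0.2.10", 128, 1002),
    ("192.0.2.20", 127, 5000), ("192.0.2.20", 63, 300), ("192.0.2.20", 127, 20000),
    ("192.0.2.20", 127, 5001), ("192.0.2.20", 63, 301), ("192.0.2.20", 127, 20001),
    ("192.0.2.20", 127, 5002), ("192.0.2.20", 63, 302), ("192.0.2.20", 127, 20002),
]
INITIAL_TTLS = (32, 64, 128, 255)  # common OS default TTLs (assumed list)

def ttl_hops(ttl):
    """Distance from the nearest common initial TTL at or above the observed value."""
    return min(init - ttl for init in INITIAL_TTLS if init >= ttl)

def count_id_sequences(ids, max_gap=50):
    """Lower-bound count of independent increasing IP ID counters in `ids`: each ID
    joins the closest preceding sequence tail within max_gap or starts a new one."""
    tails = []
    for cur in ids:
        best, best_gap = None, None
        for n, last in enumerate(tails):
            gap = cur - last
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = n, gap
        if best is None:
            tails.append(cur)
        else:
            tails[best] = cur
    return len(tails)

def analyze(records, expected_hops=0):
    """Per source address: TTL offset, initial-TTL families seen, host estimate."""
    by_src = defaultdict(list)
    for src, ttl, ip_id in records:
        by_src[src].append((ttl, ip_id))
    report = {}
    for src, pkts in by_src.items():
        hops = min(ttl_hops(t) for t, _ in pkts)
        families = {t + ttl_hops(t) for t, _ in pkts}  # inferred initial TTLs
        hosts = count_id_sequences([i for _, i in pkts])
        report[src] = {
            "min_hops": hops,
            "ttl_families": len(families),
            "hosts_estimate": hosts,
            "nat_suspected": hops > expected_hops or hosts > 1 or len(families) > 1,
        }
    return report
```

Stacks that randomize the IP ID or send it as zero never form a sequence, so the host estimate is a floor, and as the thread's later comments note, a NAT that leaves TTL untouched defeats the hop check entirely.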
  8. Re:not all ISPs care by Sabalon · · Score: 4, Insightful

    Mine says you're not supposed to, yet the installers recommended a brand of NAT device to buy.

    Wish I had that on tape :)

  9. Yawnn.. iptables? by MacroHard · · Score: 5, Informative

    iptables -t mangle -A OUTPUT -o eth0 -j TTL --ttl-set 64

    1. Re:Yawnn.. iptables? by graf0z · · Score: 4, Interesting
      This will break some things, i.e. traceroutes from NATed boxes to the outside world. Better: change default initial TTL on the packet originating box. I read a reply with the according MSwin-registry-entry, this is for linux:
      /sbin/sysctl -w net.ipv4.ip_default_ttl=129

      /graf0z.

  10. Yes, and.... by djupedal · · Score: 4, Informative

    I have three computers and a PS2 behind an Airport Base Station on a VDSL connection.

    When my ISP shuts down all the chatter I see, around the clock, from Code Red hits (default.ida requests, etc.), like 12~14 per second, I'll be happy to discuss my 'expanded' bandwidth usage and how it impacts their resources.

    Code Red has little direct impact on my boxes, since I'm MS free, but with the general effect being a load on the network right up against my VDSL modem, this is still a very real issue. If the ISPs want to reduce loads, they can look to stop some of the noise from other sources as well. What other sources? Let me think...ummm...spam mail? Port scan probes....

  11. Re:Change TTL by Skapare · · Score: 4, Insightful

    Get source code. Hack away. Make it set the TTL to 128 when it's in the NAT part of the code. Bingo, problem solved.

    --
    now we need to go OSS in diesel cars

  12. What about Virtual Machines? by BadBlood · · Score: 4, Interesting

    As someone on slashdot wrote before me, what about 1 singular PC connected to the internet running a couple of sessions of vmware?

    Perhaps it would appear to the outside world that there are more than 1 pc connected, but to prove it, they'd have to have physical access to your home.

    Pretty sure they won't get past me...

    --
    Praying for the end of your wide-awake nightmare.

  13. Re:Err and that is the USERS problem ?? by gripdamage · · Score: 4, Insightful

    That is usually the difference between business and consumer internet connections.

    Consumer bandwidth is oversold to decrease the price, and the ISP expects you to not max out your bandwidth all the time.

    Business connections allow you to connect as many people as you want, run servers, max out your bandwidth 24/7, and you pay the price.

    If you want business access, buy it cheapskate. Don't rant and rave about your ISP because you don't understand what kind of service you've contracted for. What you're really asking for is for them to get rid of the consumer tier and force everyone to pay business tier prices. That would give us all fewer choices.

    My complaint about anti-NAT measures is that though I have multiple computers connected, one is my laptop and one is my fileserver (for stuff that doesn't all fit on my laptop's HD). Only one person ever accesses the internet from my house. Multiple computers != Higher bandwidth usage. If the problem is bandwidth then they should check for excessive bandwidth usage, not NAT hosts.

  14. Easy Windows Fix by Winter · · Score: 4, Interesting

    Since the method relies on knowing the default TTL, (128 for windows), just set the default TTL to something higher...

    In W2K:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL (DWORD)

    Just set to 129 if you have a NAT between your PC and the modem.

    This way all the packets seem to come directly from a Windows box, and you don't have the (potential) side effects of getting the NAT to change the TTL.

    --
    main(i){putchar(177663314>>6*(i-1)&63|!!(i<5)<<6)&&main(++i);}

  15. How is this anyone's business? by samantha · · Score: 4, Insightful

    I pay for 384k bi-directional. Why is it anyone's business if I run a subnet in my home to tie my cluster together? I am still not getting any more bandwidth, I am simply subdividing the bandwidth among machines. Same argument holds for making the subnet wireless. What exactly is there to object to? What am I supposed to be ripping off?

    And when are we going to rise up and tell the greedy, small-minded busy-bodies to take a flying leap? I am beginning to think it isn't even about greed but more about control for the sake of control.