
Remotely Counting Machines Behind A NAT Box

timothy posted more than 11 years ago | from the you-knew-this-was-coming dept.

The Internet 618

Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."


618 comments


First Post for Osama! (-1)

Fecal Troll Matter (445929) | more than 11 years ago | (#5234605)

Seems we've forgotten about him, eh?

"I like to eat your sperm," (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5234886)

says Monsieur Chirac about his favorite Uncle Saddam Hussein.

"Nein! I like to eat his sperm BETTER!" shouts Herr Schroeder, looking wide-eyed at his Sugar Daddy Saddam, fearful of his believing otherwise.

well (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5234615)

maybe you should learn to count my 1337ness first! muha! fp! weeee!

- cornjchob

I'm anon so my karma doesn't go down

Yeah! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5234632)

Great, wonderful, super, oh wait.... this is a bad thing?

Just another way.... (1, Informative)

Anonymous Coward | more than 11 years ago | (#5234633)

For 'the man' to stick it you, and your wallet...

this sucks (0, Flamebait)

hpavc (129350) | more than 11 years ago | (#5234635)

this sucks ... i hope that a simpler way comes down the pipe for iptables users soon

Re:this sucks (5, Informative)

arivanov (12034) | more than 11 years ago | (#5234990)

There are already several simpler ways:

1. Use proxies instead of NAT and proxy transparently if needed. Yeah, I know, none of the P2P download sucker shit as it does not have proxies but such is life.
2. Use OSes with better randomisation of IP IDs. This is a tuneable parameter on most OSes and after you have turned it on the graphs are no longer so pretty.

What about Linux? (0)

Anonymous Coward | more than 11 years ago | (#5234638)

Can linux fool these snoopers? Can it
be changed to fool them?

Re:What about Linux? (4, Interesting)

Anonymous Coward | more than 11 years ago | (#5234744)

From the paper:

We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event. It should be possible to detect a random background to other, linear sources; the current version of the code does not do that.

So take that BSD bashers [ggg]. Of course, a gateway implementation to mask/randomize the IPids would be better - giving you a site-wide fix at once.

First one to market with one wins ;)

damn. (1)

intermodal (534361) | more than 11 years ago | (#5234650)

now i'm going to have to go back to being pissed that I had to do this, right when i got used to having it there and was fine with it now that i was safe.

Not where I'm from (5, Interesting)

pi radians (170660) | more than 11 years ago | (#5234665)

Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.

There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.

Re:Not where I'm from (2, Funny)

Anonymous Coward | more than 11 years ago | (#5234748)

If by GTA you are referring to the Greater Toronto Area, then yes, because they are capping bandwidth and charging you extra if you go over the limit. So go ahead, hook up as many computers as you want, they'll love it :)

Re:Not where I'm from (1)

pi radians (170660) | more than 11 years ago | (#5234854)

Yeah, I have a 40Gb limit combined for upload and download. I have yet to go over that limit.

Re:Not where I'm from (1)

boy_of_the_hash (622182) | more than 11 years ago | (#5234765)

Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.

They can't do anything anyway unless they outlaw Open/FreeBSD. Or have I just booped by actually reading the article?

Re:Not where I'm from (2, Informative)

cayenne8 (626475) | more than 11 years ago | (#5234923)

Yeah, my first question was, "Is this a problem?" I'm with Mindspring, and they don't seem to have any problems with multiple computers...mine are all wireless hooked to the DSL wireless router/switch....no 'caps' either that I know of....

Re:Not where I'm from (2, Informative)

aberson (461047) | more than 11 years ago | (#5234924)

Verizon DSL in NJ told me a NAT was no problem, and they are willing to support certain brands... and sell them to you. Of course, that was probably a last ditch effort to give up trying to restrict users and instead make money off multiple computers some other way. With something like this, they could quickly change their minds again.

Re:Not where I'm from (5, Funny)

Anonymous Coward | more than 11 years ago | (#5234953)

Do you live in Liberty City or Vice City?

Not a problem here either.. Verizon... NJ (1)

HalfStarted (639977) | more than 11 years ago | (#5234993)

Yeah... from verizon's access policy [verizon.net] [http://www2.verizon.net/policies/agreement.asp] section 2.5.b You may connect multiple computers/devices within a single home or office location to your DSL modem and/or router to access the Service , but only through a single DSL account and a single IP address obtained from Verizon Online.

Protection for Linux (2, Interesting)

JWSmythe (446288) | more than 11 years ago | (#5234666)


So how would a geek like me hide my machines with a Linux firewall, using ipchains? Or am I protected? Would my vmware instances show as multiple machines?

Re:Protection for Linux (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5234804)

The nature of your stupid questions reveals that you are, in fact, not a geek. Rather you are a doofus.

Re:Protection for Linux (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5234810)

Run, hide, they're at your door! You're finished, you evil criminal! Soon the IP brigade will drag you off to rot in jail for your immorality.

Re:Protection for Linux (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5234992)

for starters RTFA
the mods obviously didnt read it either

Not a bad thing (5, Informative)

gengee (124713) | more than 11 years ago | (#5234673)

This could be pretty handy. One of the problems with L4 load balancing schemes is that the only way to do persistence tracking is by client IP address. (Persistence tracking is necessary if your application does not save state to some central place). Unfortunately, this means thousands of users behind a single NAT'ing box may get assigned to the same server in your load-balanced pool. If you could identify a specific NAT'd box behind a gateway, you could assign the users to different servers.

Still be screwed by proxies, though...

Re:Not a bad thing (1, Informative)

Anonymous Coward | more than 11 years ago | (#5234900)

When you NAT, you assign different source ports for each IP address. Keeping this in mind, you can load balance by IP address and source port to solve this issue. That is what devices like Radware's WSD can use to properly load balance.

what if they are chained? (5, Interesting)

SHEENmaster (581283) | more than 11 years ago | (#5234693)

so that you have two firewalls back2back and the other boxes behind it? It's a bit extreme, but worth it if your cable company is composed of jackasses.

Most users just want web access, and this technique doesn't work on proxies.

Re:what if they are chained? (5, Funny)

Snork Asaurus (595692) | more than 11 years ago | (#5234849)

if your cable company is composed of jackasses

You mean there are some that aren't?

Re:what if they are chained? (0)

Anonymous Coward | more than 11 years ago | (#5234850)

Two firewalls? WTF are you talking about, why would you ever need 2 firewalls? just configure the first one properly...

Re:what if they are chained? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5234981)

By using 2 firewalls one can ensure that the method described for counting the number of devices behind a NAT will only show as 1, being the second device or firewall. It also provides a proper DMZ for a webserver/mailserver/ftpserver, which makes an excellent NAT in itself when multihomed. Think about it.....

Re:what if they are chained? (2, Interesting)

pagen (52961) | more than 11 years ago | (#5234946)

Ok - Panicking in Austin here. Can you do this with a second NAT device? I have a nice Router using NAT (SMC Barricade - SMC7008BR). If I buy the new SMC model and stick it between the Cable Modem and the current SMC, would this avoid any detection? A one time $100 seems like a simple solution for my home network. Even pays for itself in a month.

Thanks in advance,

PaGeN

Top 5 ways to count # of machines behind a NAT box (4, Funny)

Amsterdam Vallon (639622) | more than 11 years ago | (#5234694)

5 -- Via the traditional finger point, coupled with the ever-popular audible counter increment

4 -- Thermal image detection scan

3 -- Utilize the same finger pointing mentioned in 5, but avoid the audible count as an enhanced privacy measure

2 -- Avoid counting and caring about counting altogether; continue browsing Slashdot

1 -- Call the dude with the NAT box and ask him!

Free tech news & blogging for life -- *nix.org [starnix.org]

Re:Top 5 ways to count # of machines behind a NAT (0)

Anonymous Coward | more than 11 years ago | (#5234913)

Hack the box and ARP!!!

Damn, getting more difficult to hide my 23 machine (0)

Anonymous Coward | more than 11 years ago | (#5234700)

i am already using |Cable Modem| - |Netgear Router| - |Linux Firewall| - |clients| and maybe that's still not enough.

Does this count!? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5234701)

Matt lay in bed. Matt had company. A November morning is what it was and Matt's company
was another man. A young man - a proverbial "Twink" just like Matt himself.

Matt's friend was gay - Matt was gay. Matt's gay friend stood very close to the head of Matt's
bed. There was a snuffling sound from Matt - he appeared to be attached to his gay friend by way of his face.
Matt was cock-gobbling. His gay friend had gotten up to put on a pair of white/lime green stripy underpants when
upon discovering a rising erection he turned to Matt for assistance.
Matt's assistance basically comprised of turning his face away from the bed and allowing penile entry into his mouth.
Indeed Matt had wanted penile entry and had begun by sucking hard.
The incident took no more than 15 minutes. Not a word was spoken.
Snuffle, snuffle, snuffle.
Matt's gay friend reached down with an unclothed arm and began cradling Matt's head.
Matt was in Heaven. The more he snuffled the more his gay friend had begun to pant.
Indeed - to moan.
Now, with both hands around Matt's head Matt's gay friend was beginning to feel really excited.
A special time was approaching.
Matt's gay friend had a rod of iron - jammed hard between his legs.
Thrust - suck. Thrust - suck. Wet yet firm. Hard yet pliant.
Matt had nice lips - just right for a fuck.
Pump, pump, pump. Suck, suck, suck.
And that is when it happened.

The closest thing to a word spoken - "Uuu-uuu-uuuuuu-uuuuh..."
Matt had hit gold. Or was it silver? Whatever it was it was causing a lather.
The pumping and sucking stopped.
Uncertainty set in. Jerk - fuck - jerk - fuck.
And then what?
Matt's throat constricting - swallowing. His short hair caught in the grip of another.
Matt had a throatful of spunk.
What a delighful load of another man's muck!

Five minutes later Matt was in shock. His gay friend was leaving - was this all he got?
The floor was no longer covered in yesterdays clothes. Save Matt's socks and a new pair of shoes.
There was the sound of running water, and then a ruffling of clothes.
Another minute later and the door to his apartment closed.
Matt was morose.

that's not cool (1)

RIT Beast (645989) | more than 11 years ago | (#5234704)

Now I've gotta go on the Lam again!

Brendan

What about NAT behind NAT? (5, Funny)

Anonymous Coward | more than 11 years ago | (#5234706)

What about when I put a NAT machine behind a NAT machine? ;-)

Re:What about NAT behind NAT? (4, Funny)

Tumbleweed (3706) | more than 11 years ago | (#5234881)

Well, then, they'll just use their ANTI-anti-NAT technology!

"No, no, not 'Anti-NAT,' that's my Aunt Natalie!"

Maybe not home gateways... (2, Interesting)

jericho4.0 (565125) | more than 11 years ago | (#5234709)

but I bet a fix will appear for the Linux kernel pretty quick.

This is similar to the Paketto suite. That allowed pinging behind a NAT wall.

Re:Maybe not home gateways... (0)

Anonymous Coward | more than 11 years ago | (#5234967)

guess what? there already is a fix!
aint open source great

Silver Lining? (4, Insightful)

Anonvmous Coward (589068) | more than 11 years ago | (#5234711)

"Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."

Yeah, that pretty much sucks. There may be a silver lining, though. The more crap these ISPs pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking. "Sure, go ahead and set up a wireless LAN in your complex. We'll even let you pay to increase your bandwidth to accommodate all those users! Tell them that for $5 a month, they can each get a mail account or some other fairly interesting service."

Re:Silver Lining? (1, Informative)

Anonymous Coward | more than 11 years ago | (#5234795)

You mean Speakeasy?

Re:Silver Lining? (0)

Anonymous Coward | more than 11 years ago | (#5234818)

These exist, if you can find them. In Dallas, it's August.net. There's one in at least Hawaii as well, though I forget the name.

Re:Silver Lining? (0)

Anonymous Coward | more than 11 years ago | (#5234843)

You mean like speakeasy.net???

It's already here (5, Informative)

ptbarnett (159784) | more than 11 years ago | (#5234857)

The more crap these ISPs pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking.

It's already here: SpeakEasy [speakeasy.net] .

Their TOS [speakeasy.net] explicitly states:

"Speakeasy believes in the right of the individual to publish information they feel is important to the world via the Internet. Unlike many ISP's, Speakeasy allows customers to run servers (web, mail, etc.) over their Internet connections, use hubs, and share networks in multiple locations."

Re:It's already here (3, Informative)

sweetooth (21075) | more than 11 years ago | (#5234890)

Yup, I'm a speakeasy customer and even though it's a damn expensive connection it has been very reliable and I can do pretty much whatever the hell I want ;)

Re:Silver Lining? (1)

dzym (544085) | more than 11 years ago | (#5234917)

Speakeasy DSL seems to be pretty much that type of service, for the most part.

Too bad it's not available where I live, except for the uber-expensive IDSL and therefore ultimately useless variety.

Re:Silver Lining? (3, Interesting)

digitalsushi (137809) | more than 11 years ago | (#5234932)

A geek friendly ISP, that is, one that would want customers that utilize their connections, would be more than happy to sell them all full T1 service for about 400 to 1200 dollars a month, depending on where you happen to live :)

I think in general (not aimed at you, Anonvmous) people tend to not realize that everybody has to share when it comes down to it. Sure, most ISPs cover that fact with a healthy dose of greed, but in the end, a 50 dollar price point is what you get after you trim the 1% of us, the power users. They don't like us and there's a good reason: we cost them money when we use more than the normal user! And I don't blame an ISP for enforcing; it's not a matter of being fair as they are just doing this to make money... a geek friendly ISP would last all of 10 minutes with similarly priced services as what is regularly available. Oh well. I got my plan all worked out. Another 40 a month and I can have business DSL: full servers, whatever I want, NAT, all perfectly cool with the ISP. Ah, but I lose because I gave up the 40 extra a month? Not when they make a policy change to the residentials and I'm the only one left with a working web and mail server :D

With all... (1)

Manos Batsis (608014) | more than 11 years ago | (#5234715)


...respect to all interested parties, it's a shame to see all this brain power wasted for unimportant things such as stealing from your ISP or enforcing such a rule.

It's my darn account and I should be able to do whatever with it.

Sheesh.

Re:With all... (1)

Bonker (243350) | more than 11 years ago | (#5234878)

Couldn't agree more. Why was this paper written? The author gives the reason of counting how many hosts exist on the internet.

Do we really care how many hosts are on the internet? Since most NATed boxes are workstations and not webservers, the only practical use for this algorithm is for service providers to count how many machines are using a given broadband pipe. One other poster suggested that it could be used for load balancing, in that you could accidentally load balance one ip address containing a thousand real users to one server rather than split them up.

I thought *real* load balancing used a first-come first-served approach and sent each client request to the least-used server.

This is bad mojo. The author of this paper is going straight to hell. Do not pass go, do not collect 200 dollars.

Is this really a big deal? (2, Interesting)

Jhon (241832) | more than 11 years ago | (#5234719)

Why is it a big deal for some company (broadband provider) whose ToS contract up-front says only X number of machines can use this connection or else additional fees apply to expect their customers to comply with the terms of their contract?

If you want 10 machines to share an internet connection, sign up with a company which doesn't care or charge for how many computers share the connection OR pay for the additional machines for ISPs who do.

It's interesting to note that this would only ID the number of machines behind NAT boxes -- not those using proxy servers (a la squid). At least from what I read...

-jhon

Re:Is this really a big deal? (3, Interesting)

NetDrain (167337) | more than 11 years ago | (#5234822)

Yes, it is in fact a big deal. Not every community has multiple options for high speed internet access -- if you're unlucky enough to be stuck in an area with only one ISP that offers cable/DSL and they have the draconian requirement that you have only one machine on the network, you have a problem.

The telephone companies did this a while ago about the number of phones you could have connected to your phone line. They monitored the voltage drop on the line when your phone rang. They eventually gave up trying to enforce it.

Re:Is this really a big deal? (1, Insightful)

Jhon (241832) | more than 11 years ago | (#5234998)

I don't agree. It's not your local ISP's fault that there aren't multiple providers in your area (assuming we are talking about you) or multiple service options. If there was enough money to be made in an area, there would most likely be more providers.

In the end, it's the end user who signs the contract. If they don't like it, they don't need to sign it. Don't you see any problems signing a contract with the INTENT of breaking it to save money? I don't see anything but a poor rationalization in your argument suggesting that it's not *YOUR* fault that you NEED to break your contract -- it's the community -- or the draconian requirements (which you never needed to sign, by the way).

-jhon

Re:Is this really a big deal? (0)

Anonymous Coward | more than 11 years ago | (#5234891)

There aren't always options. Where I live, AT&T is the only broadband in town.

Re:Is this really a big deal? (1)

Phroggy (441) | more than 11 years ago | (#5234918)

If you want 10 machines to share an internet connection, sign up with a company which doesn't care or charge for how many computers share the connection OR pay for the additional machines for ISPs who do.

Not everyone has a choice among multiple broadband ISPs, or their choice may be limited to companies that all have a similar TOS. The additional fee for extra machines may be beyond what they can afford, and they may not be using any additional bandwidth, meaning the extra cost to the ISP is zero. Under these circumstances, violating the TOS seems like a reasonable thing to many people.

Personally, I blame the FCC for allowing this to happen. But that's just me.

Like the RIAA... (5, Interesting)

hndrcks (39873) | more than 11 years ago | (#5234725)

the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...

...which will, of course, result in their attempts to find more onerous legal solutions to the problem.

I say - let the games begin!

Re:Like the RIAA...NOT like... (0)

Anonymous Coward | more than 11 years ago | (#5234959)

" the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win..."

Well that depends. Are your financial pockets bigger than their financial pockets? Remember we're not talking cold war US vs USSR here, where it was "Who ran out of money?" instead of "My technology is bigger than yours.".

hrmph. (2, Insightful)

zod1025 (189215) | more than 11 years ago | (#5234731)

Well, this sucks. Looks like I'll be flashing my Router soon...

All those single-computer use clauses are evil anyway. A DSL line gives you X bandwidth, so X bandwidth is what you use, regardless of how many machines you multiplex it to. Arbitrary fees for extra machines behind the connection are just more ways to rape^H^H^H^Hmilk the customer.

Re:hrmph. (0)

Anonymous Coward | more than 11 years ago | (#5234937)

>A DSL line gives you X bandwidth, so X bandwidth is what you use,

Better read those terms of service again. It's more likely that it gives you up to X bandwidth. DSL tends not to have Quality Of Service guarantees, at least for consumer grades. They count on there being fluctuation in demand to lower the total bandwidth in use to make the service more economical to sell. Otherwise, how would they ever sell a T1 (other than privacy)?

Re:hrmph. (2, Interesting)

Phroggy (441) | more than 11 years ago | (#5234980)

All those single-computer use clauses are evil anyway. A DSL line gives you X bandwidth, so X bandwidth is what you use, regardless of how many machines you multiplex it to. Arbitrary fees for extra machines behind the connection are just more ways to rape^H^H^H^Hmilk the customer.

If you have two computers, they figure you're going to be using more bandwidth than if you only had one. For example, if you and your wife are both surfing the web at the same time, more bandwidth is being used than if you only had one computer (so only one of you could be surfing at a time). If this is generally true, then the ISP has a higher cost for users with two computers than for users with one (remember that the ISP has to pay for bandwidth from their backbone providers; they don't pay a flat monthly rate like you do).

Of course, in many cases this is not true. I have several computers, and I use far less bandwidth than the guy with only a single PC who leaves Kazaa running 24/7.

Score another one for Linux (5, Interesting)

guido1 (108876) | more than 11 years ago | (#5234733)

The method described decodes packets from the NAT, using the IP header's ID field (which is normally a simple counter) to determine number of nodes behind the NAT. (Find X distinct ID field chains, that is the number of PCs...)

However:
Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.


Hurray for Linux... :)

Re:Score another one for Linux (1)

La Camiseta (59684) | more than 11 years ago | (#5234809)

OK, so all that I have to do is run my NAT through a cheap OpenBSD box (can probably get the hardware for well under $100)? That's fine by me.

You should have read further: (2, Interesting)

burgburgburg (574866) | more than 11 years ago | (#5234914)

Setting it to 0, as Linux does, is one possibility; as discussed below, in a NAT situation this can leak information, and hence is probably undesirable.

On OpenBSD and FreeBSD, however:

A keyed generator, as is used in OpenBSD and FreeBSD, provides some protection, but one needs to be careful to avoid duplication if the generator is rekeyed periodically.

Re:Score another one for Linux (1)

brer_rabbit (195413) | more than 11 years ago | (#5234987)

You should have continued your quote...
All of these [evasive measures] complicate (and to some extent block) the analysis.

it never flat out says that the methods don't work or don't work with linux or *BSD.
Complicate || Some extent block != Completely block

yup (0)

Anonymous Coward | more than 11 years ago | (#5234736)

Façam-me todos um ganda broxe seus filhos duma ganda puta negra :)

jerk (1, Funny)

io333 (574963) | more than 11 years ago | (#5234737)

Please allow me to express the sentiment of most if not all home network users, as well as that of the companies that make routers for home use:

Thanks a lot Steve you PRICK!

What are you talking about? (2, Interesting)

amarodeeps (541829) | more than 11 years ago | (#5234943)

There's every possibility the ISPs and cable companies already know about this. Why do you think they would tell us? This is the same tired argument used to justify security through obscurity...it's specious.

I say, thank you Steve for making me aware of this. Now I have the option to take action, as do the companies that make these home networking devices.

No way! (4, Funny)

Arcaeris (311424) | more than 11 years ago | (#5234741)

"Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."

Crap! Now I have to worry about my internet conn

Telephones (2, Interesting)

Smallpond (221300) | more than 11 years ago | (#5234742)

At one time the telephone monopoly measured ringer current to locate
"unauthorized" telephones that customers would (gasp!) install without
consulting Bell. People installed phones anyway.

Once everyone has many devices with IP addresses on their home LAN,
there is no way the ISP's can keep up. Just ignore this.

Re:Telephones (1)

ch-chuck (9622) | more than 11 years ago | (#5234869)

...and electronic projects magazines would publish FET circuits to ring your extra phones w/o drawing extra current. Think I still have that CG booklet of fet projects somewhere ....

Could be bad (1)

digitalgimpus (468277) | more than 11 years ago | (#5234745)

This could be bad for those like me who run a few machines where you're supposed to only run 1. This could really stink.

I would think NAT producing companies would be quick as the company who figures out another way, gets the market.

research.att.com Slashdotted? Give me a break. (4, Funny)

Snork Asaurus (595692) | more than 11 years ago | (#5234752)

Or maybe they think it's another Slapper.

Maybe someone can fill us in.

Re:research.att.com Slashdotted? Give me a break. (0)

Anonymous Coward | more than 11 years ago | (#5234925)

No, just lagging really bad. Give it about 2-3 minutes and it will begin to open... unless the cat knocks over the bowl of water perched on top of the server's case...

All my machines are single (1, Funny)

Anonymous Coward | more than 11 years ago | (#5234761)

My friend says he has a couple of machines, though.

Spellcheck? (0)

fetus (322414) | more than 11 years ago | (#5234775)

from .PDF ...

"many locations are connected to the Internet
by means of NAT (Network Adress Translator) [1] boxes.
field is used only for fragment reassembly (see below),"

Re:Spellcheck? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5234866)

WHO GIVES A FUCK SHITHEAD?

Quick summary... (0)

Anonymous Coward | more than 11 years ago | (#5234793)

Most use a simple counter for ipid... except *bsd

If we're clever we can work out how many hosts there are by watching the ipid field change... except for *bsd.

Someone'll patch the linux kernel with a pseudo-random ipid field real soon now, I bet.

FreeBSD (5, Funny)

PunchMonkey (261983) | more than 11 years ago | (#5234802)

Our technique is based on the observation...that the "id" field in the IP header is generally implemented as a simple counter

Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.

So my FreeBSD will look like thousands of PCs? LOL, that sure would piss the cable company off.

Do OpenBSD and FreeBSD ... (1)

burgburgburg (574866) | more than 11 years ago | (#5234803)

have the pseudo-random IPid field specifically to avoid this sort of information leakage, or is this a happy side effect from addressing some other problem?

I find it especially interesting that this method works best on home users and small businesses. Interesting and frustrating.

New motto? (1)

di0s (582680) | more than 11 years ago | (#5234826)

"Slashdotted in 30 comments or less!"
Yes I know it was offtopic, but still.

damn pdf (0)

Anonymous Coward | more than 11 years ago | (#5234830)

Any html file around instead of pdf? I just hate pdf files...

no Beowulf clusters? (1)

OwlofCreamCheese (645015) | more than 11 years ago | (#5234832)

does that mean no Beowulf clusters? crud...

Is my NAT router a single computer? Because... (2, Insightful)

DoofusOfDeath (636671) | more than 11 years ago | (#5234838)

`Cuz if it is, strictly speaking, there is only one computer connected to the ISP's network.

damnit! (0)

buzban (227721) | more than 11 years ago | (#5234840)

there goes my home beowulf cluster!

Multiple Systems != Multiple Boxen (5, Interesting)

Heghta' (246911) | more than 11 years ago | (#5234844)

I can already imagine conversations like this:

ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accessing the net through our service, while the contract only allows you one!
Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
ISP: arglllll

I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.

google cache (0)

Anonymous Coward | more than 11 years ago | (#5234851)

http://216.239.57.100/search?q=cache:QZA0opGpxtwC:www.research.att.com/~smb/papers/fnat.pdf+&hl=en&ie=UTF-8

google cache of the article.

How this works (5, Interesting)

szquirrel (140575) | more than 11 years ago | (#5234853)

Counting boxes is done using the "id" field in the IP header. The id field is relatively unique to each datagram sent between two hosts and is used to reassemble datagram fragments. This scheme depends on the observation that most IP stacks keep this field unique by just incrementing a counter for each datagram. By examining the id field of each packet coming from a NAT box and finding trends in the values you can tell how many boxes are behind the NAT. Each trend you can identify is another box hiding behind the NAT.

But as the article states:

We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.

So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).

Re:How this works (4, Informative)

leviramsey (248057) | more than 11 years ago | (#5234991)

One of the grsecurity patches for the kernel already gives Linux the random IPid field.

Google Cache goodness (1)

Bellwether (12891) | more than 11 years ago | (#5234855)

The presentation is here.

Since the site is /.'ed, there's a cached copy of the HTML of the paper itself available here.

Where is this "here" you speak of? (0)

Anonymous Coward | more than 11 years ago | (#5234948)

Where is this "here" you speak of?

Article is slashdotted (0)

Anonymous Coward | more than 11 years ago | (#5234874)

Anyone going to post a copy of the article then?

Quick! (3, Funny)

kliklik (322798) | more than 11 years ago | (#5234876)

Let us quickly slashdot the server before those "friendly" ISPs get the information and use it to count our machines.

Possible fix (4, Interesting)

entrager (567758) | more than 11 years ago | (#5234879)

After reading the document (something that is rarely done among posters), it appears to me that this wouldn't be TERRIBLY hard to fix. The different machines are recognized by the sequences of IPids that are generated for the packets that are sent out. This field must be unique for each packet with the same protocol, destination, and source. This prevents the NAT from simply mangling the number in the field, making it impossible to track the number of machines.

Someone correct me if I'm wrong, but it seems to me that iptables could be updated to change the IPid of outgoing packets to a single sequence and just keep a table of old ids -> new ids. When necessary, it performs the translation. So basically it acts as a two way filter, packets behind the NAT will all have the correct id, packets beyond it will all appear as a single sequence. Would this work?
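A toy model of the two ideas in this thread, the IPid-trend counting described in "How this works" and the NAT-side rewrite proposed just above, added here as an example; it is not code from Bellovin's paper or from any commenter. The hosts, counter start values, addresses and the greedy chaining heuristic are all constructed assumptions.

```python
import random

def count_hosts_by_ipid(ids, max_gap=50):
    """Count increasing IPid 'trends' in a stream seen outside the NAT.
    Greedy illustration (not the paper's exact method): an id joins the chain
    whose last value it most closely follows, else starts a new chain."""
    chains = []  # last id seen on each inferred host
    for ipid in ids:
        best, best_delta = -1, max_gap
        for i, last in enumerate(chains):
            delta = (ipid - last) % 65536  # counters wrap at 16 bits
            if 0 < delta < best_delta:
                best, best_delta = i, delta
        if best < 0:
            chains.append(ipid)
        else:
            chains[best] = ipid
    return len(chains)

class IpidRewritingNat:
    """Rewrite every outgoing datagram's IPid into one NAT-wide counter."""
    def __init__(self):
        self.counter = 0
        self.pending = {}  # (src, dst, proto, old_id) -> new_id, for fragments
    def translate(self, src, dst, proto, old_id, more_fragments=False, offset=0):
        key = (src, dst, proto, old_id)
        new_id = self.pending.get(key)  # fragments of one datagram share an id
        if new_id is None:
            self.counter = (self.counter + 1) % 65536
            new_id = self.counter
        if more_fragments:
            self.pending[key] = new_id   # later fragments must reuse this id
        elif offset:
            self.pending.pop(key, None)  # last fragment seen; forget mapping
        return new_id

def host_stream(starts, packets):
    """Constructed sample: hosts with plain counters, sending round-robin."""
    n = len(starts)
    return [("10.0.0.%d" % (k % n + 1), (starts[k % n] + k // n) % 65536)
            for k in range(packets)]

def demo(packets=60):
    raw = host_stream([1000, 30000, 60000], packets)
    nat = IpidRewritingNat()
    rewritten = [nat.translate(src, "192.0.2.1", 6, i) for src, i in raw]
    rng = random.Random(7)  # stands in for a randomised IPid generator
    rand = [rng.randrange(65536) for _ in range(packets)]
    return (count_hosts_by_ipid([i for _, i in raw]),
            count_hosts_by_ipid(rewritten), count_hosts_by_ipid(rand))
```

demo() returns the host count for the raw stream (3), for the same stream after the NAT rewrite (1), and for a randomised generator (close to one "host" per packet, which is the "thousands of PCs" effect mentioned earlier in the thread). The rewrite keeps a mapping only while a datagram's fragments are in flight; a real implementation would also need a timeout for fragments that never complete.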

Can we make it a DMCA violation? (4, Interesting)

DoofusOfDeath (636671) | more than 11 years ago | (#5234895)

There must be some way to make it so that an ISP doing this kind of analysis becomes a DMCA violation of the customer. Any ideas?

trying to crack down on reselling (4, Insightful)

a7244270 (592043) | more than 11 years ago | (#5234907)

It probably annoys the telcos to no end that a connection can be shared - they are more used to the "telephone" model, where there is one line going into the house and if 2 people want to have separate conversations then they need two lines.

Contrast that with a high speed connection that can be shared with a bazillion users.

I'm guessing they are not as concerned with people who are running more than one machine at home - the precedent has been set already with telephone extensions, cable TV and satellite TV.

I know of at least one person that is sharing his connection with 5 houses on his block via 802.11, which is a fair chunk of high speed connections that could be sold, and more than likely these are the people they are trying to find.

My prediction - they will either give up once netgear, linksys et al. release rom patches to prevent this, or they will try to start charging on a "by data" basis.

This is of course doomed to failure, because the only purpose for a high speed connection is for sharing [censored by the RIAA and MPAA] across the net, and any attempts to change their pricing to this model will be met by massive consumer outcry.

Why Wasn't This Posted... (0)

Anonymous Coward | more than 11 years ago | (#5234909)

as one of the Top Ten Questions to Kevin Mitnick? :)

openbsd and freebsd not affected (0)

Anonymous Coward | more than 11 years ago | (#5234929)

the article states that openbsd and freebsd are not entirely affected (or at least make it really hard). This is because openbsd's pf has the ability to randomize this field in an effort to prevent a thing just like this from happening.

now who's gonna tell me bsd is dead?

single-machine license? (1)

roka (211127) | more than 11 years ago | (#5234978)

Don't you mean single-user license?
Because in Germany most ISPs don't prohibit using multiple clients if they are used by one person.

Google Cache Html (1)

bdigit (132070) | more than 11 years ago | (#5234995)

http://216.239.57.100/search?q=cache:QZA0opGpxtwC:www.research.att.com/~smb/papers/fnat.pdf+&hl=en&ie=UTF-8 AT&T couldn't handle the /.ing

The answer my friend... (1)

nocomment (239368) | more than 11 years ago | (#5235000)

is lying in the ...

openbsd-pseudo-random number generating packet filterrrrrrrrr