Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

More On Detecting NAT Gateways

timothy posted more than 11 years ago | from the check-your-terms-of-service dept.

Privacy 551

tcom91 writes "The Slashdot article Remotely Counting Machines Behind A NAT Box described a technique for counting NAT hosts. A recently published paper Detecting NAT Devices using sFlow describes an efficient way of detecting NAT gateways using sFlow, a traffic monitoring technology built into many switches and routers. This technology could be used to enforce single host access policies and eliminate unauthorized wireless access points."

cancel ×


Sorry! There are no comments related to the filter you selected.

But... (2, Insightful)

elixx (242653) | more than 11 years ago | (#5795762)

Will ISPs use it against us?

Re:But... (1)

mr. methane (593577) | more than 11 years ago | (#5795784)

... if you're paying for a service where you're only supposed to connect one host, it seems reasonable, doesn't it?

Re:But... (1)

elixx (242653) | more than 11 years ago | (#5795803)

One IP, one host in the eyes of the outside world. That's the way it should be.

Re:But... (2, Interesting)

realdpk (116490) | more than 11 years ago | (#5795869)

I wonder how much it'd cost per month to have an ethernet card in my TiVo and printer.

Re:But... (1)

mr. methane (593577) | more than 11 years ago | (#5795965)

This is something that cable ISP's need to address.

Groan. Sorry. I couldn't help myself.

But they know this is an issue, and that's why they'd rather turn a blind eye to the guy who has an ethernet connected to his canon inkjet printer, and concentrate on the kid who's sharing his connection with two neighbors and a file server.

Ummm no ... (4, Insightful)

bizitch (546406) | more than 11 years ago | (#5795870)

How does it cost the ISP more if multiple people share a broadband line? Where is the additional expense to the ISP that needs to be covered?

Go ahead let them screw their customer base over - sure that'll work! - Good plan!

And another thing ... do you know how stupid it is to directly connect your box to that cable/dsl modem thing with out at least hiding behind some kind of NAT?

Go ahead and try it - be sure to run BlackICE or something so you can count how many times you get portscanned in an hour ..

Re:Ummm no ... (2, Interesting)

mr. methane (593577) | more than 11 years ago | (#5795911)

The additional costs are for:

Bandwidth (about $50-130/mb wholesale)
Customer support (additional troubleshooting)
Security (more machines, more chance for trojans, etc)
Repairs (the guy with six people sharing a cable modem is going to expect instant service restoration, whether he's paying for it or not)

And frankly, it ain't your network. If you want to start up an "all the bandwidth you want for free" ISP, knock yourself out.

Re:But... (1)

Dylan Zimmerman (607218) | more than 11 years ago | (#5795847)

Of course they will. ISPs are taking the RIAA's lead and trying to charge us for everything they possibly can. I wouldn't be at all surprised if they started charging per byte over a certain limit. "You shouldn't need more than that much bandwidth", they'll say.

Re:But... (1)

ocelotbob (173602) | more than 11 years ago | (#5795912)

That's already really common outside of the US. Many broadband providers will either charge for bandwidth over a certain amount, or throttle you back if you go over the cap.

Re:But... (0)

Anonymous Coward | more than 11 years ago | (#5795948)

Just because you live in some weird third world nation doesn't mean that's what happens everywhere outside the alleged "land of the free". Most of my friends outside of this country receive more-than-adequate bandwidth net access that I quite envy. Here I have to deal with annoying fascist types who want to yeah, charge for whatever they can.

Re:But... (1)

secolactico (519805) | more than 11 years ago | (#5795877)

Will ISPs use it against us?

They might. If in their terms of service they specifically disallow connection sharing via NAT, you have no (legal) resource.

But I think the main purpose would be for corporations and other networks to detect potential security breaches.

A *lot* of spam comes from insecure proxies that are sometimes installed on end user machines, not on corporate gateways and, as stated in the article, if said proxy has a wireless interface, you just opened a huge hole in your network.

Re:But... (1)

squiggleslash (241428) | more than 11 years ago | (#5795969)

If they do, neither Earthlink nor Speakeasy, to name but two ISPs who have fairly extensive coverage throughout the US, have any objection to you using either. Earthlink does stipulate that it will not provide support to someone using NAT or some other form of connection sharing, but that's as in "Ok, before I answer your question about why your connection isn't working, please disconnect everything except a PC with a supported configuration and the DSL modem. Thank you, now..."

I use Earthlink, hear good things about Speakeasy. I don't see either as likely to change their policies in this area, whereas I can't say the same for the average RBOC or Cable operator.

Let me be the first to say it.... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5795764)

Oh shit...

fp (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5795766)

I think I got thte fp here

it will never work... (4, Interesting)

edrugtrader (442064) | more than 11 years ago | (#5795773)

you build a better detector, and all that will happen is local NATs and gateways and routers will use IP to its fullest extent to make the packets look they they were coming from a single machine. this is another type of "lets stop spam" mission. you can't do it, stop trying.

Re:it will never work... (3, Interesting)

yeti (dn) (618882) | more than 11 years ago | (#5795908)


After reading the article I've said to myself: hm, I'll have to take care of these things... instead of: hm, I'd better not use NAT.

OTOH, if you have machines wtih different OSes, it may be pretty difficult to make it look like the packets are coming from a single source, even when only passive fingerprinting is used.

still same bandwidth (4, Interesting)

boolean0 (448844) | more than 11 years ago | (#5795775)

people are still using the same amount of bandwidth payed for, no matter how many machines are using it. when will these companies realize that many people have multiple computers in their home?

Re:still same bandwidth (1)

krelian (525362) | more than 11 years ago | (#5795796)

But all the ISP's are selling bandwith they don't have. They know that not everyone is maxing out their bandwith at any given time so they are able to sell it to more people.

Re:still same bandwidth (1)

mr. methane (593577) | more than 11 years ago | (#5795806)

The numbers don't bear this out. Even if two machines are just sitting idle, they both download patches, query DNS, etc.

ISP's *do* realize that people want to connect more than one machine. This is simply a mechanism for identifying people who violate their agreements.

Re:still same bandwidth (1)

jelle (14827) | more than 11 years ago | (#5795879)

I have more than one machine, but only one has a harddisk, the rest is diskless, hence the patches are downloaded only once. Plus I run my own bind (dns cache), ntpd, etc, so the extra machines don't generate extra traffic, just a higher electricity bill.

My cablemodem provider allows me to use NAT, they just don't support it.

Like the other poster said, if someting like this will be used to 'enforce' limiting 'agreements' (if you can call it that, because where was the negotiation that led to the agreement), they will just be opening up a new market for smarter next-generation NAT boxes.

Re:still same bandwidth (1)

xsbellx (94649) | more than 11 years ago | (#5795910)

Sorry but I strongly disagree with your conjectures.

The numbers don't bear this out.

Whose numbers? Care to share the source of these "numbers"?.

Even if two machines are just sitting idle, they both download patches, query DNS, etc

Guess they aren't idle now are they. Why would an idle machine ever perform a DNS lookup? Patches are usually downloaded with some forethought. I nor any reasonable techie I know constantly downloads patches. This is typically a scheduled process, usually at a time when there is little or no contention for limited residential bandwidth.

Further to your DNS contention, a caching local DNS server reduces bandwitdh requirements while providing end users with the perception of more responsive surfing.

Re:still same bandwidth (3, Insightful)

mr. methane (593577) | more than 11 years ago | (#5795951)

The source of these numbers are netflow reports and similar traffic measurements, both my own and other published data.

If you really want to play word games, I define an idle machine as "a computing platform with an operating system loaded and running, but without a user interacting with the system".

I'm glad you like to run a caching DNS server and diskless workstations. Really. But to most people, computers are just tools to play games and send email. They're purchased at places like Sears and CompUSA, and they automatically download things like windows update, antivirus software, etc.

Last time I checked, a caching DNS server only reduces traffic if you have a large enough, active user base to populate and refresh the cache.

Re:still same bandwidth (1)

emag (4640) | more than 11 years ago | (#5795944)

How is that any different than 1 machine doing 24x7 leeching? Plus, the folks most likely to actually DO things like patch their machines, run daily updates, reload /. every 30 seconds, etc, are likely the same folks who'll set up caches, proxies, and local (DNS/mail/web) servers, thereby reducing the load on the network and/or the ISPs' communal servers. (An example: I have anywhere from 3 to 6 machines on my internal network at any one time. All internal machines' DNS queries a caching nameserver, I run apt-proxy to cache all debian updates [speeds up my update times past the first machine updated, too!], squid's set up transparently, I've got my own mail server saving my ISP from dealing with several megs of mail a *day* transitting to their servers and then immediately back out, etc.)

Arguably, it could still be 1.x times a single person (where x is some small decimal to account for checking if caches need updating), but as the number of machines, N, behind the NAT increases, additional load for shared resources should climb significantly slower.

Re:still same bandwidth (1)

Dylan Zimmerman (607218) | more than 11 years ago | (#5795811)

The same day that the RIAA realizes that people don't want to pay for each copy of a song that they have.

Re:still same bandwidth (4, Interesting)

SWroclawski (95770) | more than 11 years ago | (#5795838)

Well every industry goes through this it seems (at least in the US).

The phone company used to care how many phones you had. Then the cable company charged per teleivion, and some ISPs care how many computers you have.

The key difference I see is the two previous mentioned industries had those issues resolved by regulation. Regulating consumer grade ISPs might not be a bad thing and finally set limits on things like number of computers or port restriction. And if not- at least we'll know what "comsumer grade" service is and all switch to "Small Office" connections, which already seem to be the way to go for people who actually want to use thier internet connection at home.

- Serge Wroclawski

Re:still same bandwidth (1)

NETHED (258016) | more than 11 years ago | (#5795895)

You Sir, have a great city named after you.

Re:still same bandwidth (3, Informative)

mattyohe (517995) | more than 11 years ago | (#5795852)

Try reading your contract agreement.. If it doesn't mention it.. you are in the clear.. if it does, you need to learn how to make your NAT gateway not reveal the IP TTL.

That is.. if you are actually worried about anything.

wireless... (0)

Anonymous Coward | more than 11 years ago | (#5795782)

The only wireless network I could find while war driving... were ones without WEP turned on.. I could find the other ones but if the WEP is turned on... of course I couldnt access them... theres a reason for IT!... try using it sometime..

Its of no real use to isp's (3, Funny)

SeanTobin (138474) | more than 11 years ago | (#5795785)

If isp's tried to use this in any kind of meaningful way, suddenly there would appear dozens of nat gateway scrubbers that would make sure that the output packets are all uniformely generic. It'll probably turn off the evil bit too.

Re:Its of no real use to isp's (-1, Offtopic)

stor (146442) | more than 11 years ago | (#5795923)

From where I'm sitting, your SQL is syntactically invalid.

> Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;

is incorrect. It should be:

SELECT karma FROM users WHERE userid='138474';

Sorry :P


Re:Its of no real use to isp's - OOPS I"m SORRY! (1)

stor (146442) | more than 11 years ago | (#5795947)

I thought those backticks were single-quotes. You're actually almost 100% correct, you just need to put quotes around the 138474 bit.


Attention! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5795786)

To all you assholes who want to restrict my freedom, know this:

I should be able to do as I fucking please without having to put up with your sissy greedy bullshit that oppresses me and insults me.

I should be able to do what I want, when I want, and how I want without you getting in the way. I should be able to discharge a loaded weapon in your general direction if you try to interfere with my right to exist and do what I please.

Thank you.

Re:Attention! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5795823)

Awwww..there there honey. Everything will be okay. I got some ice cream for you! All better now? That's a good boy!

just another (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5795788)

Just another front in the class war.

As usual the bourgeoisie try to extract more and more money from the masses through the corporations they control.

As long as you live under capitalism they will always try and screw you! Get used to it!

mod parent up (0)

Max Threshold (540114) | more than 11 years ago | (#5795822)

Because that's exactly what's going on here.

To the greedy rich: We, the working class, want to resolve this without dusting off the ol' guillotine. Honestly, we do. Please don't corner us.

What will the future hold? (4, Interesting)

Blaine Hilton (626259) | more than 11 years ago | (#5795790)

The whole idea of the Internet is a network of networks. Things like this along with certain large ISPs blocking any email from whole blocks of networks without reason leads me to wonder how open the Internet really is, and how closed it could become. ISPs should be selling network connectivity, without restricting what use that connectivity has. I have the same feeling with business phone lines. Businesses are charged more just for being a business, they may use the phone more, but not necessarily.

Go calculate [] something

Re:What will the future hold? (3, Informative)

emag (4640) | more than 11 years ago | (#5795891)

The theory (at least it was several years ago) is that business class telephone users aren't actually being charged more for being a business, but that home users are being charged less since they don't typically use the resources at peak times (read: during the daytime) when excess free circuits are at a premium. In other words, the theory is/was that business are *subsidizing* home users.

Now, in today's modern world, with most of the (modern) phone network being packet-switched, it's probably just another way to eek out extra money from a more or less captive audience. Of course, you just know that if businesses were being charged less, home users would still end up paying more in the end. *sigh*

Re:What will the future hold? (1)

Blaine Hilton (626259) | more than 11 years ago | (#5795967)

I've never heard it described that way, but it makes me wonder why I didn't go into marketing!

Re:What will the future hold? (1)

jelle (14827) | more than 11 years ago | (#5795914)

No matter how much I would want that too, the sellers don't care about what the "idea of the Internet" is. The sellers are just optimizing their income, and the buyers their expenses. Whenever one of the parties becomes complacent, the other party wins (and throws a quiet party). There will never be an end to this.

Internet providers. (4, Insightful)

jfisherwa (323744) | more than 11 years ago | (#5795795)

This is going to be used by your ISP to assure you aren't sharing your connection among multiple computers without paying a monthly surcharge for each.

On the bright side, as with nearly all technology that tries to instate a form of checks and balances upon a system, we will soon see ways to fool this check and go back to business (balance) as usual.


Re:Internet providers. (1)

Dylan Zimmerman (607218) | more than 11 years ago | (#5795836)

Well, it'll do that if you don't use a computer as a gateway. If you do, then it probably won't look like more than one computer is connecting.

Or do I completely misunderstand how this works?

Re:Internet providers. (4, Insightful)

phillymjs (234426) | more than 11 years ago | (#5795841)

...we will soon see ways to fool this check and go back to business (balance) as usual.

Yep, and then the parties interested in counting NATed machines will go buy a law criminalizing circumvention of their "AUP Enforcement Technology."

After all, only terrorists don't want anyone to know how many machines they've got connected to their cable/DSL modem, right?


Re:Internet providers. (1)

BrookHarty (9119) | more than 11 years ago | (#5795871)

After all, only terrorists don't want anyone to know how many machines they've got connected to their cable/DSL modem, right?

Hey, thats a great Idea, lets License every IP! That way the government can get a few billion in tax money! I bet the RIAA/MPAA would love access to a database like that!

What else are we supposed to do? (3, Insightful)

shr3k (451065) | more than 11 years ago | (#5795807)

So, if they don't want me to use NAT, does that mean they want me to connect each box to their internal network? Meaning I (and everyone else) can get access to computer B's contents when I'm trying to access it from Computer A?

Why can't they just have a flexible plan where I say, yes, I admit I have 3 boxen behind NAT and agree to pay an extra $5 to $10 a month? Or is this too logical for them to do?

Re:What else are we supposed to do? (1)

BKX (5066) | more than 11 years ago | (#5795848)

Go with AT&T Broadband cable service (or Comcast or whatever the hell they're calling it these days.). They seem to quite fast and hell, they'll sell you extra IPs for $4.95 a month. No fucking NAT to screw with gaming. My family currently connects five computers that way.

Re:What else are we supposed to do? (1)

sholden (12227) | more than 11 years ago | (#5795881)

Why not find an ISP with a clue who allows multiple machines to use the connection. Mine does, but I'm in a different country so that's not much use.

If you are going to pay extra I'd want IPs not NAT...

Re:What else are we supposed to do? (0)

Anonymous Coward | more than 11 years ago | (#5795931)

exactly, charter pipeline specifically states "We do not support more than 1 computer" there is nothing about connecting more, its just that its your problem if there is an issue.

Re:What else are we supposed to do? (1)

robi2106 (464558) | more than 11 years ago | (#5795906)

That is the usual route they take. My local Cable internet provider will sell up to 3 IPs through the same cable modem (marketing or hw/sw limitations don't allow more than 3 per modem)

Fortunately, I never had to worry about that with the use of a simple Linksys gateway router. Now I don't know how the gateway router changes the bits of packet headers to eliminate host counting (one way to count hosts behind NAT).


see (0)

Anonymous Coward | more than 11 years ago | (#5795810)

... this patch for the 2.4 kernel tree should make this kind of NAT counting much, much more difficult, if not impossible.

Just make sure your firewall/router is a linux based router with the grsecurity patch in the kernel. Surely YOU don't use some kind of cheesy linksys style router/firewall?

O Early Post! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5795812)

O early post! O early post!
I love thee!

Don't get you knickers in such a twist (5, Insightful)

1984 (56406) | more than 11 years ago | (#5795816)

From the article:

"The algorithm for detecting NAT routers relies on the observation that switches directly connected to a host, or in the same subnet as a host, will always see packets from the host with a TTL that is characteristic of the host operating system."

So if you play with the OS fingerprinting (and TTL), you can likely fool this method. Don't forget that your NAT is rewriting part of the information in each packet anyway. It would be more expensive (but probably not prohibitively so) to rewrite more of that information. It is, after all, information for moving the payload around, and not the payload.

This just ups the ante a little.

Wow - Just think of it (3, Funny)

bizitch (546406) | more than 11 years ago | (#5795819)

.. All those Linksys/Belkin poor man router users that are out there - and one day they're gonna get a bill from they're already expensive broadband provider and ...

WHAMO! Instantly pissed off customer base!

(is UWB ready for prime-time yet?)

UWB not ready for a few years (0)

Anonymous Coward | more than 11 years ago | (#5795937)

As a recent presenter in the IEEE 802.15.3a committee on UWB, I see that the heavily divided group will likely take at least a year to reach a first-draft standard phase, then another year or more for a final standard. Only at the final std stage will test equipment manufacturers like Agilent start to develop UWB test equipment, without which compliance testing is likely to be iffy at best. All this is complicated by the 500+ MHz RF bandwidth of UWB radios, and the 100+ Mbps data rates intended to be supported. BTW, UWB is targeted mainly at WPAN (10meters or less), for digital media device connectivity (home theater & video without cables, laptop to projector without cables, etc). Look for UWB around 2007 or so.

pf circumvents this still it appears. (2, Interesting)

Anonymous Coward | more than 11 years ago | (#5795830)

Looking at the paper, it doesn't seem to mention any new techniques (ie analyzing something other than the IP ID field) beyond what Bellovin has already posited. As such, I would presume that OpenBSD's pf changes are still a valid way of circumventing this issue. Looking at his charts, the TTL variations did not appear to yield differentiating evidence without also correllating the IP ID field. For more information on the pf techniques at circumvention see: 723

not all ISPs care (2, Informative)

brer_rabbit (195413) | more than 11 years ago | (#5795834)

I think most smaller ISPs don't really care if you're using NAT. In fact, I bet lots of ISPs expect you to. Your best bet is to read the terms before signing up and stay away from the AOL/Earthlink conglomerate types.

Re:not all ISPs care (4, Insightful)

Sabalon (1684) | more than 11 years ago | (#5795942)

Mine says you're not supposed to, yet the installers recommended a brand of NAT device to buy.

Wish I had that on tape :)

What about network behind 2 routers in series!!! (0)

Anonymous Coward | more than 11 years ago | (#5795837)

will it work?

Defeating "Single Host Access Policies" howto... (0)

Anonymous Coward | more than 11 years ago | (#5795840)

Put a Transparent Proxy behind a NAT behind a NAT.

['s pathetic ISP]
| [Pathetic poor little guy Slashdot hurts]
| /
[Your ISP's Network, and some idiot trying to eavesdrop]
[ISP's Router]
[Your NAT]
[Your next NAT]
[Your Transparent Proxy services]
[Application/ie YOU!]

Why do ISPs care about NAT? (1)

Elpacoloco (69306) | more than 11 years ago | (#5795842)

They're providing the bandwidth anyway.
Are they concerned that people will host thousands of computers (at a major cost to the ISP's bandwidth) if people are allowed to do this?

Its a war, you break standards. (4, Interesting)

BrookHarty (9119) | more than 11 years ago | (#5795846)

Nice, besides an ad for Sflow, just shows some more holes we need to patch, and more standards to break.

OS fingerprinting was nice, but now some boxes are replying as a tandy coco, its a very amusing battle. Now TTL is being used to determine multiple Nat'ed IPs. I'm sure someone will write a nice nat module for linux/etc to bypass this also. Seems like the endless cycle of control freaks loosing control.

BTW, not sure which ISPs care about NAT, but there are very very large NAT friendly ISP's out there. (Speakeasy for one)

Damn IP stuff... (0)

Anonymous Coward | more than 11 years ago | (#5795849)

Does that means a userland HTTP proxy or SOCKS proxy would be more undetectable?

Thanks, sFlow! (4, Interesting)

frohike (32045) | more than 11 years ago | (#5795854)

I just wanted to extend a big thanks to sFlow for posting this paper (and the AT&T people for posting theirs). Despite the fact that DARPA screwed Theo & Co, they are probably already adding a "modulate TTL" setting to pf as we speak.

And of course if you're ultra-paranoid, then just use something like socks or squid to proxy most or all of your TCP connections, and it's 100% indistinguishable from your firewall making the connections out. Because your firewall is making the connections out.

When will they learn?

Kinda irritates me that stuff like this may make my nice all-in-a-box Netgear NAT useless some day, but it's nice to know that people like OpenBSD are there to back us up.

And like someone else said, what exactly does the cable company expect me to do? Expose all of my internal network to the internet? Cha right! They wouldn't even give me more than 3 IPs anyway!

Re:Thanks, sFlow! (1)

fuzzyping1 (266783) | more than 11 years ago | (#5795907)

Actually, if you have 3 IP's, you could just build yourself an OpenBSD transparent bridge. The bridge doesn't need an IP address on either interface, so you'd be able to use all 3 for your internal machines.

Unless, of course, you have more than 3 machines (and who doesn't?). The next best solution, in the short term, as you've mentioned, is a proxy.


You don't have to sign the contract (0, Insightful)

SourceHammer (638338) | more than 11 years ago | (#5795859)

If you sign a contract saying no NAT, or no multiple machines on your connection then you have agreed to it. My wife and I pay an extra 7 bucks/mo for two connections instead of one.

If you have agreed to one connection or machine and have multiple connections or machines then you are cheating your ISP. If you want to change it then call your ISP and negotiate, or sign-up with someone else, or move somewhere where you can get an ISP to agree to your terms, or form a buying group, or start a boycott, or picket. Do you think breaking a contract is OK?

Re:You don't have to sign the contract (1)

Narchie Troll (581273) | more than 11 years ago | (#5795916)


Re:You don't have to sign the contract (1)

pjkundert (597719) | more than 11 years ago | (#5795926)

Perhaps you meant to say that you pay 7 bucks/mo more for 2 distinct IP addresses? You probably only have one connection (hole in your wall, ADSL/Cable modem, etc).

ISP care? (3, Insightful)

ejaw5 (570071) | more than 11 years ago | (#5795860)

ISPs sell you connectivity, what right do they have to tell you what you can't do with it? Does your electric company tell you what you can and can't plug in and how many things you can power? Now, if i run extention cord around the neighborhood and charge people for it, then there might be a problem.

On internet: For all I'm concerned, I have *ONE* computer connected to my DSL, and other computers connected to the one computer. ISP gonna tell me I can't connect computers to each other? What's next? It'd be illegal to have multiple screen/keyboard/mouse on the ONE computer? (i think this can be done...buddyPC??)

The 'client' computers access resources on the 'gateway', which happens to include the external internet filtered through the firewall. I dont have multiple computers connected directly to the internet, that's just insecure.

And besides, what are they losing anyway from NATs? It's the same connection/bandwidth. 150kbs down on one box is the same as 150 split to 75kbs down on 2 computers. It's still only one IP. Whatever activity (and any responsibility) that goes on is on ONE account.

Re:ISP care? (1)

thebigmacd (545973) | more than 11 years ago | (#5795890)

Seems to be (I may be very wrong), but in the UK and other places they have something like TV and radio police or something...where you have to have licenses to own radio and TV sets. That's like telling you what you can't plug in. OF course it's not the power provider telling you that, but still.

Re:ISP care? (1)

robi2106 (464558) | more than 11 years ago | (#5795932)

That doesn't matter to them. If the ISP is interested more in money than satasfaction, then they will care how many computers are behind it. Many computers hints of a home business trying to pass itself off as a private user. And everyone knows that business stuff is more expensive (note sarcasm).


Re:ISP care? (1)

uchi (534979) | more than 11 years ago | (#5795980)

It's different for electric companies. Infact, if you did run an extension cord around the neighbor hood, you would probably help them. Less infrastructure they need to support. You are charged for electricity, unlike bandwidth in most American situations, based on the amount you use, not some flat fee. It may make sense to the people providing the bandwidth that NATs are bad because if you have two machines, the possibility that you will max out your bandwidth(thus, cost them more) is greater than if one person is using the bandwidth themselves. Anyways, if you don't like it, dont sign the contract saying that you agree to it. There are other options where you can have NATS legally - like a T1 or 56k :)

ip-personality could help (0)

Anonymous Coward | more than 11 years ago | (#5795865) can defeat these types of attacks, and also it can screw up nmap. I wish Linus would add ippersonality into 2.5 because it's becoming more important to have this type of tool.

Back to Un*x (0)

Anonymous Coward | more than 11 years ago | (#5795872)

Since this is all based on TTL, what I use an operating system that randomizes this to avoid fingerprinting? Do I now only get service if my packets look like they're being sent from windows? I guess if my ISP starts doing this I'll have to switch back to routing with my NetBSD box instead of my wireless router so I can scrub the packets to appear like I'm a windoze box. Of course I think it's unlikely that any ISP would really implement this.

Perhaps more importantly, your cable modem is running NAT also (check out traceroute some time) so this would all have to happen on board your modem (unlikely)

"The Slashdot article..."? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5795874)

Slashdot didn't describe how to count machines behind a NAT. AT&T Research did. Nice try to steal credit, though.

Why should we bother (2, Insightful)

jsse (254124) | more than 11 years ago | (#5795876)

afaik Super-DMCA will outlaw all attempts to conceal information in all communication devices, that'll illegalize all firewall, NAT and edge routers, etc.

Stupid as it sounds, but it goes thru our senators, it couldn't be wrong.

The little downside is that the only job left for IT is tech support for Windows installation....

*BSD is dying (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5795880)

It is official; Netcraft now confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

Legal? (2, Interesting)

NETHED (258016) | more than 11 years ago | (#5795882)

Is it legal for the ISP to sniff your packets? I'm very ignorant when it comes to such things, but this screams privacy issues.

Re:Legal? (0)

Anonymous Coward | more than 11 years ago | (#5795939)

I know someone who ran an ftp server that had some pirated software on it. The ISP noticed how much bandwith he was using, sniffed the packets and then logged into his ftp server using the username and password from the sniffed packets grab a list of the files he was serving and then wrote a letter telling him to shut it down or they'd terminate his inet access.

Even is this was illegal for the isp to do it just goes to show you that they will still do it.

Re:Legal? (2, Insightful)

realmolo (574068) | more than 11 years ago | (#5795979)

They're only "your" packets until they leave your computer. Then they are their packets, since they are on their network.

So yeah, they can sniff packets all they want. You agreed to that when you paid for their service.

Now, using what they find in your packets against you in court, or really doing anything with them other than protecting their own network/contracts...that's different.

pf , iptables ... (0)

Anonymous Coward | more than 11 years ago | (#5795885)

so anyone know if this can be blocked using pf or iptables or some other packet filter?

Bzzzt! Sorry; Close, but no cigar! (4, Informative)

pjkundert (597719) | more than 11 years ago | (#5795892)

The technique describes depends on two very simple mechanisms; A) assuming that a NAT router will decrement each packet's Time-To-Live (TTL), thus exposing its presence, and B) searching for independent, incrementing sequences if IP packet ID's, to estimate the number of hosts behind the NAT router.

The time before there are "fixed" versions of both NAT (which don't decrement TTL), and of IP packet ID's (changing all ID's into a single monotonically increasing order, or randomizing them) will be measured in hours.

Hopefully the authors of this paper aren't doing research for a living...

Easy to fix (1)

Skapare (16644) | more than 11 years ago | (#5795893)

This will be easy to fix. A hack to your NAT box source code (you are doing NAT with OpenBSD, Linux or some other open source system, right?) to remove the TTL decrement for NAT traffic (or re-increment it where the decrement can't tell the difference) would get around that aspect of the problem. I'd argue that one can NAT in a transparent "switch", which would not decrement TTL, so why not just make the OpenBSD or Linux box do that.

And for fun, add a randomizer to the initial TTL value. Thus instead of it starting at say 128, it could be a randomly chosen value between 100 and 140 (just to pick some arbitrary numbers).

(HA cluster)^-1 (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5795901)


Hardware list? (1)

xchino (591175) | more than 11 years ago | (#5795903)

Anyone know if there is a list of Hardware that uses sFlow?

Re:Hardware list? (0)

Anonymous Coward | more than 11 years ago | (#5795981)

ONly HP and Foundry right now, so this is no real consequence since most of the big ISPs are Crisco shops.

FUCKING EVA iS out OF contr()L!? (-1, Troll)

(TrollCore)Dessimat0 (663223) | more than 11 years ago | (#5795904)

TrollKore is back in business, you FUCKING whores.

Cmdr. Taco you fucking bitch fucking arsewipe! Come on, LETS HAVE A FUCKING FIGHT, JUST THE FUCKING TWO OF US, HERE, NOW!!!1


A MEMBER OF TROLL-KORE: (post as code)

- I hate you, I hate your country, and I hate your face!
/ | \
|_____| #TROLLKORE
| o /\O |
| UUUUU | Website coming soon, fagG0tZ!
| 8 | - Prince of Knobstradamus
|S S|


Easy fix (1)

Ungrounded Lightning (62228) | more than 11 years ago | (#5795917)

The described technique works by taking advantage of the fact that NAT forwarders decrement the TTL (Time To Live) field of the packets. So NAT flows

There's an easy way around this - especially for Linux boxes serving as NAT forwarders via ipchains' MASQ option:

Modify the software to allow the configuration to specify rewriting the TTL field to a value appropriate for a packet originating in the MASQing box. Apply this (at least) to packets net-bound.

(It might also be wise to allow the configuration to specify INCREMENTING the TTL field by an amount equivalent to the number of hops from the MASQing box to the target. Applying this to incoming flows would frustrate active probes on variations of traceroute's model.)

Of course care will have to be taken in setup. If the outgoing MASQed flow loops back to the MASQing machine in a way that gets it re-MASQed with a re-initialized TTL field, a packet sent to that address/port combination will circulate forever. Similarly, a looped packet that gets its TTL incremented incoming-packet style by an amount equal to the loop length would also loop.

Oops. Missing text. (1)

Ungrounded Lightning (62228) | more than 11 years ago | (#5795930)

The described technique works by taking advantage of the fact that NAT forwarders decrement the TTL (Time To Live) field of the packets. So NAT flows ... show a TTL fingerprint different from a flow originating at the forwarding machine.

plots (0)

Anonymous Coward | more than 11 years ago | (#5795921)

Please learn to properly format plots and axes.

Plots made by non-scientists in software articles look like a cross-eyed retarded kid drew them (the excel default). Please spend some time fixing the appearance, or at least grab the nearest chemistry or physics student and get them to fix it before presenting it.

I've seen lab reports that look like that get a grade of 0 simply for lack of presentation.

line support... (0)

Anonymous Coward | more than 11 years ago | (#5795927)

What if the line connecting you to the ISP can't be split? AFAIK you can only run one DSL connection over one physical copper wire. In most houses you can only have 2 or 4 at the most before you need redo the entire wiring in the house, possibly even pull extra wires from the main trunk etc etc etc... So in those cases, you'd have to sign up for N-additional regular phone lines, and if you run over the physical limits your wiring supports, you're just plain outta luck? You can only connect 4 computers at the most to the net? Am I missing something...

competition (1)

asv108 (141455) | more than 11 years ago | (#5795928)

I doubt we will ever see this technique used by ISP's, at least in the states, because there is simply too much competition. ISP's already have a tough enough time attracting customers, the last thing they want is a reliable $50/month going out the door. Routers are becoming too ubiquitous to start changing pricing policies to squeeze an extra buck out of consumers that already pay too much for broadband.

Just change ISP's (2, Informative)

_UnderTow_ (86073) | more than 11 years ago | (#5795934)

If you don't like your ISP's policies then change your ISP.

I get my DSL through, and so far they seem to be about the coolest provider I've heard of. They don't care how many machines you have hooked up to your connection, they don't care if you run servers, they actually encourage you to share your connection via wireless networking. I read in one of their recent newsletters that if you set up an AP they'd like to know so they can tell the other speakeasy customers about it. I'm pretty sure they're available in most large cities (i'm in seattle).

If you want to sign up and don't mind sending $50 my way use this [] referral link.

I hold your cunts, in the palm of my hand (-1, Troll)

(TrollCore)Dessimat0 (663223) | more than 11 years ago | (#5795945)

MY name IS Mr Taco, I like CHILDrEN'S PENIESES

A MEMBER OF TROLL-KORE: (post as code)

- I hate you, I hate your country, and I hate your face!
/ | \
|_____| #TROLLKORE
| o /\O |
| UUUUU | Website coming soon, fagG0tZ!
| 8 | - Prince of Knobstradamus
|S S|

Multiple NAT Routers (2, Interesting)

ArkiMage (578981) | more than 11 years ago | (#5795952)

Linksys and similar NAT devices are cheap now. What if you used 2 in sequence? I've done this before, but not for this type of reason. I know it will physically work but wonder about what it would do to this ability to count machines behind a NAT router?

Yawnn.. iptables? (5, Informative)

MacroHard (107619) | more than 11 years ago | (#5795955)

iptables -t mangle -A OUTPUT -i eth0 --ttl-set 64

Change TTL (0)

Anonymous Coward | more than 11 years ago | (#5795957)

Is it possible to change the TTL so that it's one higher, effectively hiding the NAT device?

Problem with my ISP (0)

Anonymous Coward | more than 11 years ago | (#5795958)

My ISP has a similiar rule, but If you want to add multiple computers they charge almost 10$ a month for each computer. That is outragous. I would like to comply with their rules but I do not want my montly internet bill to be 50$ extra a month because I use several different computers.

So as far as I am consider my machine providing the NAT/Proxy is the only one connected. It does all the file retrivial/web browsing. It just immeidatly serves that same information to another computer on my network. So IN FACT, only one computer is conected and services are not being offered on the WAN side of the connection which they govern.

Yes, and.... (4, Informative)

djupedal (584558) | more than 11 years ago | (#5795962)

I have three computers and a PS2 behind an Airport Base Station on a VDSL connection.

When my ISP shuts down all the chatter I see, around the clock, from Code Red hits (default.ida requests, etc.), like 12~14 per second, I'll be happy to discuss my 'expanded' bandwidth usage and how it impacts their resources.

Code Red has little direct impact on my boxes, since I'm MS free, but with the general effect being a load on the network right up against my VDSL modem, this is still a very real issue. If the ISP's want to reduce loads, they can look to stop some of the noise from other sources as well. What other sources? Let me think...ummm...spam mail? Port scan probes....

DMCA Violation? (0)

Anonymous Coward | more than 11 years ago | (#5795964)

Isn't this circumventing protection. If I make a reasonalble attempt to secure my network structure from prying eyes with a NAT box, and the cable company sues me for having more than 1 pc connected, can I not claim that they violated the DMCA by looking at the contents of my network without my permission?

Changing the ISP model (1)

Exanerd (649005) | more than 11 years ago | (#5795968)

I work for a Canadian high speed ISP with absolutely no problem with multiple machines. Granted there is no tech support multiple connections for your home network: if you can setup a network then its your job to support it, but as a provider, the customers are not billed more - in fact customers can get a second IP for FREE - encouraging use of multiple connections. After that you pay for add'l IP addresses. Tech support exists right up to the first network connection. The main criteria that drives internet providers is the customer and if they are happy, they pay their bills it keeps ISPs in business - pissing off the customer only makes things difficult. Bandwidth will always be the primary concern and as long as customers do not exceed the parameters set out in the acceptable use agreement, there is no problem. Remember: the "S" in ISP still stands for SERVICE.

Not Likely (0)

oaf357 (661305) | more than 11 years ago | (#5795975)

The US government is entirely too dependant on NATs and VPNs as it is. Just about every federal or military network utilizes NAT or has a VPN on it or allowing remote access to it. Laws of this nature will not pass if intelligent people object to them intelligently.

Now, ISPs can (even still) make up their own rules regarding NATs and search for them as they'd like. Who is to say that most ISPs don't already know who is using NAT and who isn't? Chances are that if a network admins that have access to a tool that allows him to actually see their entire network, they're using it.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>