Remotely Counting Machines Behind A NAT Box

Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."

Top 5 ways to count # of machines behind a NAT box

[Amsterdam Vallon]

5 -- Via the traditional finger point, coupled with the ever-popular audible counter increment

4 -- Thermal image detection scan

3 -- Utilize the same finger pointing mentioned in 5, but avoid the audible count as an enhanced privacy measure

2 -- Avoid counting and caring about counting altogether; continue browsing Slashdot

1 -- Call the dude with the NAT box and ask him!

Free tech news & blogging for life -- *nix.org [starnix.org]

What about NAT behind NAT?

[Anonymous Coward]

What about when I put a NAT machine behind a NAT machine? ;-)

jerk

[io333]

Please allow me to express the sentiment of most if not all home network users, as well as that of the companies that make routers for home use:

Thanks a lot Steve you PRICK!

No way!

[Arcaeris]

"Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."

Crap! Now I have to worry about my internet conn

Re:Not where I'm from

[Anonymous Coward]

If by GTA you are referring to the Greater Toronto Area, then yes, because they are capping bandwith and charging you extra if you go over limit. So go head, hook up as many computers as you want, they'll love it :)

research.att.com Slashdotted? Give me a break.

[Snork Asaurus]

Or maybe they think it's another Slapper.

Maybe someone can fill us in.

All my machines are single

[Anonymous Coward]

My friend says he has a couple of machines, though.

FreeBSD

[PunchMonkey]

Our technique is based on the observation...that the "id" field in the IP header is generally implemented as a simple counter

Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.

So my FreeBSD will look like thousands of PCs? LOL, that sure would piss the cable company off.

Re:what if they are chained?

[Snork Asaurus]

if your cable company is composed of jackasses

You mean there are some that aren't?

Quick!

[kliklik]

Let us quick slashdot the server before those "friendly" ISPs get the information and use it to count our machines.

Re:What about NAT behind NAT?

[Tumbleweed]

Well, then, they'll just use their ANTI-anti-NAT technology!

"No, no, not 'Anti-NAT," that's my Aunt Natalie!"

Re:Not where I'm from

[Anonymous Coward]

Do you live in Liberty City or Vice City?

Re:jerk

[VivianC]

Please allow me to express the sentiment of most if not all home network users, as well as that of the companies that make routers for home use: Thanks a lot Steve you PRICK!

And if you ever do anything like this again, you will get another Slashdotting!

AT&T can't stand slashdotting?

[random_nick]

Not even an AT&T host can stand slashdotting?

AT&T lets you connect five

[Qrlx]

According to their FAQ, AT&T lets you connect "four additional computers" to your cable modem.

I'm thinking that even for Slashdot readers, five computers in the house with broadband internet will be sufficient.

Read it here: [att.com]
Connect Multiple Computers to the AT&T Broadband Internet Service

Attention Customer:

[Snork Asaurus]

We are terminating your 28.8kbps dial-up service due to the following violation of the TOS:

Our expert system has detected that you are sharing a single connection with 4,179 computers.

Lets be real for a moment...

[tkrotchko]

The cable company can't tell when my cable modem is visible on the network.

And now suddenly they're counting machines behind it?

This is sounding like fantasy and science fiction to me.

Re:Not where I'm from

[PunchMonkey]

I remember playing Grand Theft Auto (1) on my PC a few years back. At the start of the game an announcer booms "Grant Theft Auto".... the first time my friend heard it he thought the guy said "Down Town Toronto".

Re:Not where I'm from

[Anonymous Coward]

Simple explanation, your friend is autistic.

Technical hypothesis, you are schizophrenic and you are blaming imaginary people for own fuck ups.

Re:trying to crack down on reselling

[ewhac]

It probably annoys the telcos to no end that a connection can be shared - they are more used to the "telephone" model, where there is one line going into the house and if 2 people want to have separate converations then they need two lines.

Well, the cable company is after me, and I can't understand why.

I picked up a used VAX-11/780 a while back (had the word 'dagobah' scrawled inside the door, never figured out what that was about), and have a couple dozen friends and neighbors hooking up to it via a combinaton of Wyse-50 serial terminals and NDS dedicated X terminals. The terminals are "dumb" and can't do any local processing. All the compute resources are on the VAX, there are no NAT services running, and only one IP address is being consumed. So the connection isn't being shared.

Still, the cableco is giving me static about connection sharing, saying it's tantamount to running NAT. I countered by saying that running NAT is tantamount to running a large multi-user machine. But their lawyers are better dressed than mine, and are threating criminal cable fraud charges. I have no idea how it will turn out. If they decide to go to the mat, it'll be interesting to watch the local constabulary confiscate the VAX for forensic examination.

Schwab

P.S: Anyone know how to compile Quake2 for this thing? It keeps crapping out on the CPU_ARCH #define with the message, "Carmack hits you with a cluestick --more--".

P.P.S: :-)

Re:Not where I'm from

[Spruitje]

Multikabel/quicknet does not allow a router.
But they do recommend you to use a firewall.
The firewall i'm using is running linux with an iptables based firewall.
Behind it are 8 computers.
So, it's not a router but a firewall.

Re: Liberty City or Vice City

[Anonymous Coward]

in soviet russia, internet logs onto you!!!!