The Internet

Remotely Counting Machines Behind A NAT Box

Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."


  • Now I'm going to have to go back to being pissed that I had to do this, right when I got used to having it there and was fine with it now that I was safe.
  • Not where I'm from (Score:5, Interesting)

    by pi radians ( 170660 ) on Wednesday February 05, 2003 @05:46PM (#5234665)
    Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause.

    There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.
    • by Anonymous Coward
      If by GTA you are referring to the Greater Toronto Area, then yes, because they are capping bandwidth and charging you extra if you go over the limit. So go ahead, hook up as many computers as you want, they'll love it :)
    • by cayenne8 ( 626475 )
      Yeah, my first question was, "Is this a problem?" I'm with Mindspring, and they don't seem to have any problems with multiple computers...mine are all wireless hooked to the DSL wireless router/ 'caps' either that I know of....
    • by aberson ( 461047 )
      Verizon DSL in NJ told me a NAT was no problem, and they are willing to support certain brands... and sell them to you. Of course, that was probably a last ditch effort to give up trying to restrict users and instead make money off multiple computer some other way. With something like this, they could quickly change their minds again.
    • by Anonymous Coward on Wednesday February 05, 2003 @06:05PM (#5234953)
      Do you live in Liberty City or Vice City?
    • If the cable company thinks they can successfully charge me $10 extra per month for extra IP addresses ($5 per extra address: gf's comp + Tivo), they're crazy. Here is what will happen:

      1. Cable gets cut - no more basic + digital package + cable modem: Cable Co will lose $115/mo

      2. Mini-dish goes up and DSL comes in.

      • Who's your daddy? (Score:3, Interesting)

        by Chazmati ( 214538 )
        I enjoyed telling the cable people to screw off. They charged me in advance of services rendered (!) and every time a legislated rate decrease was passed, they would somehow have an increase in operating costs that exceeded it (so rates would go up anyway).

        But then I went to DirecTV, and it felt good to not be the hostage of the cable company... until I realized I was still a hostage.

        I do have DSL, but we finally booted DirecTV. It was just too much money every month. I tried calling customer service to see if I could step down to a more economical package (maybe with the 10-15 channels I actually watch) but they told me I was already at the lowest level (which has seemingly hundreds of channels). The infuriating part: when I called to cancel they said I could switch to a cheaper package with less channels.

        But anyway, this is about IP addresses and NAT; couldn't we have a kernel/netfilter module that will resequence all outgoing packets consecutively and reverse on the return?
    • by oliphaunt ( 124016 ) on Wednesday February 05, 2003 @07:20PM (#5235716) Homepage
      OK, play lawyer with me for a little bit. What do these licenses actually say?
      here's one. []
      Seems a little arbitrary, but they're small fry. let's go bigger:
      here's another. []
      I think this bit applies to the question at hand (emphasis is mine):
      3(b) SBC Yahoo! DSL. Your SBC Yahoo! DSL Member Account allows for one DSL connection and one other simultaneous network connection (such as a dial-up line) for a total of two (2) simultaneous network connections to the Internet. SBC reserves the right to prohibit any additional simultaneous network connections.
      This policy does not prohibit multiple DSL users from connecting to the Internet over the same DSL network connection using customer premise equipment such as a router or home networking equipment.

      How does this imply that you can't share a DSL connection? OTOH, it explicitly says that sharing a connection is OK.
      however, if we look to AT&T DSL [] TOS, they are somewhat more restrictive:
      8a. Improper Use. You agree to comply with the "ABC's of AT&T Worldnetiquette," which are described in Section 10. You cannot create a network (whether inside or outside of your residence) with AT&T DSL Service using any type of device, equipment, or multiple computers unless AT&T has granted you permission to do so and you use equipment and standards acceptable to AT&T. AT&T may cancel, restrict, or suspend the Services and this Agreement under Section 11 below for violating these provisions.

      A little tougher, but it doesn't actually rule out connection-sharing entirely- just requires that AT&T grant you permission, right? So they must have a process for granting the approval, and a list of approved equipment.

      Since I'm bored today, I called them up. I pointed the nice lady at their TOS, section 8(a), and asked if she could provide me with a list of AT&T approved equipment, and/or the approval process for home networking. She put me on hold for a bit. When she came back, she told me that AT&T DSL is not the same as AT&T WORLDnet DSL, and I had the wrong phone number- but WORLDnet doesn't allow any kind of connection sharing- and she'd happily transfer me to the REAL AT&T. The second phone monkey had no idea what I was talking about- ditto the 3rd. Neither of them could understand why I would want to ask questions about their TOS if they couldn't even deliver service to my residence. The fourth phone monkey told me that they don't support any kind of multiple connection, and that the "grant you permission" line is in the contract for things like automated security systems that call the police department when someone breaks into your house.

      So. Score: SBC +1 (but -1 for their stupid 'frames' patent), AT&T 0. Interesting article, but since I'm on SBC, I won't be changing my NAT settings...
      • support for my area explicitly helps people with setting up linksys and similar NAT gateways.

        Remember, outside of the support issues, supporting this technology makes their life EASIER. They limit your up and down rates, and your number of connections to the news server (4 simultaneous) so why limit the number of machines? The whole point of these devices is that one machine looks like multiple machines, so they have no reason to care.

        If you want multiple IPs, then you have to pay more.

      • Super-Net Cable Modem Service Terms
        This is the title of the contract (duh). It tells you briefly the scope and nature of what is to follow.
        This agreement, along with the Service Subscriber Agreement and Installation Agreement, is the complete agreement between Super-Net and the Internet user.
        This clause attempts to close the agreement to any outside evidence of contrary intent in the forming of the contract. In many states, this will suffice to cause this contract to be the entirety of the agreement. In many states, however, this clause is merely expressive of an intent to conclude a bargain, and may be supplemented with extra evidence (emails, phone conversations, etc.) that would demonstrate that one of the parties intended something contrary or in addition to this contract.
        Super-Net may discontinue or change the services offered and/or modify the terms and conditions of this agreement at anytime. Changes modifications or additions are On-line at If you do not agree to these terms and conditions, please notify Super-Net via email at so we may initiate a closure of your account.
        This clause essentially allows Super-Net to vary the services and the terms by which you use them at will, with no notice. This would include pricing, acceptable use, and even the product offering. This essentially labels the agreement as non-negotiable, in that you have to take the agreement - and their services - as is.
        1.0 Account and Agreement Term 1.1 This agreement shall remain in effect as long as the Internet User's account remains open, valid or undeleted on a Super-Net server. The Internet User may cancel this agreement at anytime, for any reason by providing Super-Net proper acceptable written notice in accordance to the terms stated herein.
        This establishes terms for the start and finish of the agreement. Basically, it means that it starts when you agree to it (accept their offer, or, depending on the way they phrase it, make an offer to accept their product, which they then accept by taking your payment information), and it ends whenever you notify them in writing.
        2.0 Account Cancellation Requests 2.1 Cancellation of an account requires at least 24 hours notice and must be received in writing via fax or email at Such requests must be received 30 days prior to the 1st of the month in order to be processed by the beginning of the next accounting cycle. 2.2 All Super-Net accounts must be paid in full before cancellation is complete.
        This tells you that you are bound by a 24-hour notice provision, meaning you may notify them one day, and you'll actually cancel the next. The second sentence means that they can bill you for another month if you don't cancel 30 days out from the next cycle. You'd probably get a refund, but it means they have some extra cash for a short time.
        3.0 Indemnification 3.1 The Internet User acknowledges that Super-Net makes an honest effort to keep the software, data and information available on Super-Net's servers accurate. Super-Net has no control over any information, data or software that is available through the Internet. Super-Net makes no warranty of any kind, either expressed or implied, regarding the accuracy, or validity of data, software and information available. Use of data, software or information obtained from or through Super-Net is always at the risk of the Internet User.
        This basically says Super-Net will make a good faith effort to keep things working, but you can't hold them responsible ("no warranty of any kind") if something goes amiss. They then say, in the last sentence, that you can't hold them responsible if something bad happens to you while you use their bandwidth. Illustration - if someone h4x0rs j00 and is able to do so at least in part because of a weakness in their system, you're (purportedly) out of luck.
        3.2 The Internet User agrees to indemnify and hold Super-Net harmless from any and all claims, including attorney's fees, resulting from the Internet User receiving Super-Net Cable Modem services or software that causes direct or indirect damage to the Internet User or another party.
        And, this gives some meat to the prior assertion, saying that you can't hold Super-Net liable (make them pay for harms) for harms you or another person may suffer. Even more, it means you may have to pay THEM if harm comes to someone else via your computer (say someone used your computer to launch an attack, the target suffered damage, and sued Super-Net - you may be subject to a lawsuit to recover Super-Net's defense costs and penalties).
        4.0 Fees and penalties 4.1 Charges or fees associated with canceled, closed or terminated accounts are not prorated. Accounting cycles begin the first of each month.
        Basic, just tells you when the billing is. This is all the notice they are required to give you that they're going to bill you.
        4.2 All payments shall be paid in advance of receiving services.
        You pay for the month ahead, not the month just completed. In other words, you're paying for services to be rendered, not services already rendered.
        4.3 Payment is due at the beginning of each billing cycle. Personal accounts are billed to your credit card that you have provided for this purpose.
        No big deal. They basically say you have to pay by credit card.
        4.4 Accounts that are delinquent by two accounting cycles may be terminated and deleted.
        Keep at least two months current or they'll cut you off. That also means, if you miss a month, they WON'T cut you off.
        4.5 In the event an account is terminated a reconnection charge not exceeding $25.00 is required to remove the hold status.
        They reserve the right to hit you for $25.00 (or less, yeah, right) to reconnect you after you've been disconnected for any reason.
        4.6 The Internet User acknowledges account responsibility until payment is made in full. In the event that the cable modem was rented or leased monthly account basic charges remain in effect until the cable modem is returned or paid for in full.
        This sets you up to be responsible for paying for your service until you are able to return the hardware. If you don't or can't for some reason, they'll keep dinging you.
        4.7 There is a $35.00 service charge for each returned check.
        Penalize you for being a check bouncer.
        4.8 Super-Net will publish a notice of fee increases 10 days before such increases take effect.
        Here they qualify their "change terms or products at any time" clause above by saying they'll "let you know" 10 days before they raise your rates. "Letting you know" is a fuzzy term - all they may have to do is post the rate change somewhere on their site, and then you're expected to stay aware of the changes. This is called "constructive notice."
        4.9 A $500 fee will be incurred for failure to return the cable modem within 30 days of termination.
        Self explanatory. Return the equipment or get hit with a penalty.
        5.0 Accounts and Use of Services 5.1 The Internet User agrees to maintain a secure password. Secure passwords are those that are between 6 and 8 characters long, contain upper and lower case letters, and numbers or other characters.
        CYA clause... They want you to choose a secure password. Note, however, that they do not provide any links to a secure password generator - that's so they can't be liable if you were to use such a service and still get hacked. The burden, once again, is on you.
        5.2 The Internet User agrees not to use Super-Net Cable Modem services to make unauthorized attempts to access the computers, accounts, files, systems and networks of others.
        Don't hack anybody. A good lawyer may be able to construe this to mean "Don't use Kazaa." (unauthorized attempts to access ... files ... of others -- unauthorized by whom?)
        5.3 The Internet User understands that no third party cable modems will be allowed on the cable system, which were not bought from or provided by Super-Net.
        You must use their equipment.
        5.4 The Internet User understands that an active cable TV connection from Massillon Cable TV is required in order to use a cable modem. A separate charge exists for cable TV service. Failure to maintain an active cable TV connection will cause an interruption of cable modem service. Monthly service charges for cable modem service will continue even if cable TV service is discontinued.
        You've got to buy their cable service to keep their internet service. Pleasant of them, no?
        6.0 Net Etiquette 6.1 The Internet User acknowledges proper Internet etiquette will be practiced at all times. The Internet User agrees to use the services provided by Super-Net as permitted by applicable local, state, and federal laws. The Internet User agrees, therefore, not to use these services to conduct any business or activity or solicit the performance of any activity that is prohibited by law. All commercial usage by the account holder, such as advertising, announcements or postings shall be performed in a considerate, unobtrusive manner that shall not waste or overuse Internet data bandwidth. Spamming (the sending of large volumes of email) is considered to be obtrusive.
        Don't do anything that might be construed as illegal. Also, be polite. Explicitly, they say spamming is wrong, as well as commercial use. They do NOT, however, exclude other activities in this clause. Once they set out specific things that are "wrong" they can't add to that list at will - or, they can, but they'll only have an effect on you after they add them to the contract, and will likely not be applicable to anything you did before.
        7.0 Abuse of Services 7.1 Usage of Super-Net resources that disrupts the normal use of Super-Net servers, other Internet hosts and/or other Super-Net customers is considered to be abuse of resources and is grounds for account cancellation. Some examples of system abuse include consuming excessive amounts of memory, circuit bandwidth or CPU time.
        Don't use any file sharing systems, don't attempt to use the idle CPU cycles of others without their permission, and don't do anything (this is broad) that might use "excessive" amounts of computer resources. They don't define excessive, probably to give themselves the flexibility to define excessive should they ever end up in court.
        7.2 Depending on the nature and the severity of the abuse, the user may have their account suspended by Super-Net. Occasionally, unintentional misuse is misinterpreted as intentional misuse. Customers who believe their activity has been misinterpreted may appeal to Super-Net.
        Do something they consider wrong, and you'll be terminated without notice. Then you have to ask them to reconnect you and prove that you weren't doing anything wrong.
        7.3 Super-Net does not allow the unprotected distribution or storage of any pornographic or like material in any Internet User's account. Posting such material for public access is grounds for immediate account cancellation.
        Don't post nudie pictures on your website. This MAY also apply to pornography shared through Kazaa.
        7.4 Harassment of others via the use of Super-Net access is grounds for account cancellation.
        Don't stalk the people you play Everquest with.
        7.5 Operating a web or other publicly accessible server via a Super-Net cable modem is prohibited. (This includes Napster, Songspy ..etc)
        No web servers, no file sharing systems. What's interesting is that by the letter of this agreement, a "publicly accessible server" could be interpreted as chat programs, even ping.
        7.6 Providing Internet access to a user at another location via the cable modem is prohibited.
        You can't resell the service or splice your neighbor onto the account.
        8.0 Copyrighted and Public Domain Material 8.1 Public Domain materials may be downloaded or uploaded using Super-Net access. The Internet User accepts all responsibilities and assumes all risks that are associated with the determination of whether or not material obtained via Super-Net is in the public domain.
        You can download non-copyrighted music to your heart's content, but if you get busted downloading copyrighted stuff, you can't sue Super-Net for contribution to any civil damages you might incur.
        8.2 As provided by United States law and by International treaties, copyrighted materials (like, images, text, and software) may not be uploaded using Super-Net services without the permission of the copyright holder. Copyrighted materials may be downloaded for personal use. Except as expressly permitted, materials under copyright may not be distributed to others. Copyrighted material may not be changed or modified in any way.
        You can download copyrighted materials you have permission to access (RealAudio streams you've paid for, etc.), but you can't modify them (scratch using your PC for business if you're in digital media), or reupload them.
        8.3 Notice: Some materials on the Internet and provided by Super-Net are called "SHAREWARE" or "FREEWARE." Generally these materials are copyrighted. The copyright holder often gives limited permission as to the use of these materials. If you choose to continue using the materials, the copyright holder requests that you register your usage and may ask that you pay a license fee.
        Strange to include this. Basically, they're saying to pay up for your shareware. Odd that they would include this, unless - at the beginning - they give you shareware as part of their package.
        9.0 Electronic Data Services Provided 9.1 Super-Net will provide Internet and computer related services on its data access servers to individual and business Internet Users for a fee, provided the Internet User complies with the terms and conditions set forth in this agreement.
        This tells you what they'll do, and under what circumstances.
        9.2 Super-Net Cable Modem Services are defined as Internet communications access and information services. These services also include access to software, computing, data and information services provided by others via the Internet.
        This specifically defines what the cable modem service consists of. You could also call this clause "what is a network?"...
        9.3 Super-Net Cable Modem Services include access to USENET Newsgroups. Some groups contain language or images of subjects intended for adults. Internet Users less than 18 years old must have a parent or legal guardian agree to these conditions to indicate acceptance and knowledge of this.
        Don't be surprised if you see naughty words in USENET. And if you're under 18, don't even look at the stuff.
        10.0 Super-Net right reserved 10.1 Super-Net reserves the right to refuse service to anyone for any reason, as with in Super-Net's rights as a business entity in accordance with the laws of the Internet User's State.
        They say that they can deny service to anybody they don't like, unless denying service would itself be illegal (i.e., denying based on race, etc.)
        11.0 Effective Date 11.1 This agreement became effective upon the opening of the Internet Users new account.
        As soon as you "open" the account, the terms apply. Here's a perfect example of why the very first clause (final and complete) is fuzzy: When - exactly - did you open your account? When you requested service? When you provided them with a credit card? When you actually paid for your first month or any setup fees?

        Anyway, IANAL (yet), so don't rely on this information as legal advice (see, cover my own ass). But this is actually a pretty basic contract, and though you don't have any leverage at all to negotiate it, a court may - depending on the state - let you wiggle out of a number of the provisions. Then again, they may not.

        Oh, and it doesn't say a word about operating a firewall, router, or multiple computers, unless they were able to construe the "excessive use" provision as prohibiting multiple computers.

    • by Chasuk ( 62477 ) on Wednesday February 05, 2003 @08:34PM (#5236399)
      I work for an ISP where we enforce a single-machine license clause, and we do it for a very good reason: we aren't a charity. If it costs us more, it costs you more.

      We don't conceal this fact, and customers who are not happy with this clause are, almost uniformly, the customers who would cost us money instead of being a source of income.

      We are a small mom-and-pop ISP, and we get charged by the telco per kilobyte of traffic. If we charged everyone more to compensate for the bandwidth hogs, it would certainly be unfair to the low or moderate users, so we instead assign static IPs and charge per IP/computer. In other words, every computer attached to the Internet via our services must have a unique IP. We do make exceptions, but we still charge for one IP but five PCs connected/downloading from the Internet at the same rate as one IP/one PC.

      The telcos keep our costs so high that we can't afford to do otherwise.

      The customer's cost for five IPs versus one IP is a difference of $12.50, which is quite reasonable.

      We let you run servers on your static IP connection, and will host your DNS for free. We aren't money grubbers, in other words. But we are a business which intends to stay solvent.

      We do kick people off periodically, usually because they lied when they signed up, indicating that they would have one machine connected and actually had three or four, using IP masquerading. It isn't THAT hard to determine who the dishonest are, using the simple question: you are using twice (or three times) the bandwidth that an average customer would use connected with one PC 24/7. Do you have more than one system connected? If they say yes, we give them the opportunity to pay at the increased rate. If they decline, we kick them off. If they answer no, we start investigating where our system might be reporting erroneous data. We don't assume that they are being deceitful. More people than not are telling the truth.

      This is also largely why we disallow P2P file sharing applications. After an audit, we discovered that fewer than 5% of our customers were consuming the majority of our bandwidth. It was either raise prices for everyone, or disallow P2P file-sharing. We _do_ allow P2P file-sharing for customers who are sharing their own files; their own songs, etc., as those customers actually consume very little, if any, extra bandwidth.

      Whoops. I appear to have gone off-topic. I think it was relevant, as it helps explain the realities why an ISP would need to enforce a single-machine license clause.
      • by Anonymous Coward on Wednesday February 05, 2003 @09:02PM (#5236574)
        In a properly-functioning economy, you'd be charging for traffic (tiered or metered) since that drives your cost. Your interest in how your customers are processing their traffic internally is inappropriate, and the IPv4 address space you're squandering should be reassigned to someone more ethical.
        • AMEN (Score:3, Insightful)

          by raygundan ( 16760 )
          Why are you charging per IP? Charge these people by the traffic they use. I also fail to understand how having two machines behind a NAT can use twice as much bandwidth. I would assume you cap the bandwidth already, but if not-- a single machine with a 100MBps ethernet card could saturate a whole stack o' T1 connections. There is no need for more than one box running 24/7 to eat all of your bandwidth and then some.

          I understand the need to make money-- you are a business after all. But don't charge based on how people use the bits after they get there (whether they all go to the same PC or get split up by a router)-- charge them based on how many bits they use. If they want extra IPs for $12, that's cool too. But don't enforce it on everyone. That's a massive waste of IP space.
      • by Karrots ( 14012 )
        Ever thought of bandwidth metering? That's what the ISP I used to have did: something like 12 Gigs a week. They mainly did it so they could provide a good level of service to everyone. If you wanted more gigs you could purchase more.

        Recently they just lifted the Download metering for weekend and night time. Pretty cool I think.
      • by Anonymous Coward on Wednesday February 05, 2003 @09:39PM (#5236859)
        And why on earth would you have a metered T1 if you were an ISP? Is a flat-rate T1 simply not available in your area?

        I also operate an ISP, and we have a flat-rate T1. We don't care how many computers a customer has connected--we only care how much data is transferred, and we bill accordingly.

        I would not use an ISP that placed restrictions on how many computers I could connect, mom-and-pop ISP or not. Life's too short. I live in a house with four computers, and they all get used a good portion of the evening. Why should I have to put up four antennas just so I can hook up four computers?
      • by chriso11 ( 254041 ) on Wednesday February 05, 2003 @10:08PM (#5237049) Journal
        Well, then suddenly SBC doesn't seem like such a group of bozos. Multiple computers does not necessarily equal higher BW. For me, when my daughter comes home from college, my BW usage spikes. Now if I have 2 computers connected or 1 computer, it doesn't matter, the cause of the BW usage is not a function of the number of computers.

        And I don't like your phrase 'bandwidth hogs' anyway. Either commit to a level of BW or an amount of data to transfer, or don't bitch about a subset of users using more than 'their share'. To me, it sounds like a fitness club owner complaining about some of the members who actually come in and use the equipment! The nerve! And they stay for hours too!

        If you are charged per KB, then charge your users per KB. McDonalds doesn't charge customers on their cholesterol level, they charge customers on the food that they order. I just don't see how multiple computers are the root cause of your problems.
      • by Sabalon ( 1684 ) on Wednesday February 05, 2003 @10:39PM (#5237237)
        This is apples and oranges.

        One machine could suck as much bandwidth as 10 machines doing next to nothing.

        Also, the idea behind NAT is that it only uses one IP address.

        Here at home, I have an army of computers (most junk). My cable modem hooks to a NAT/firewall (Linux). Behind that is my desktop. I also have a wireless access point so when I'm sitting outside in the hammock I can get on from there, or the wired bedroom or living room, or my wireless iPaq.

        And regardless of how many machines I have, I am still capped at 512k for all of them. While it is true I could use all of them to saturate that 512k, I could easily do it with just one machine as well.

        Sounds like you need to get some equipment that can do rate limiting and just sell bandwidth instead of hassling customers.
      • This isn't necessarily directed at you or your ISP, but just an observation about many ISPs.

        Your argument is that having multiple machines correlates strongly with high bandwidth usage. I am not going to debate this.

        My problem starts when you try to say users shouldn't be using that much bandwidth. When you say that P2P burns bandwidth like popcorn, and you can't support those users.

        Here's the thing: I pay for *unlimited* bandwidth. I should be able to saturate my 768/128 pipe 24/7 and no one should be able to complain. That's what my ISP advertised.

        Now, if the ISP can't afford to provide unlimited (and they advertised that they would), then they should fix the advertising. Don't cap my bandwidth usage, I pay for unlimited.

        I understand that you guys can't afford to allow unlimited access: stop advertising it, then.
  • Protection for Linux (Score:2, Interesting)

    by JWSmythe ( 446288 )

    So how would a geek like me hide my machines with a Linux firewall, using ipchains? Or am I protected? Would my vmware instances show as multiple machines?
    • by chill ( 34294 ) on Wednesday February 05, 2003 @06:31PM (#5235202) Journal
      The article talks about the IPid field in the IP header and how it is used for packet fragment reassembly.

      While you MIGHT be able to use the "mangling" abilities of iptables to rewrite headers on the way out -- I suspect the key is monitoring fragment IDs on the way IN. This would be by an upstream connection, before the packets got to your machine. Thus, there isn't a damn thing you can do about it.

      Match an outgoing request (via IP destination) to incoming fragments (via IP source and IPid). Not only could the monitor build a map of the destinations, they could reasonably determine via statistical analysis of the access times and frequencies, how many machines are behind the NAT making the requests.

      That's probably the long, hard way. I need to finish reading the article, first.
    • Easily, you just proxy your connections.

      I've got DSL and cable. My DSL is a general purpose connection (and more widely used). It's natted, with some filtering preventing certain egress traffic.

      My cable has a single box hooked up to it, but all of the machines use it. However, this method will not help the cable company to see how many machines I have behind it because it does not NAT. It's got a SOCKS5 proxy and a squid proxy running on it. Everything that uses that connection rides over one of those proxies.

      The other benefit is that when the cable goes down, it just picks up and moves to the other connection. Sure, current connections break, but that doesn't so much matter for web browsing (which is mostly all the thing does).

  • Not a bad thing (Score:5, Informative)

    by gengee ( 124713 ) on Wednesday February 05, 2003 @05:47PM (#5234673)
    This could be pretty handy. One of the problems with L4 load balancing schemes is that the only way to do persistence tracking is by client IP address. (Persistence tracking is necessary if your application does not save state to some central place). Unfortunately, this means thousands of users behind a single NAT'ing box may get assigned to the same server in your load-balanced pool. If you could identify a specific NAT'd box behind a gateway, you could assign the users to different servers.

    Still be screwed by proxies, though...
  • by SHEENmaster ( 581283 ) <travis@utk . e du> on Wednesday February 05, 2003 @05:48PM (#5234693) Homepage Journal
    so that you have two firewalls back2back and the other boxes behind it? It's a bit extreme, but worth it if your cable company is composed of jackasses.

    Most users just want web access, and this technique doesn't work on proxies.
    • by Snork Asaurus ( 595692 ) on Wednesday February 05, 2003 @05:58PM (#5234849) Journal
      if your cable company is composed of jackasses

      You mean there are some that aren't?

    • Ok - Panicking in Austin here. Can you do this with a second NAT device? I have a nice Router using NAT (SMC Barricade - SMC7008BR). If I buy the new SMC model and stick it between the Cable Modem and the current SMC, would this avoid any detection? A one time $100 seems like a simple solution for my home network. Even pays for itself in a month.

      Thanks in advance,

    • by tjrw ( 22407 ) on Wednesday February 05, 2003 @06:16PM (#5235052) Homepage
      Wouldn't make a jot of difference. The current firewalls aren't rewriting the IPid field anyway, so adding an extra hop would not affect the analysis at all.

      In reading the paper, it is apparent that this is not a particularly cheap thing to attempt. I can't see how it could be easily automated and deployed on a large scale, even assuming someone could be sufficiently bothered to do so.

      If you want protection from this, you're going to need to do some serious work on iptables to add tracking of fragments to the connection tracking code and to rewrite the field on outbound packets to some pseudo-random value. Interestingly this is the "correct" thing to do anyway - otherwise it is theoretically possible to generate two packets with the same id, both fragmented from different internal hosts to the same destination, and screw up the fragmentation reassembly at the receiver.


  • 5 -- Via the traditional finger point, coupled with the ever-popular audible counter increment

    4 -- Thermal image detection scan

    3 -- Utilize the same finger pointing mentioned in 5, but avoid the audible count as an enhanced privacy measure

    2 -- Avoid counting and caring about counting altogether; continue browsing Slashdot

    1 -- Call the dude with the NAT box and ask him!

  • by Anonymous Coward on Wednesday February 05, 2003 @05:49PM (#5234706)
    What about when I put a NAT machine behind a NAT machine? ;-)
  • by jericho4.0 ( 565125 ) on Wednesday February 05, 2003 @05:49PM (#5234709)
    but I bet a fix will appear for the Linux kernel pretty quick.

    This is similar to the paketto suite. That allowed pinging behind a NAT wall.

    • by FreezerJam ( 138643 ) on Wednesday February 05, 2003 @06:32PM (#5235214)
      > How to block our analytic technique - which
      > turns out to be the behaviour required for
      > correct functioning of NAT boxes - is
      > described in Section IV.

      As I understand it, if the NAT box does NOT rewrite the IPid, then there is a risk of IPid collision if two sources behind the NAT are sending to the same destination, and the packets fragment.

      This means it is possible to demonstrate a bug in most home gateways - perhaps that way they may get a fix long before most major ISPs can implement this.

      Meanwhile, they hint at another way to confuse the scanner. Since your ISP does not see intranet packets, have each machine generate lots of itty bitty packets (pings?) and just send them to the gateway. Have a background task do this - all those IPid increments will break up the patterns in IPid on the outside of the gateway. Since most home LANs have higher inside bandwidth than outside bandwidth, this shouldn't affect available bandwidth too much.
  • Silver Lining? (Score:5, Insightful)

    by Anonvmous Coward ( 589068 ) on Wednesday February 05, 2003 @05:49PM (#5234711)
    "Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."

    Yeah, that pretty much sucks. There may be a silver lining, though. The more crap these ISPs pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking. "Sure, go ahead and set up a wireless LAN in your complex. We'll even let you pay to increase your bandwidth to accommodate all those users! Tell them that for $5 a month, they can each get a mail account or some other fairly interesting service."
    • It's already here (Score:5, Informative)

      by ptbarnett ( 159784 ) on Wednesday February 05, 2003 @05:58PM (#5234857)
      The more crap these ISPs pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking.

      It's already here: SpeakEasy.

      Their TOS explicitly states:

      "Speakeasy believes in the right of the individual to publish information they feel is important to the world via the Internet. Unlike many ISP's, Speakeasy allows customers to run servers (web, mail, etc.) over their Internet connections, use hubs, and share networks in multiple locations."

    • Speakeasy DSL seems to be pretty much that type of service, for the most part.

      Too bad it's not available where I live, except for the uber-expensive IDSL and therefore ultimately useless variety.

    • Re:Silver Lining? (Score:4, Interesting)

      by digitalsushi ( 137809 ) on Wednesday February 05, 2003 @06:03PM (#5234932) Journal
      A geek friendly ISP, that is, one that would want customers that utilize their connections, would be more than happy to sell them all full T1 service for about 400 to 1200 dollars a month, depending on where you happen to live :)

      I think in general (not aimed at you, Anonvmous) people tend to not realize that everybody has to share when it comes down to it. Sure, most ISPs cover that fact with a healthy dose of greed, but in the end, a 50 dollar price point is what you get after you trim the 1% of us, the power users. They don't like us and there's a good reason- we cost them money when we use more than the normal user! And I don't blame an ISP for enforcing; it's not a matter of being fair as they are just doing this to make money.. a geek friendly ISP would last all of 10 minutes with similarly priced services as what is regularly available. Oh well. I got my plan all worked out. Another 40 a month and I can have business DSL- full servers, whatever I want, NAT, all perfectly cool with the ISP. Ah, but I lose 'cause I gave up the 40 extra a month? Not when they make a policy change to the residentials and I'm the only one left with a working web and mail server :D
      • Re:Silver Lining? (Score:3, Insightful)

        by bnenning ( 58349 )
        They don't like us and there's a good reason- we cost them money when we use more than the normal user!

        I'm not sure about that, we also use less of their expensive tech support. And even if excessive bandwidth use is a problem, it's far more reasonable (and effective) to simply limit bandwidth than to dictate that home networks aren't allowed.

      • It's people who want streaming audio and video, or massive file sharing. Power users just want to be able to download the data they need, when they need it, without a long wait. I don't say this to put down people who do streaming - I use it too, sometimes. But a power user probably consumes an order of magnitude less bandwidth than a user who has the connection primarily to do streaming media. Personally, I'm exquisitely happy with my broadband DSL connection, and with my ISP (speakeasy).

        My main worry right now is that Congress will kill my ISP by fiat, and I'll be forced to buy service from a baby bell again. :'}
    • by MrLint ( 519792 ) on Wednesday February 05, 2003 @06:34PM (#5235225) Journal
      History does not bode well for the broadband providers on this. If one recalls back in the day, the Telco (MA-Bell/AT&T) used to tack on an additional charge for every actual receiver (that you were forced to rent from them) on the phone line. For those who know POTS (plain old telephone system) an extension can be added by just tapping a wire onto the existing wire in the house. However when MA-bell got broken up in the 70s(?) I believe they did away with this foofah, and you paid for the telephone *service*.

      CATV (cable) used to be the same way.. you had to pay extra for each TV. And then they stopped doing that and you paid for *service* of the signal.

      Now here is where it gets tricky: unlike POTS and analog CATV, where the line is hot or it's not (so to speak), with broadband you actually have discrete data you are passing around. This should be the *service*. However it could end up being a pay as you go service (bad for the users, good for the money grubbers) or a limited throughput 'unlimited' service (which is mostly how it is now). Currently I don't see a metered usage model flying right now and this is why:

      Everyone that adopted broadband early wanted it (and could get it) got it. Dialup services are cheap and unlimited. If you start charging for broadband based on usage you aren't very attractive to those people you want to take away from dialup who are complacent and will cope with what they have. A metered service is (in consumers' minds) *NOT* a better value than an unmetered service.

      As we know there is a mega glut of fiber, broadband should be getting cheaper rather than more expensive.. but that's another article. It's going to be hard to justify metering people when there is so much capacity unused. (hopefully supply and demand will work out here).

      Now this is what is going to happen: when a critical mass of people stop using dialup, and then modems stop coming standard in computers, and then the broadband guys think they have a captive audience, they will get everyone in the cartel on board and raise rates and meter usage. What's worse is that they will claim there is a lack of long haul bandwidth, which probably won't be true, because as the broadband market picks up they will still be doing expansion of the network because of the expectation of even larger amounts of growth.

      Conclusion: this is probably good for the short term, *VERY* bad for the long term.

      PS the document was spell checked for those with delicate constitutions.
  • Why is it a big deal for some company (broadband provider) whose ToS contract up-front says only X number of machines can use this connection or else additional fees apply to expect their customers to comply with the terms of their contract?

    If you want 10 machines to share an internet connection, sign up with a company which doesn't care or charge for how many computers share the connection OR pay for the additional machines for ISPs who do.

    It's interesting to note that this would only ID the number of machines behind NAT boxes -- not those using proxy servers (a la squid). At least from what I read...

    • Yes, it is in fact a big deal. Not every community has multiple options for high speed internet access -- if you're unlucky enough to be stuck in an area with only one ISP that offers cable/DSL and they have the draconian requirement that you have only one machine on the network, you have a problem.

      The telephone companies did this a while ago about the number of phones you could have connected to your phone line. They monitored the voltage drop on the line when your phone rang. They eventually gave up trying to enforce it.
    • If you want 10 machines to share an internet connection, sign up with a company which doesn't care or charge for how many computers share the connection OR pay for the additional machines for ISPs who do.

      Not everyone has a choice among multiple broadband ISPs, or their choice may be limited to companies that all have a similar TOS. The additional fee for extra machines may be beyond what they can afford, and they may not be using any additional bandwidth, meaning the extra cost to the ISP is zero. Under these circumstances, violating the TOS seems like a reasonable thing to many people.

      Personally, I blame the FCC for allowing this to happen. But that's just me.
  • Like the RIAA... (Score:5, Interesting)

    by hndrcks ( 39873 ) on Wednesday February 05, 2003 @05:50PM (#5234725) Homepage
    the cable / DSL operators will soon find out that trying to wage this battle through technical means will result in an arms race they cannot possibly win...

    ...which will, of course, result in their attempts to find more onerous legal solutions to the problem.

    I say - let the games begin!

  • hrmph. (Score:2, Insightful)

    by zod1025 ( 189215 )
    Well, this sucks. Looks like I'll be flashing my Router soon...

    All those single-computer use clauses are evil anyway. A DSL line gives you X bandwidth, so X bandwidth is what you use, regardless of how many machines you multiplex it to. Arbitrary fees for extra machines behind the connection are just more ways to rape^H^H^H^Hmilk the customer.
    • Re:hrmph. (Score:3, Interesting)

      by Phroggy ( 441 )
      All those single-computer use clauses are evil anyway. A DSL line gives you X bandwidth, so X bandwidth is what you use, regardless of how many machines you multiplex it to. Arbitrary fees for extra machines behind the connection are just more ways to rape^H^H^H^Hmilk the customer.

      If you have two computers, they figure you're going to be using more bandwidth than if you only had one. For example, if you and your wife are both surfing the web at the same time, more bandwidth is being used than if you only had one computer (so only one of you could be surfing at a time). If this is generally true, then the ISP has a higher cost for users with two computers than for users with one (remember that the ISP has to pay for bandwidth from their backbone providers; they don't pay a flat monthly rate like you do).

      Of course, in many cases this is not true. I have several computers, and I use far less bandwidth than the guy with only a single PC who leaves Kazaa running 24/7.
  • by guido1 ( 108876 ) on Wednesday February 05, 2003 @05:50PM (#5234733)
    The method described decodes packets from the NAT, using the IP header's ID field (which is normally a simple counter) to determine number of nodes behind the NAT. (Find X distinct ID field chains, that is the number of PCs...)

    Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.

    Hurray for Linux... :)
    • Setting it to 0, as Linux does, is one possibility; as discussed below, in a NAT situation this can leak information, and hence is probably undesirable.

      On OpenBSD and FreeBSD, however:

      A keyed generator, as is used in OpenBSD and FreeBSD, provides some protection, but one needs to be careful to avoid duplication if the generator is rekeyed periodically.

    • You should have continued your quote...
      All of these [evasive measures] complicate (and to some extent block) the analysis.

      it never flat out says that the methods don't work or don't work with linux or *BSD.
      Complicate || Some extent block != Completely block

  • jerk (Score:2, Funny)

    by io333 ( 574963 )
    Please allow me to express the sentiment of most if not all home network users, as well as that of the companies that make routers for home use:

    Thanks a lot Steve you PRICK!
    • There's every possibility the ISPs and cable companies already know about this. Why do you think they would tell us? This is the same tired argument used to justify security through obscurity... it's specious.

      I say, thank you Steve for making me aware of this. Now I have the option to take action, as do the companies that make these home networking devices.

  • No way! (Score:4, Funny)

    by Arcaeris ( 311424 ) on Wednesday February 05, 2003 @05:51PM (#5234741)
    "Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause."

    Crap! Now I have to worry about my internet conn
  • Telephones (Score:2, Interesting)

    by Smallpond ( 221300 )
    At one time the telephone monopoly measured ringer current to locate "unauthorized" telephones that customers would (gasp!) install without consulting Bell. People installed phones anyway.

    Once everyone has many devices with IP addresses on their home LAN, there is no way the ISPs can keep up. Just ignore this.
  • by Snork Asaurus ( 595692 ) on Wednesday February 05, 2003 @05:51PM (#5234752) Journal
    Or maybe they think it's another Slapper.

    Maybe someone can fill us in.

  • FreeBSD (Score:5, Funny)

    by PunchMonkey ( 261983 ) on Wednesday February 05, 2003 @05:55PM (#5234802) Homepage
    Our technique is based on the observation...that the "id" field in the IP header is generally implemented as a simple counter

    Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.

    So my FreeBSD will look like thousands of PCs? LOL, that sure would piss the cable company off.
  • have the pseudo-random IPid field specifically to avoid this sort of information leakage, or is this a happy side effect from addressing some other problem?

    I find it especially interesting that this method works best on home users and small businesses. Interesting and frustrating.

  • `Cuz if it is, strictly speaking, there is only one computer connected to the ISP's network.
  • by Heghta' ( 246911 ) on Wednesday February 05, 2003 @05:58PM (#5234844) Homepage
    I can already imagine conversations like this:

    ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accessing the net through our service, while the contract only allows you one!
    Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
    ISP: arglllll

    I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.
    • >>what's the ISP gonna do? Cut off the line without real evidence?

      Have you read your ISP's AUP (Acceptable Usage Policy)? Is there anything in there about them needing evidence?

      I bet it's more to the effect of 'at our discretion', like the fudgy way they define how you use 'too much bandwidth' on your 'unlimited' connection.
    • Your ISP probably doesn't even know what VMware is. I'm with ATT^H^H^HComcast, and they don't know squat. I recently had a problem with email, and they asked, "Are you using Outlook Express?" When I said no, the reply was, "We only support Outlook Express." So, if they don't support VMware, you're probably not allowed to use it. I have a small (3-4 computer) network at my house, and I don't dare tell them I have a file server because, per the terms of my service agreement, I'm not allowed to run a server! I'm not hosting any web pages or anything, but technically if I want to share files among the computers in my house, I should do it peer-to-peer. OK, so I have 5 computers, and one of them is on all the time and it holds a lot of files but nobody ever sits at its keyboard and it runs OpenBSD but not X Windows and has no desktop apps, but it's not a server, I swear :-)
  • How this works (Score:5, Interesting)

    by szquirrel ( 140575 ) on Wednesday February 05, 2003 @05:58PM (#5234853) Homepage
    Counting boxes is done using the "id" field in the IP header. The id field is relatively unique to each datagram sent between two hosts and is used to reassemble datagram fragments. This scheme depends on the observation that most IP stacks keep this field unique by just incrementing a counter for each datagram. By examining the id field of each packet coming from a NAT box and finding trends in the values you can tell how many boxes are behind the NAT. Each trend you can identify is another box hiding behind the NAT.

    But as the article states:

    We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.

    So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).
    • Re:How this works (Score:4, Informative)

      by leviramsey ( 248057 ) on Wednesday February 05, 2003 @06:09PM (#5234991) Journal

      One of the grsecurity patches for the kernel already gives Linux the random IPid field.

  • Quick! (Score:3, Funny)

    by kliklik ( 322798 ) on Wednesday February 05, 2003 @05:59PM (#5234876) Homepage
    Let us quick slashdot the server before those "friendly" ISPs get the information and use it to count our machines.
  • Possible fix (Score:5, Interesting)

    by entrager ( 567758 ) on Wednesday February 05, 2003 @05:59PM (#5234879)
    After reading the document (something that is rarely done among posters), it appears to me that this wouldn't be TERRIBLY hard to fix. The different machines are recognized by the sequences of IPids that are generated for the packets that are sent out. This field must be unique for each packet with the same protocol, destination, and source. This prevents the NAT from simply mangling the number in the field, making it impossible to track the number of machines.

    Someone correct me if I'm wrong, but it seems to me that iptables could be updated to change the IPid of outgoing packets to a single sequence and just keep a table of old ids -> new ids. When necessary, it performs the translation. So basically it acts as a two way filter, packets behind the NAT will all have the correct id, packets beyond it will all appear as a single sequence. Would this work?
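    The rewriting scheme sketched in this post (and the fragment-collision point in tjrw's reply above), as an added simulation that is not part of the thread or of any real NAT implementation: a NAT that replaces every outbound IPid with a value from one counter it owns, keeping a table so all fragments of one datagram still share the same new id. Packets are plain dictionaries rather than real IP headers, the host addresses are constructed, and `count_id_chains` is a simplified stand-in for the paper's analysis used only to check that the rewrite removes the per-host chains.

```python
"""Simulated NAT that rewrites the IP identification (IPid) field.

Hosts whose stacks use a simple per-host counter leave distinct monotonic
IPid chains in traffic leaving a NAT box. Rewriting every outbound IPid
from a single NAT-owned counter removes that leak and also guarantees the
id is unique per (src, dst, proto) on the outside, which plain NAT does
not (two inside hosts can emit the same id to the same destination).
"""
from collections import OrderedDict
from itertools import count


def make_packet(src, dst, proto, ident, mf=False, frag_off=0):
    """Build a minimal stand-in for an IP header (constructed, not parsed)."""
    return {"src": src, "dst": dst, "proto": proto, "id": ident,
            "mf": mf, "frag_off": frag_off}


class IpidRewritingNat:
    def __init__(self, external_ip, table_size=4096):
        self.external_ip = external_ip
        self._counter = count(1)
        # (inside src, dst, proto, original id) -> rewritten id, so that
        # every fragment of one datagram leaves with the same new id.
        self._frag_map = OrderedDict()
        self._table_size = table_size

    def _next_id(self):
        return next(self._counter) & 0xFFFF  # IPid is a 16-bit field

    def outbound(self, pkt):
        """Return the packet as it appears on the external side."""
        out = dict(pkt)
        out["src"] = self.external_ip  # the ordinary NAT address rewrite
        fragmented = pkt["mf"] or pkt["frag_off"] > 0
        if not fragmented:
            # Whole datagrams are never matched against a later fragment,
            # so a fresh id needs no table entry.
            out["id"] = self._next_id()
            return out
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["id"])
        new_id = self._frag_map.get(key)
        if new_id is None:
            new_id = self._next_id()
            self._frag_map[key] = new_id
            if len(self._frag_map) > self._table_size:
                self._frag_map.popitem(last=False)  # evict the oldest entry
        out["id"] = new_id
        return out


def count_id_chains(packets, max_gap=16):
    """Greedy count of distinct increasing IPid sequences.

    Each counter-based host forms its own chain; this simplified check is
    only used to confirm the rewritten stream collapses to one chain.
    """
    chain_tails = []
    for pkt in packets:
        if pkt["frag_off"] != 0:
            continue  # trailing fragments repeat the first fragment's id
        ident = pkt["id"]
        for i, tail in enumerate(chain_tails):
            if tail < ident <= tail + max_gap:
                chain_tails[i] = ident
                break
        else:
            chain_tails.append(ident)
    return len(chain_tails)


def simulate(n_hosts, packets_per_host):
    """Interleave traffic from n inside hosts, each with its own IPid counter.

    Returns (chains visible without rewriting, chains after the NAT rewrite).
    """
    counters = {f"10.0.0.{h}": count(1000 * h) for h in range(1, n_hosts + 1)}
    raw = []
    for _ in range(packets_per_host):
        for host, ctr in counters.items():
            raw.append(make_packet(host, "203.0.113.10", 6, next(ctr) & 0xFFFF))
    nat = IpidRewritingNat("198.51.100.1")
    rewritten = [nat.outbound(p) for p in raw]
    return count_id_chains(raw), count_id_chains(rewritten)


if __name__ == "__main__":
    before, after = simulate(3, 10)
    print(f"chains without rewrite: {before}, with rewrite: {after}")
```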
  • In case this gets /.-ed (like it won't =| )... Have at it!!
  • by DoofusOfDeath ( 636671 ) on Wednesday February 05, 2003 @06:00PM (#5234895)
    There must be some way to make it so that an ISP doing this kind of analysis becomes a DMCA violation of the customer. Any ideas?
  • by a7244270 ( 592043 ) on Wednesday February 05, 2003 @06:01PM (#5234907) Homepage Journal
    It probably annoys the telcos to no end that a connection can be shared - they are more used to the "telephone" model, where there is one line going into the house and if 2 people want to have separate conversations then they need two lines.

    Contrast that with a high speed connection that can be shared with a bazillion users.

    I'm guessing they are not as concerned with people who are running more than one machine at home - the precedent has been set already with telephone extensions, cable TV and satellite TV.

    I know of at least one person that is sharing his connection with 5 houses on his block via 802.11, which is a fair chunk of high speed connections that could be sold, and more than likely these are the people they are trying to find.

    My prediction - they will either give up once netgear, linksys et al. release ROM patches to prevent this, or they will try to start charging on a "by data" basis.

    This is of course doomed to failure, because the only purpose for a high speed connection is for sharing [censored by the RIAA and MPAA] across the net, and any attempts to change their pricing to this model will be met by massive consumer outcry.
    • by RollingThunder ( 88952 ) on Wednesday February 05, 2003 @06:29PM (#5235191)

      The always-on, low-latency nature isn't a selling point to you?

      Rapid website access isn't a selling point?

      I had the dubious pleasure of being re-acquainted with 56k access on a trip to my parents house, out in the sticks where they're just too far to get any broadband. I rapidly realized that I'm accustomed to -always- being online when my computer is on, and that websurfing is excruciatingly slow in comparison to broadband. No thanks!
    • any attempts to change their pricing to this model will be met by massive consumer outcry.

      But if ALL the high speed isp's start charging "by the bit", then why would they care if their p2p customers start bitching. They are under no legal obligation to provide unlimited bandwidth. And if the p2p people don't like it, they can switch back to dialup is what they'll say. I think that "by the bit" is inevitable. They don't do it now because they are all trying to stay afloat and expand their customer bases. But once they have a nice critical mass built up, then they'll start metering. Makes too much sense. It's "fair" in that those who use the most, pay the most. They wouldn't care how many machines are hiding behind your NAT, because in the end, they'll still get their money (depending on pricing scales of course).
    • by djeaux ( 620938 ) on Wednesday February 05, 2003 @06:50PM (#5235378) Homepage Journal
      For about the last 20 years or so, unless one takes out a service contract, the telco is responsible only for the line to the outside of the building. I am responsible for the interior wiring & any extension phones that split off internally from the gray box outside.

      Why would the telco suddenly be able to impose a different standard on data communications? Just because an AT&T engineer has proposed some (time consuming) method to do something doesn't mean it will be done. A similar attitude about POTS is what got mighty Ma Bell busted lo these many years ago...

      Taking this one stumble farther, I note that there is only one "computer" attached physically to the Bellsouth DSL line: a little cheap Linksys router, which having a processor & some flash ROM, qualifies as a "computer." Other computers do not connect directly to the DSL line, they connect to that router.

      Any telco/ISP that "cracks down" on home networking this way is just plain stupid & needs to go back to the mandatory customer service training workshops! In fact, that's where our dear AT&T engineer needs to be this very afternoon. It's the corporate equivalent of Chinese water torture!

    • by ewhac ( 5844 ) on Wednesday February 05, 2003 @08:54PM (#5236524) Homepage Journal

      It probably annoys the telcos to no end that a connection can be shared - they are more used to the "telephone" model, where there is one line going into the house and if 2 people want to have separate converations then they need two lines.

      Well, the cable company is after me, and I can't understand why.

      I picked up a used VAX-11/780 a while back (had the word 'dagobah' scrawled inside the door, never figured out what that was about), and have a couple dozen friends and neighbors hooking up to it via a combination of Wyse-50 serial terminals and NDS dedicated X terminals. The terminals are "dumb" and can't do any local processing. All the compute resources are on the VAX, there are no NAT services running, and only one IP address is being consumed. So the connection isn't being shared.

      Still, the cableco is giving me static about connection sharing, saying it's tantamount to running NAT. I countered by saying that running NAT is tantamount to running a large multi-user machine. But their lawyers are better dressed than mine, and are threatening criminal cable fraud charges. I have no idea how it will turn out. If they decide to go to the mat, it'll be interesting to watch the local constabulary confiscate the VAX for forensic examination.


      P.S: Anyone know how to compile Quake2 for this thing? It keeps crapping out on the CPU_ARCH #define with the message, "Carmack hits you with a cluestick --more--".

      P.P.S: :-)

  • is lying in the ...

    openbsd-pseudo-random number generating packet filterrrrrrrrr
  • As long as you're sure that packets from your NATed PCs aren't fragmented, the fix is quite easy. You just need to rewrite the IPid of your outgoing packets with an internal counter; as you already need to rewrite IP and port of all outgoing packets, this isn't a problem. The no-fragmentation requirement shouldn't be a problem either. You could also fix that problem by rewriting only the IPids of unfragmented packets, which should be at least 95% of all outgoing packets in common NAT. This should be enough to confuse that analysis technique.
  • by random_nick ( 621821 ) on Wednesday February 05, 2003 @06:21PM (#5235100) Homepage
    Not even an AT&T host can stand slashdotting?

  • by Qrlx ( 258924 ) on Wednesday February 05, 2003 @06:30PM (#5235198) Homepage Journal
    According to their FAQ, AT&T lets you connect "four additional computers" to your cable modem.

    I'm thinking that even for Slashdot readers, five computers in the house with broadband internet will be sufficient.

    Read it here: Connect Multiple Computers to the AT&T Broadband Internet Service
  • by tkrotchko ( 124118 ) on Wednesday February 05, 2003 @06:40PM (#5235275) Homepage
    The cable company can't tell when my cable modem is visible on the network.

    And now suddenly they're counting machines behind it?

    This is sounding like fantasy and science fiction to me.
  • IPPersonality.... (Score:4, Informative)

    by jsimon12 ( 207119 ) on Wednesday February 05, 2003 @08:37PM (#5236412) Homepage
    Hmmmm, this little module lets one configure how you want the IP header ID generated, among a bunch of other options to hide identity. Why not just work this into iptables, PF, IPF and no worries about NAT ID'ing.
  • by evilviper ( 135110 ) on Wednesday February 05, 2003 @08:42PM (#5236439) Journal
    Well, this comment is going to be so far down that most people won't see it, but I'll try it anyways.

    The method described is only one method to count hosts behind a NAT box. Just think how much fun your ISP could have if they utilized a passive nmap-like system. Just by analyzing the traffic, they can tell what OS created the packets, among other things.

    That said, there are ways around this already in the wild. OpenBSD's PacketFilter (PF) has a "modulate state" keyword that would solve your problem nicely. That tells PF to essentially rewrite the packets, primarily to give them the benefit of OpenBSD's random sequence numbers, but it will also stop any other analysis of the packets.

    Of course, that still leaves the possibility of them checking your surfing habits. However, that would be not only incredibly intrusive, but quite difficult for them to do on a large scale. Besides, if it ever happens, and they say they saw your firewall making connections to 12 different websites at the same time, just tell them it was all from your one machine, and there's nothing they can do to refute it.

    Of course, I'm not concerned about this in the least. I'm using Earthlink broadband, who happen to care about customer privacy more than any other. I certainly didn't hear of any other ISPs giving the US government the finger when they wanted to install Carnivore.
  • by fishbowl ( 7759 ) on Wednesday February 05, 2003 @08:44PM (#5236463)
    If someone is routinely monitoring your IP packets like that, how is it different from routinely monitoring your phone calls? Why doesn't this have to be done by a law enforcement agency, with a warrant in hand? Why isn't this covered under the same legal umbrella that affirms our right to have extension telephones? (You might not remember Bell charging monthly for each phone, available only under lease, but I do.)

    We should be allowed to have NAT for the same reason we are allowed to have phones, and if the provider has a problem with that, they need to take a hike. Sniffing for this is unquestionably in bad taste, and it is also a violation of my civil rights.
    • I think an ISP is allowed to watch the packets on their network for any number of reasons. That's why things like ssh, ssl, pgp, etc. exist, to keep an ISP from seeing exactly what you're doing.
  • Better Idea (Score:4, Insightful)

    by StBello ( 647990 ) on Wednesday February 05, 2003 @09:57PM (#5236990)
    It would be better (compared to randomizing) if the sequence of IPids for a single machine were chosen to masquerade as N independent counting values. This would fool them into thinking that you have N machines connected, when in fact you only have one! They'd only have to be fooled by this technique a couple of times before they gave up the technique entirely.
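    The thread above describes two NAT-side responses to the IPID-counting technique: rewriting every outgoing packet's IPID from one internal counter (the comment about unfragmented packets), and the "Better Idea" of making one machine look like N. The following is an added, self-contained toy model written for this page, not code from the paper, from any commenter, or from PF/iptables; the hosts, the traffic stream and the greedy chain-splitting estimator are all constructed here, and it assumes unfragmented packets so that the IPID carries no reassembly meaning.

```python
"""Toy model of IPID-based host counting behind a NAT and two NAT-side
counter-measures from the discussion. All hosts and traffic are constructed."""
import random

IPID_MOD = 1 << 16  # the IP identification field is 16 bits


class Host:
    """A host whose IP stack uses one global, incrementing IPID counter
    (the behaviour the counting technique relies on)."""
    def __init__(self, start):
        self.ipid = start % IPID_MOD

    def send(self):
        self.ipid = (self.ipid + 1) % IPID_MOD
        return self.ipid


def nat_passthrough(ipid, state):
    """Ordinary NAT: rewrites addresses and ports but leaves the IPID alone."""
    return ipid


def nat_rewrite(ipid, state):
    """Fix from the thread: replace the IPID with the NAT's own counter, so
    every outgoing packet continues a single sequence regardless of sender.
    Assumes unfragmented packets; a real NAT would leave fragments untouched."""
    state["ctr"] = (state.get("ctr", 0) + 1) % IPID_MOD
    return state["ctr"]


def make_nat_masquerade(n, seed=0):
    """'Better Idea' from the thread: one machine poses as n machines by
    stamping each packet from one of n independent, well-separated counters."""
    rng = random.Random(seed)
    counters = [(i * (IPID_MOD // n)) % IPID_MOD for i in range(n)]

    def nat(ipid, state):
        k = rng.randrange(n)
        counters[k] = (counters[k] + 1) % IPID_MOD
        return counters[k]
    return nat


def observe(hosts, nat, packets, seed=1):
    """The outside observer's view: IPIDs of `packets` packets, each emitted
    by a randomly chosen host and then passed through `nat`."""
    rng = random.Random(seed)
    state = {}
    return [nat(rng.choice(hosts).send(), state) for _ in range(packets)]


def estimate_hosts(ipids, max_gap=64):
    """Greedy chain-splitting estimate: each IPID extends the chain it most
    plausibly continues (a small positive increment mod 2^16); otherwise it
    starts a new chain. The number of chains estimates the number of hosts."""
    chains = []  # last IPID seen on each chain
    for ipid in ipids:
        best_idx, best_gap = None, None
        for idx, last in enumerate(chains):
            gap = (ipid - last) % IPID_MOD
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best_idx, best_gap = idx, gap
        if best_idx is None:
            chains.append(ipid)
        else:
            chains[best_idx] = ipid
    return len(chains)


if __name__ == "__main__":
    lan = [Host(1000), Host(30000), Host(50000)]  # three constructed hosts
    print("passthrough NAT:", estimate_hosts(observe(lan, nat_passthrough, 300)))
    print("rewriting NAT:  ", estimate_hosts(observe(lan, nat_rewrite, 300)))
    print("masquerade x4:  ", estimate_hosts(observe([Host(7)], make_nat_masquerade(4), 300)))
```

    With a passthrough NAT the estimator separates the three hosts because their counters sit far apart and each advances by one; with the rewriting NAT every packet continues one counter and the estimate collapses to one; with the masquerade a single host yields four chains. The `max_gap` threshold is the estimator's weak point: hosts whose counters happen to run close together are merged, and a NAT that rewrites only unfragmented packets leaks at most the fragment traffic.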
  • Why use NAT? (Score:3, Interesting)

    by Ed Avis ( 5917 ) on Thursday February 06, 2003 @06:04AM (#5239138) Homepage
    If all you want is web access, why bother with NAT at all? It is an ugly hack, really. You can just set up a proxy server (squid or wwwoffle) and configure browsers to use that. You'll probably get better performance, too, since the proxy server can do caching. Or you could use NAT for ssh connections and an explicit proxy server for http/https/ftp.

    OK, I know there are some NATting products which do caching internally, but it's not as clean as just configuring the web browsers to talk directly to a proxy, and it's more likely to break stuff. (At least, some 'transparent' web caches are horribly broken.)
