Remotely Counting Machines Behind A NAT Box
Overtone writes "Steve Bellovin of AT&T Labs Research has published a paper showing how to remotely count the number of machines hiding behind a NAT box (in IMW 2002, the Second Internet Measurement Workshop). Your friendly DSL or cable broadband provider could implement this technique to enforce their single-machine license clause. Bellovin explains how to change the NAT software to defeat the measurement scheme, but the fix is complicated and unlikely to appear in commercial home gateways anytime soon."
damn. (Score:2)
Not where I'm from (Score:5, Interesting)
There are still providers that limit you to only one computer per connection? Wow. I guess the high competition in my area (GTA) has allowed the customers a little bit more freedom. In fact, my provider will give minor tech support for most routers and hubs.
Re:Not where I'm from (Score:2, Funny)
Re:Not where I'm from (Score:2)
Re:Not where I'm from (Score:2, Informative)
Re:Not where I'm from (Score:2, Informative)
Re:Not where I'm from (Score:5, Funny)
Re:Not where I'm from (Score:3, Interesting)
1. Cable gets cut - no more basic + digital package + cable modem: Cable Co will lose $115/mo
2. Mini-dish goes up and DSL comes in.
Who's your daddy? (Score:3, Interesting)
But then I went to DirecTV, and it felt good to not be the hostage of the cable company... until I realized I was still a hostage.
I do have DSL, but we finally booted DirecTV. It was just too much money every month. I tried calling customer service to see if I could step down to a more economical package (maybe with the 10-15 channels I actually watch) but they told me I was already at the lowest level (which has seemingly hundreds of channels). The infuriating part: when I called to cancel they said I could switch to a cheaper package with less channels.
But anyway, this is about IP addresses and NAT; couldn't we have a kernel/netfilter module that will resequence all outgoing packets consecutively and reverse on the return?
What do these clauses typically look like? (Score:5, Informative)
here's one. [sssnet.com]
Seems a little arbitrary, but they're small fry. let's go bigger:
here's another. [yahoo.com]
I think this bit applies to the question at hand (emphasis is mine):
How does this imply that you can't share a DSL connection? OTOH, it explicitly says that sharing a connection is OK.
however, if we look to AT&T DSL [att.net] TOS, they are somewhat more restrictive:
A little tougher, but it doesn't actually rule out connection-sharing entirely- just requires that AT&T grant you permission, right? So they must have a process for granting the approval, and a list of approved equipment.
Since I'm bored today, I called them up. I pointed the nice lady at their TOS, section 8(a), and asked if she could provide me with a list of AT&T approved equipment, and/or the approval process for home networking. She put me on hold for a bit. When she came back, she told me that AT&T DSL is not the same as AT&T WORLDnet DSL, and I had the wrong phone number- but WORLDnet doesn't allow any kind of connection sharing- and she'd happily transfer me to the REAL AT&T. The second phone monkey had no idea what I was talking about- ditto the 3rd. Neither of them could understand why I would want to ask questions about their TOS if they couldn't even deliver service to my residence. The fourth phone monkey told me that they don't support any kind of multiple connection, and that the "grant you permission" line is in the contract for things like automated security systems that call the police department when someone breaks into your house.
So. Score: SBC +1 (but -1 for their stupid 'frames' patent), AT&T 0. Interesting article, but since I'm on SBC, I won't be changing my NAT settings...
Re:What do these clauses typically look like? (Score:3, Informative)
Remember, outside of the support issues, supporting this technology makes their life EASIER. They limit your up and down rates, and your number of connections to the news server (4 simultaneous) so why limit the number of machines? The whole point of these devices is that one machine looks like multiple machines, so they have no reason to care.
If you want multiple IPs, then you have to pay more.
Re:What do these clauses typically look like? (Score:3)
Anyway, IANAL (yet), so don't rely on this information as legal advice (see, cover my own ass). But this is actually a pretty basic contract, and though you don't have any leverage at all to negotiate it, a court may - depending on the state - let you wiggle out of a number of the provisions. Then again, they may not.
Oh, and it doesn't say a word about operating a firewall, router, or multiple computers, unless they were able to construe the "excessive use" provision as prohibiting multiple computers.
Re:Not where I'm from (Score:5, Insightful)
We don't conceal this fact, and customers who are not happy with this clause are, almost uniformly, the customers who would cost us money instead of being a source of income.
We are a small mom-and-pop ISP, and we get charged by the telco per kilobyte of traffic. If we charged everyone more to compensate for the bandwidth hogs, it would certainly be unfair to the low or moderate users, so we instead assign static IP's and charge per IP/computer. In other words, every computer attached to the Internet via our services must have a unique IP. We do make exceptions, but we still charge for one-IP but five-PC's connected/downloading from the Internet at the same rate as one-IP/one-PC.
The telcos keep our costs so high that we can't afford to do otherwise.
The customer's cost for five IPs versus one IP is a difference of $12.50, which is quite reasonable.
We let you run servers on your static IP connection, and will host your DNS for free. We aren't money grubbers, in other words. But we are a business which intends to stay solvent.
We do kick people off periodically, usually because they lied when they signed up, indicating that they would have one machine connected and actually had three or four, using IP masquerading. It isn't THAT hard to determine who the dishonest are, using the simple question: you are using twice (or three times) the bandwidth that an average customer would use connected with one PC 24/7. Do you have more than one system connected? If they say yes, we give them opportunity to pay at the increased rate. If they decline, we kick them off. If they answer no, we start investigating where our system might be reporting erroneous data. We don't assume that they are being deceitful. More people than not are telling the truth.
This is also largely why we disallow P2P file sharing applications. After an audit, we discovered that fewer than 5% of our customers were consuming the majority of our bandwidth. It was either raise prices for everyone, or disallow P2P file-sharing. We _do_ allow P2P file-sharing for customers who are sharing their own files; their own songs, etc., as those customers actually consume very little, if any, extra bandwidth.
Whoops. I appear to have gone off-topic. I think it was relevant, as it helps explain the realities why an ISP would need to enforce a single-machine license clause.
Re:Not where I'm from (Score:5, Insightful)
AMEN (Score:3, Insightful)
I understand the need to make money-- you are a business after all. But don't charge based on how people use the bits after they get there (whether they all go to the same PC or get split up by a router)-- charge them based on how many bits they use. If they want extra IPs for $12, that's cool too. But don't enforce it on everyone. That's a massive waste of IP space.
Re:Not where I'm from (Score:3, Interesting)
Recently they just lifted the Download metering for weekend and night time. Pretty cool I think.
Re:Not where I'm from (Score:5, Insightful)
I also operate an ISP, and we have a flat-rate T1. We don't care how many computers a customer has connected--we only care how much data is transferred, and we bill accordingly.
I would not use an ISP that placed restrictions on how many computers I could connect, mom-and-pop ISP or not. Life's too short. I live in a house with four computers, and they all get used a good portion of the evening. Why should I have to put up four antennas just so I can hook up four computers?
Wouldn't use such a dinky ISP then (Score:4, Insightful)
And I don't like your phrase 'bandwidth hogs' anyway. Either commit to a level of BW or an amount of data to transfer, or don't bitch about a subset of users using more than 'their share'. To me, it sounds like a fitness club owner complaining about some of the members who actually come in and use the equipment! The nerve! And they stay for hours too!
If you are charged per KB, then charge your users per KB. McDonalds doesn't charge customers on their cholesterol level, they charge customers on the food that they order. I just don't see how multiple computers are the root cause of your problems.
Re:Not where I'm from (Score:5, Insightful)
One machine could suck as much bandwidth as 10 machines doing next to nothing.
Also, the idea behind NAT is that it only uses one IP address.
Here at home, I have an army of computers (most junk). My cable modem hooks to a NAT/firewall (Linux). Behind that is my desktop. I also have a wireless access point so when I'm sitting outside in the hammock I can get on from there, or the wired bedroom or living room, or my wireless iPaq.
And regardless of how many machines I have, I am still capped at 512k for all of them. While it is true I could use all of them to saturate that 512k, I could easily do it with just one machine as well.
Sounds like you need to get some equipment that can do rate limiting and just sell bandwidth instead of hassling customers.
Re: I'll use however much bandwidth I want. (Score:3, Insightful)
Your argument is that having multiple machines correlates strongly with high bandwidth usage. I am not going to debate this.
My problem starts when you try to say users shouldn't be using that much bandwidth. When you say that P2P burns bandwidth like popcorn, and you can't support those users.
Here's the thing: I pay for *unlimited* bandwidth. I should be able to saturate my 768/128 pipe 24/7 and no one should be able to complain. That's what my ISP advertised.
Now, if the ISP can't afford to provide unlimited (and they advertised that they would), then they should fix the advertising. Don't cap my bandwidth usage, I pay for unlimited.
I understand that you guys can't afford to allow unlimited access: stop advertising it, then.
Protection for Linux (Score:2, Interesting)
So how would a geek like me hide my machines with a Linux firewall, using ipchains? Or am I protected? Would my vmware instances show as multiple machines?
Re:Protection for Linux (Score:5, Informative)
While you MIGHT be able to use the "mangling" abilities of iptables to rewrite headers on the way out -- I suspect the key is monitoring fragment IDs on the way IN. This would be by an upstream connection, before the packets got to your machine. Thus, there isn't a damn thing you can do about it.
Match an outgoing request (via IP destination) to incoming fragments (via IP source and IPid). Not only could the monitor build a map of the destinations, they could reasonably determine via statistical analysis of the access times and frequencies, how many machines are behind the NAT making the requests.
That's probably the long, hard way. I need to finish reading the article, first.
Re: proxy, proxy, proxy (Score:3, Interesting)
I've got DSL and cable. My DSL is a general purpose connection (and more widely used). It's natted, with some filtering preventing certain egress traffic.
My cable has a single box hooked up to it, but all of the machines use it. However, this method will not help the cable company to see how many machines I have behind it because it does not NAT. It's got a SOCKS5 proxy and a squid proxy running on it. Everything that uses that connection rides over one of those proxies.
The other benefit is that when the cable goes down, it just picks up and moves to the other connection. Sure, current connections break, but that doesn't so much matter for web browsing (which is mostly all the thing does).
Re:Protection for Linux (Score:4, Informative)
No, the paper argued that when the IPid field is zeroed, like Linux does, NAT information can still be leaked. Consider what it says on p. 5:
In such situations, the NAT box can rewrite the IPid field freely, since there will never be any reassembly. Setting it to 0, as Linux does, is one possibility; as discussed below, in a NAT situation this can leak information, and hence is probably undesirable.
And then:
Some hosts never use Path MTU Discovery; some use it only for TCP. A NAT that treated DF packets differently than non-DF packets for the same protocol would thus leak the fact that at least two different policies exist behind it. Therefore, to preserve privacy the NAT should do the same thing: send a unique IPid field on all packets.
So they're claiming that it is possible to detect whether a Linux host is using NAT, because packets with the Don't Fragment bit set are treated differently (IPid=0) than the ones with cleared DF bit (IPid=random).
Not a bad thing (Score:5, Informative)
Still be screwed by proxies, though...
what if they are chained? (Score:5, Interesting)
Most users just want web access, and this technique doesn't work on proxies.
Re:what if they are chained? (Score:5, Funny)
You mean there are some that aren't?
Re:what if they are chained? (Score:2, Interesting)
Thanks in advance,
PaGeN
Re:what if they are chained? (Score:5, Informative)
In reading the paper, it is apparent that this is not a particularly cheap thing to attempt. I can't see how it could be easily automated and deployed on a large scale, even assuming someone could be sufficiently bothered to do so.
If you want protection from this, you're going to need to do some serious work on iptables to add tracking of fragments to the connection tracking code and to rewrite the field on outbound packets to some pseudo-random value. Interestingly this is the "correct" thing to do anyway - otherwise it is theoretically possible to generate two packets with the same id, both fragmented from different internal hosts to the same destination, and screw up the fragmentation reassembly at the receiver.
Tim
Re:what if they are chained? (Score:5, Informative)
Another user already posted that there's already a patch (or kernel option) for linux to do random ipid's just like BSD does.
This is more an admin utility than a policing tool. Just kick back, get yourself a beer and watch the knee-jerk reactions and paranoid theories from all the nerds who think the man is out the get 'em.
Re:what if they are chained? (Score:3, Informative)
Top 5 ways to count # of machines behind a NAT box (Score:4, Funny)
5 -- Via the traditional finger point, coupled with the ever-popular audible counter increment
4 -- Thermal image detection scan
3 -- Utilize the same finger pointing mentioned in 5, but avoid the audible count as an enhanced privacy measure
2 -- Avoid counting and caring about counting altogether; continue browsing Slashdot
1 -- Call the dude with the NAT box and ask him!
Free tech news & blogging for life -- *nix.org [starnix.org]
What about NAT behind NAT? (Score:5, Funny)
Re:What about NAT behind NAT? (Score:5, Funny)
"No, no, not 'Anti-NAT," that's my Aunt Natalie!"
Maybe not home gateways... (Score:3, Interesting)
This is similar to the paketto suite. That allowed pinging behind a NAT wall.
Re:Maybe not home gateways... (Score:4, Insightful)
> turns out to be the behaviour required for
> correct functioning of NAT boxes - is
> described in Section IV.
As I understand it, if the NAT box does NOT rewrite the IPid, then there is a risk of IPid collision if two sources behind the NAT are sending to the same destination, and the packets fragment.
This means it is possible to demonstrate a bug in most home gateways - perhaps that way they may get a fix long before most major ISPs can implement this.
Meanwhile, they hint at another way to confuse the scanner. Since your ISP does not see intranet packets, have each machine generate lots of itty bitty packets (pings?) and just send them to the gateway. Have a background task do this - all those IPid increments will break up the patterns in IPid on the outside of the gateway. Since most home LANs have higher inside bandwidth than outside bandwidth, this shouldn't affect available bandwidth too much.
Silver Lining? (Score:5, Insightful)
Yeah, that pretty much sucks. There may be a silver lining, though. The more crap these ISP's pull to push their savvier customers away, the more demand there'll be for an uber geek-friendly ISP to come along. Maybe I'm too optimistic, but tell me it wouldn't be cool for a business to start up in order to cater to those of us that really like to play with networking. "Sure, go ahead and set up a wireless lan in your complex. We'll even let you pay to increase your bandwidth to accommodate all those users! Tell them that for $5 a month, they can each get a mail account or some other fairly interesting service."
It's already here (Score:5, Informative)
It's already here: SpeakEasy [speakeasy.net].
Their TOS [speakeasy.net] explicitly states:
"Speakeasy believes in the right of the individual to publish information they feel is important to the world via the Internet. Unlike many ISP's, Speakeasy allows customers to run servers (web, mail, etc.) over their Internet connections, use hubs, and share networks in multiple locations."
Re:It's already here (Score:4, Informative)
Re:It's already here (Score:4, Informative)
Re:Silver Lining? (Score:2)
Too bad it's not available where I live, except for the uber-expensive IDSL and therefore ultimately useless variety.
Re:Silver Lining? (Score:4, Interesting)
I think in general (not aimed at you, Anonvmous) people tend to not realize that everybody has to share when it comes down to it. Sure, most ISPs cover that fact with a healthy dose of greed, but in the end, a 50 dollar price point is what you get after you trim the 1% of us, the power users. They don't like us and there's a good reason- we cost them money when we use more than the normal user! And I don't blame an ISP for enforcing; it's not a matter of being fair as they are just doing this to make money.. a geek friendly ISP would last all of 10 minutes with similarly priced services as what is regularly available. Oh well. I got my plan all worked out. Another 40 a month and I can have business dsl- full servers, whatever I want, nat, all perfectly cool with the ISP. ah, but I lose because I gave up the 40 extra a month? not when they make a policy change to the residentials and I'm the only one left with a working web and mail server
Re:Silver Lining? (Score:3, Insightful)
I'm not sure about that, we also use less of their expensive tech support. And even if excessive bandwidth use is a problem, it's far more reasonable (and effective) to simply limit bandwidth than to dictate that home networks aren't allowed.
Power Users aren't bandwidth hogs. (Score:3, Interesting)
My main worry right now is that Congress will kill my ISP by fiat, and I'll be forced to buy service from a baby bell again.
Today and tommorow (was Re:Silver Lining?) (Score:5, Informative)
CATV (cable) used to be the same way: you had to pay extra for each TV. And then they stopped doing that and you paid for *service* of the signal.
Now here is where it gets tricky, unlike POTS and analog CATV the line is hot or it's not (so to speak), broadband you actually have discrete data you are passing around. This should be the *service*. However it could end up being a pay as you go service (bad for the users, good for the money grubbers) or a limited throughput 'unlimited' service (which is mostly how it is now). Currently I don't see a metered usage model flying right now and this is why:
Everyone that adopted broadband early wanted it (and could get it) got it. Dialup services are cheap and unlimited. If you start charging for broadband based on usage you aren't very attractive to those people you want to take away from dialup who are complacent and will cope with what they have. A metered service is (in consumers' minds) *NOT* a better value than an unmetered service.
As we know there is a mega glut of fiber, broadband should be getting cheaper rather than more expensive.. but that's another article. It's going to be hard to justify metering people when there is so much capacity unused. (hopefully supply and demand will work out here).
Now this is what is going to happen, when a critical mass of people stop using dialup, and then modems stop coming standard in computers, and then the broadband guys think they have a captive audience they will get everyone in the cartel on board and raise rates and meter usage. What's worse is that they will claim there is a lack of long haul bandwidth, which probably won't be true, because as the broadband market picks up they will still be doing expansion of the network because of the expectation of even larger amounts of growth.
Conclusion, this is probably good for the short term, *VERY* bad for the long term.
PS the document was spell checked for those with delicate constitutions.
Is this really a big deal? (Score:2, Interesting)
If you want 10 machines to share an internet connection, sign up with a company which doesn't care or charge for how many computers share the connection OR pay for the additional machines for ISPs who do.
It's interesting to note that this would only ID the number of machines behind NAT boxes -- not those using proxy servers (a la squid). At least from what I read...
-jhon
Re:Is this really a big deal? (Score:3, Interesting)
The telephone companies did this a while ago about the number of phones you could have connected to your phone line. They monitored the voltage drop on the line when your phone rang. They eventually gave up trying to enforce it.
Re:Is this really a big deal? (Score:5, Informative)
With franchise agreements to the cable companies, not necessarily true.
I don't see anything but a poor rationalization in your argument suggesting that it's not *YOUR* fault that you NEED to break your contract
What about the chance that the contract may be illegal? There's the nice little FCC regulation that the cable company/phone company can't say squat about what happens inside your house provided you don't get services you don't pay for (You're paying for one IP, not one computer in reality) and you don't degrade the service of others.
Re:Is this really a big deal? (Score:5, Informative)
I'm not sure what world you're living in. It IS MOST ASSUREDLY my local ISP's fault that there are not multiple provider's in my area.
Verizon ran every dirty trick in the book to stop me from getting access through DSLi (out of Florida, who had an EXCELLENT TOS) instead of buying Verizon's restricted, overpriced DSL in North Carolina. I fought with them for over 14 months. I called the friggin' Utilities Commission on them. Unfortunately, by the time that bore fruit, every intelligently run provider had read the writing on the wall -- there's no way to make a profit when every single customer has to fight through the SUC for over a year, for God's sake.
The reason I am stuck with crappy TOS is because of Verizon, straight and simple. Verizon covers something like 20% of the country. Most of the Baby Bells aren't any better.
I'm not saying everyone who has a NAT fought with a Baby Bell for a year. But most of them have been cheated out of a decent, affordable TOS by one.
Since virtually none exist because of illegal behavior, you shouldn't be so surprised or indignant that many folks choose to get around them.
Re:Is this really a big deal? (Score:3, Insightful)
Actually, even by your example, his argument stands.
When you get your license you are entering a contract with the state, saying "I am aware that if I exceed the posted speed limit I could get fined or even have my license taken away." When you speed, you're aware of the penalties and do it anyways. When you use multiple computers and your ToS says you can only use one, if you get caught, tough shit.
Paying for the service and then misusing it is only telling them that it *is* in their best interests to leave things as they are, and that they can continue to stick it to you all they want. On the other hand, if they start losing business, perhaps they'll cut their restrictions to draw customers. It works for SpeakEasy -- they have a ton of loyal customers because of their very easy-going ToS.
Yes, monopolies are bad, but breaking the contract you agreed to doesn't make them alright, it just makes you both bad.
Re:Is this really a big deal? (Score:2)
Not everyone has a choice among multiple broadband ISPs, or their choice may be limited to companies that all have a similar TOS. The additional fee for extra machines may be beyond what they can afford, and they may not be using any additional bandwidth, meaning the extra cost to the ISP is zero. Under these circumstances, violating the TOS seems like a reasonable thing to many people.
Personally, I blame the FCC for allowing this to happen. But that's just me.
Like the RIAA... (Score:5, Interesting)
I say - let the games begin!
hrmph. (Score:2, Insightful)
All those single-computer use clauses are evil anyway. A DSL line gives you X bandwidth, so X bandwidth is what you use, regardless of how many machines you multiplex it to. Arbitrary fees for extra machines behind the connection are just more ways to rape^H^H^H^Hmilk the customer.
Re:hrmph. (Score:3, Interesting)
If you have two computers, they figure you're going to be using more bandwidth than if you only had one. For example, if you and your wife are both surfing the web at the same time, more bandwidth is being used than if you only had one computer (so only one of you could be surfing at a time). If this is generally true, then the ISP has a higher cost for users with two computers than for users with one (remember that the ISP has to pay for bandwidth from their backbone providers; they don't pay a flat monthly rate like you do).
Of course, in many cases this is not true. I have several computers, and I use far less bandwidth than the guy with only a single PC who leaves Kazaa running 24/7.
Score another one for Linux (Score:5, Interesting)
However:
Some hosts take evasive measures. Since the IPid field is used only for fragment reassembly (see below), some Linux kernels use a constant 0 when emitting Path MTU discovery [5] packets, since they cannot be fragmented. Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.
Hurray for Linux...
You should have read further: (Score:3, Interesting)
On OpenBSD and FreeBSD, however:
A keyed generator, as is used in OpenBSD and FreeBSD, provides some protection, but one needs to be careful to avoid duplication if the generator is rekeyed periodically.
Re:Score another one for Linux (Score:2)
All of these [evasive measures] complicate (and to some extent block) the analysis.
it never flat out says that the methods don't work or don't work with linux or *BSD.
Complicate || Some extent block != Completely block
jerk (Score:2, Funny)
Thanks a lot Steve you PRICK!
What are you talking about? (Score:3, Interesting)
There's every possibility the ISPs and cable companies already know about this. Why do you think they would tell us? This is the same tired argument used to justify security through obscurity...it's specious.
I say, thank you Steve for making me aware of this. Now I have the option to take action, as do the companies that make these home networking devices.
No way! (Score:4, Funny)
Crap! Now I have to worry about my internet conn
Telephones (Score:2, Interesting)
"unauthorized" telephones that customers would (gasp!) install without
consulting Bell. People installed phones anyway.
Once everyone has many devices with IP addresses on their home LAN,
there is no way the ISP's can keep up. Just ignore this.
research.att.com Slashdotted? Give me a break. (Score:5, Funny)
Maybe someone can fill us in.
FreeBSD (Score:5, Funny)
Recent versions of OpenBSD and some versions of FreeBSD use a pseudo-random number generator for the IPid field.
So my FreeBSD will look like thousands of PCs? LOL, that sure would piss the cable company off.
Attention Customer: (Score:5, Funny)
Our expert system has detected that you are sharing a single connection with 4,179 computers.
Do OpenBSD and FreeBSD ... (Score:2)
I find it especially interesting that this method works best on home users and small businesses. Interesting and frustrating.
Is my NAT router a single computer? Because... (Score:2, Insightful)
Multiple Systems != Multiple Boxen (Score:5, Interesting)
ISP: We'll have to cut your net access! We detected several dozen computers simultaneously accessing the net through our service, while the contract only allows you one!
Customer: Uh, I only have one box, I just love to have 30 windows of VMWARE open at once. How better to show off system performance!
ISP: arglllll
I mean, if the customer says he uses VMware, what's the ISP gonna do? Cut off the line without real evidence? I'd assume there are enough people who'd not mind a lawsuit.
Re:Multiple Systems != Multiple Boxen (Score:2, Insightful)
Have you read your ISP's AUP (Acceptable Usage Policy)? Is there anything in there about them needing evidence?
I bet it's more to the effect of 'at our discretion', like the fudgy way they define how you use 'too much bandwidth' on your 'unlimited' connection.
Re:Multiple Systems != Multiple Boxen (Score:3, Interesting)
Google cache link to the site (Score:2, Informative)
How this works (Score:5, Interesting)
But as the article states:
We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event.
So there you go. Write a patch for your IP stack to randomize the id field instead of incrementing it. I couldn't do it, but I imagine someone else can (and will).
Re:How this works (Score:4, Informative)
One of the grsecurity patches for the kernel already gives Linux the random IPid field.
Re:How this works (Score:5, Informative)
The field they are using is the IP id field, which exists in all IP packets (including UDP, ICMP, whatever), and which is used for low-level packet reassembly. On many OS'es, this is a globally increasing counter, i.e. two distinct connections on the same machine share the same counter, but two connections on different machines do not.
Workarounds:
Re:How this works (Score:4, Informative)
Re:How this works (Score:3, Interesting)
In any case, IP-ID is good for ICMP requests (such as ping)... If someone drops your ping's echo-request packet, they can be nice and send a response saying I've gone and dropped your IP package uniquely named IP-ID. Many servers don't do this anymore for fear of the "ping-of-death" DOS attack.
As for your question of how to reassemble packets. This is only really relevant for non TCP protocols (ICMP, UDP, etc). TCP has its own sequence counter and can easily facilitate mini-sized IP packets. UDP can theoretically send 64k messages however and relies upon the underlying IP to fragment.
My memory is a bit fuzzy, but there are additional IP fields that specify which fragment out of n-total a given packet is. The idea is that routers/gateways can reconstruct/break-apart the packet arbitrarily at each leg of the internet's journey. I believe that each fragment still carries the originating IP-ID.. But it is the IP-ID + fragment-number + timestamp that uniquely identifies a packet (since a server will eventually reuse old IP-ID's).
Quick! (Score:3, Funny)
Possible fix (Score:5, Interesting)
Someone correct me if I'm wrong, but it seems to me that iptables could be updated to change the IPid of outgoing packets to a single sequence and just keep a table of old ids -> new ids. When necessary, it performs the translation. So basically it acts as a two way filter, packets behind the NAT will all have the correct id, packets beyond it will all appear as a single sequence. Would this work?
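As an added illustration of both the counting idea described earlier in the thread (a per-host incrementing IP id field shows up as separate runs of consecutive values) and the rewriting fix proposed in the post above, here is a small Python model. It is example code written for this page, not code from Bellovin's paper or from any NAT implementation: the run-clustering heuristic is a simplified stand-in for the paper's method, the addresses are from documentation ranges, and all traffic is constructed inline.

```python
"""Added example (not from the paper or the thread): a toy model of
counting NAT'd hosts by IP ID runs, and a NAT that rewrites the IP ID
field into a single outgoing sequence so only one run is visible.

Assumptions: the counting heuristic is a simplified stand-in for the
clustering in Bellovin's paper; the addresses are documentation ranges
and every packet below is constructed inline.
"""
from collections import OrderedDict, namedtuple

# Minimal view of an IPv4 packet: only the header fields this example needs.
Packet = namedtuple("Packet", "src dst proto ip_id frag_off")

PUBLIC_IP = "198.51.100.1"   # NAT's outside address (assumed)
DST = "203.0.113.10"         # some remote server (assumed)


def count_id_sequences(ids, max_gap=50):
    """Estimate the number of sequential-IPid hosts in an observed ID stream.

    Greedy clustering: each ID extends the existing run whose last ID is
    closest below it (modulo 2**16, gap <= max_gap); otherwise it starts a
    new run. The number of runs is the host estimate. Duplicate IDs (the
    fragments of one datagram) have gap 0 and so do not start a new run.
    """
    tails = []
    for i in ids:
        best, best_gap = None, None
        for k, last in enumerate(tails):
            gap = (i - last) & 0xFFFF
            if gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = k, gap
        if best is None:
            tails.append(i)
        else:
            tails[best] = i
    return len(tails)


class NatIdRewriter:
    """Rewrite outbound IP IDs into one counter, as the post proposes.

    Keyed on (src, dst, proto, original id) so that all fragments of one
    datagram get the same new ID and the remote end can still reassemble
    them; old mappings are evicted FIFO. A real implementation must also
    recompute the IPv4 header checksum after changing the field.
    """

    def __init__(self, public_ip, cache_size=1024):
        self.public_ip = public_ip
        self.cache_size = cache_size
        self.next_id = 1
        self.table = OrderedDict()

    def rewrite(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        new_id = self.table.get(key)
        if new_id is None:
            new_id = self.next_id
            self.next_id = (self.next_id + 1) & 0xFFFF
            self.table[key] = new_id
            if len(self.table) > self.cache_size:
                self.table.popitem(last=False)
        return pkt._replace(src=self.public_ip, ip_id=new_id)


def host_traffic(src, first_id, n):
    """Constructed traffic from a host with a global incrementing IP ID."""
    return [Packet(src, DST, "udp", (first_id + k) & 0xFFFF, 0) for k in range(n)]


def demo():
    """Three sequential-ID hosts behind a NAT, plus one fragmented datagram.

    Returns (hosts seen on raw traffic, hosts seen after rewriting, rewritten packets).
    """
    streams = [host_traffic("10.0.0.1", 1000, 8),
               host_traffic("10.0.0.2", 20000, 8),
               host_traffic("10.0.0.3", 40000, 8)]
    trace = [p for group in zip(*streams) for p in group]   # interleave hosts
    # Two fragments of one datagram from 10.0.0.1 share IP ID 1008.
    trace.append(Packet("10.0.0.1", DST, "udp", 1008, 0))
    trace.append(Packet("10.0.0.1", DST, "udp", 1008, 185))
    before = count_id_sequences([p.ip_id for p in trace])
    nat = NatIdRewriter(PUBLIC_IP)
    out = [nat.rewrite(p) for p in trace]
    after = count_id_sequences([p.ip_id for p in out])
    return before, after, out


def demo_random_host():
    """Add a fourth host whose IDs are not sequential (constructed values
    standing in for a randomised generator). Its packets cannot be linked
    into one run, so the heuristic over-counts rather than under-counts."""
    random_ids = [41113, 7, 60021, 29000, 12345, 53321, 3333, 48000]
    streams = [host_traffic("10.0.0.1", 1000, 8),
               host_traffic("10.0.0.2", 20000, 8),
               host_traffic("10.0.0.3", 40000, 8),
               [Packet("10.0.0.4", DST, "udp", i, 0) for i in random_ids]]
    trace = [p for group in zip(*streams) for p in group]
    return count_id_sequences([p.ip_id for p in trace])


if __name__ == "__main__":
    before, after, _ = demo()
    print("raw traffic looks like", before, "hosts; after ID rewriting:", after)
    print("with a random-ID host the estimate becomes", demo_random_host())
```

The point of keying the table on the original (src, dst, proto, id) tuple rather than per packet is that the IP id only matters for reassembly: every fragment of one datagram must leave the NAT with the same new id, while unrelated datagrams must not collide within the reassembly window. Inbound packets need no reverse translation, since their ids were chosen by the remote sender; what the rewriter does need is the header checksum update the model omits.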
Mirror of Article (Score:2, Informative)
http://www.public.asu.edu/~jmellen/fnat.pdf. [asu.edu] Have at it!!
Can we make it a DMCA violation? (Score:4, Interesting)
trying to crack down on reselling (Score:4, Insightful)
Contrast that with a high speed connection that can been shared with a bazillion users.
I'm guessing they are not as concerned with people who are running more than one machine at home - the precedent has been set already with telephone extensions, cable TV and satellite TV.
I know of at least one person that is sharing his connection with 5 houses on his block via 802.11, which is a fair chunk of high speed connections that could be sold, and more than likely these are the people they are trying to find.
My prediction - they will either give up once netgear, linksys et al. release rom patches to prevent this, or they will try start charging on a "by data" basis.
This is of course doomed to failure, because the only purpose for a high speed connection is for sharing [censored by the RIAA and MPAA] across the net, and any attempts to change their pricing to this model will be met by massive consumer outcry.
Re:trying to crack down on reselling (Score:4, Insightful)
The always-on, low-latency nature isn't a selling point to you?
Rapid website access isn't a selling point?
I had the dubious pleasure of being re-acquainted with 56k access on a trip to my parents house, out in the sticks where they're just too far to get any broadband. I rapidly realized that I'm accustomed to -always- being online when my computer is on, and that websurfing is excruciatingly slow in comparison to broadband. No thanks!
Re:trying to crack down on reselling (Score:3, Interesting)
But if ALL the high speed isp's start charging "by the bit", then why would they care if their p2p customers start bitching. They are under no legal obligation to provide unlimited bandwidth. And if the p2p people don't like it, they can switch back to dialup is what they'll say. I think that "by the bit" is inevitable. They don't do it now because they are all trying to stay afloat and expand their customer bases. But once they have a nice critical mass built up, then they'll start metering. Makes too much sense. It's "fair" in that those who use the most, pay the most. They wouldn't care how many machines are hiding behind your NAT, because in the end, they'll still get their money (depending on pricing scales of course).
"the telephone model" (Score:5, Insightful)
Why would the telco suddenly be able to impose a different standard on data communications? Just because an AT&T engineer has proposed some (time consuming) method to do something doesn't mean it will be done. A similar attitude about POTS is what got mighty Ma Bell busted lo these many years ago...
Taking this one stumble farther, I note that there is only one "computer" attached physically to the Bellsouth DSL line: a little cheap Linksys router, which having a processor & some flash ROM, qualifies as a "computer." Other computers do not connect directly to the DSL line, they connect to that router.
Any telco/ISP that "cracks down" on home networking this way is just plain stupid & needs to go back to the mandatory customer service training workshops! In fact, that's where our dear AT&T engineer needs to be this very afternoon. It's the corporate equivalent of Chinese water torture!
Re:trying to crack down on reselling (Score:4, Funny)
Well, the cable company is after me, and I can't understand why.
I picked up a used VAX-11/780 a while back (had the word 'dagobah' scrawled inside the door, never figured out what that was about), and have a couple dozen friends and neighbors hooking up to it via a combination of Wyse-50 serial terminals and NDS dedicated X terminals. The terminals are "dumb" and can't do any local processing. All the compute resources are on the VAX, there are no NAT services running, and only one IP address is being consumed. So the connection isn't being shared.
Still, the cableco is giving me static about connection sharing, saying it's tantamount to running NAT. I countered by saying that running NAT is tantamount to running a large multi-user machine. But their lawyers are better dressed than mine, and are threatening criminal cable fraud charges. I have no idea how it will turn out. If they decide to go to the mat, it'll be interesting to watch the local constabulary confiscate the VAX for forensic examination.
Schwab
P.S: Anyone know how to compile Quake2 for this thing? It keeps crapping out on the CPU_ARCH #define with the message, "Carmack hits you with a cluestick --more--".
P.P.S: :-)
The answer my friend... (Score:2)
openbsd-pseudo-random number generating packet filterrrrrrrrr
Fix seems to be easy. (Score:2)
AT&T can't stand slashdotting? (Score:5, Funny)
AT&T lets you connect five (Score:4, Funny)
I'm thinking that even for Slashdot readers, five computers in the house with broadband internet will be sufficient.
Read it here: [att.com]
Connect Multiple Computers to the AT&T Broadband Internet Service
Lets be real for a moment... (Score:5, Funny)
And now suddenly they're counting machines behind it?
This is sounding like fantasy and science fiction to me.
IPPersonality.... (Score:4, Informative)
Other methods, and solutions (Score:4, Interesting)
The method described is only one method to count hosts behind a NAT box. Just think how much fun your ISP could have if they utilized a passive nmap-like system. Just by analyzing the traffic, they can tell what OS created the packets, among other things.
That said, there are ways around this already in the wild. OpenBSD's PacketFilter (PF) has a "modulate state" keyword that would solve your problem nicely. That tells PF to essentially rewrite the packets, primarily to give them the benefit of OpenBSD's random sequence numbers, but it will also stop any other analysis of the packets.
Of course, that still leaves the possibility of them checking your surfing habits. However, that would be, not only incredibly intrusive, but quite difficult for them to do on a large scale. Besides, if it ever happens, and they say they saw your firewall making connections to 12 different websites at the same time, just tell them it was all from your one machine, and there's nothing they can do to refute it.
Of course, I'm not concerned about this in the least. I'm using Earthlink broadband, who happen to care about customer privacy more than any other. I certainly didn't hear of any other ISPs giving the US government the finger when they wanted to install Carnivore.
4th amendment violation? (Score:5, Insightful)
We should be allowed to have NAT for the same reason we are allowed to have phones, and if the provider has a problem with that, they need to take a hike. Sniffing for this is unquestionably in bad taste, and it is also a violation of my civil rights.
Re:4th amendment violation? (Score:3, Insightful)
Better Idea (Score:4, Insightful)
Why use NAT? (Score:3, Interesting)
OK, I know there are some NATting products which do caching internally, but it's not as clean as just configuring the web browsers to talk directly to a proxy, and it's more likely to break stuff. (At least, some 'transparent' web caches are horribly broken.)
Re:What about Linux? (Score:4, Interesting)
We do not currently attempt to deal with the randomized IPid generator used by OpenBSD and FreeBSD. Cryptanalyzing the generator may be infeasible in any event. It should be possible to detect a random background to other, linear sources; the current version of the code does not do that.
So take that BSD bashers [ggg]. Of course, a gateway implementation to mask/randomize the IPids would be better - giving you a site-wide fix at once.
First one to market with one wins
Re:this sucks (Score:5, Informative)
1. Use proxies instead of NAT and proxy transparently if needed. Yeah, I know, none of the P2P download sucker shit as it does not have proxies but such is life.
2. Use OSes with better randomisation of IP IDs. This is a tuneable parameter on most OSes and after you have turned it on the graphs are no longer so pretty.
Re:this sucks (Score:4, Informative)
Like the RIAA... (Score:4, Insightful)
I say - let the games begin!
Re:This is a mute point for most operating systems (Score:3, Informative)
pf was designed into Open for 3.0, which would be about 18 months ago, I think. This makes it one of the newest and most recently designed firewalls. (It's a whole other topic of whether it's the best, ipfilter has some loyal devotees).
FreeBSD's stack does do a pseudo-random ipid, but of the two firewalls available for FreeBSD (ipfw and ipf) neither rewrites the IPID, as is the case with Linux as far as I know.
So if you have a NAT'd LAN of FreeBSD boxes, don't worry about it. If you have an OpenBSD 3.0 or greater firewall, don't worry about it. Otherwise, the technique outlined in the paper will work and the boogeyman is being dispatched to your CO as we speak!