Re: NAT detection
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NAT detection
- From: Anthony Schlemmer <aschlemm_(_at_)_attbi_(_dot_)_com>
- Date: Wed, 4 Dec 2002 12:02:22 -0800
- Organization: AT&T Broadband
Depending on your ISP, they may be actually using RFC1918 addresses for
equipment inside their own network. I notice when I run a traceroute
from my OBSD firewall box the first address in the list is a 10.x.x.x
one.
Tony
On Wednesday 04 December 2002 08:41 am, Nick Holland wrote:
> Marcus Watts wrote:
> > I can think of at least 4 ways an ISP might be able to detect a
> > NAT (or "something"):
> >
> > (1) mac address -- who assigned the ethernet address your NAT box
> > owns? Is there anything special about it?
> > (2) IP differences. Different IP stacks will generate
> > IP packets with slightly different contents
> > or otherwise behave differently. For instance,
> > some set DF, some don't, TTL may have different
> > values, etc. Even if your computers all run the
> > same TCP stack, your NAT box might change some
> > of these, but not others, which might in itself
> > indicate something is up.
> > (3) time delay. A NAT box is going to introduce an
> > unavoidable delay in packet propagation, which
> > is going to increase local round-trip delay.
> > (4) HTTP differences. Many browsers insert assorted
> > library and application versioning data into the HTTP
> > headers; multiple nearly simultaneous tcp streams
> > with different browser information fields
> > would suggest different computers or at least
> > multiple browsers.
>
> (5) Bizarre DNS requests. If your address is requesting reverse DNS
> requests for (say) 192.168.3.56 or 10.0.4.22, they know something is
> going on behind your primary machine. I call your attention to the
> curious behavior that people all over the United States reported
> quite a few months ago: they were suddenly having two-minute delays in
> getting into their OpenBSD gateway due to ISPs no longer returning
> ANYTHING for RFC1918 IP addresses. This stopped happening just about
> the time I finished the FAQ on the subject (figures). Are they
> looking for this? No idea. Still seemed bizarre to me that people
> all over the country with different service providers were having
> similar issues at the same time. Regardless, configure your DNS
> correctly.
>
> (6) Continual connections which go on for weeks or months at a time:
> Face it, the most commonly installed platforms aren't noted for doing
> that. If your "computer" shows it has been on and connected for
> WEEKS, they know it isn't windows 98. 8-)
>
>
> However, at this point, I think everyone understands that hooking a
> mass-market operating system directly to the Internet is not a really
> bright idea. A friend of mine had some minor difficulty with his
> cable service provider when he mentioned a firewall, however, he
> pursued it up the chain of command until someone basically said, "yes,
> having a firewall is a good idea". The fact that virtually all
> firewalls do NAT? Bummer. 8-) They really are in a rotten position:
> they don't want trojan traffic or their customers complaining about
> broken computers...but they don't want to be losing prospective
> sales.
>
>
> As for the installers, I used a creative approach: Bribery. 8-) I
> set up a clean machine for them to install to, with an OS they were
> familiar with. They come in, see the machine, and they like me
> already (just think how many times they are called to do an install
> on a machine just barely running...so they KNOW when they open the
> thing up and stick a network card in it, it will likely never boot
> again -- and they are going to get the blame). After they were done,
> I gave each of them (there were two) an older, but still useful
> machine I had set aside and a couple network cards. They left with
> big grins, and four or five years later, I don't think it was because
> they were planning on roasting me 8-)
>
>
> Nick.
--
Anthony Schlemmer
aschlemm_(_at_)_attbi_(_dot_)_com
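Point (5) in the quoted message, and Nick's closing advice to "configure your DNS correctly", amount to a check a gateway admin can run themselves: does anything behind the gateway send the ISP's resolver reverse (PTR) lookups for RFC1918 addresses? The script below is an added example written for this archive page, not code from the thread or from OpenBSD. It assumes a simplified, constructed query-log format of `<client> <qtype> <qname>` per line (real resolver logs differ); it maps each `in-addr.arpa` PTR name back to the IPv4 address it asks about and reports the ones that fall in the private ranges, while ignoring look-alikes such as loopback or documentation addresses.

```python
import ipaddress

# Constructed sample of query-log lines in an assumed "<client> <qtype> <qname>" format.
# 192.0.2.10 (TEST-NET-1) and 127.0.1.1 (loopback) are deliberately included: they are
# not RFC1918 space and must not be reported.
SAMPLE_QUERY_LOG = """\
192.168.1.1 PTR 56.3.168.192.in-addr.arpa.
192.168.1.1 PTR 22.4.0.10.in-addr.arpa.
192.168.1.1 A www.openbsd.org.
192.168.1.1 PTR 1.1.0.127.in-addr.arpa.
192.168.1.1 PTR 10.2.0.192.in-addr.arpa.
192.168.1.1 PTR 5.200.16.172.in-addr.arpa.
"""

# The three private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ptr_name_to_ipv4(qname):
    """Turn a reverse name such as '56.3.168.192.in-addr.arpa.' back into
    IPv4Address('192.168.3.56'). Returns None for anything that is not a
    well-formed IPv4 reverse name."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    # A full IPv4 reverse name has exactly four numeric labels, least-significant octet first.
    if len(labels) != 4 or not all(label.isdigit() for label in labels):
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:
        return None


def is_rfc1918(addr):
    """True if addr lies in 10/8, 172.16/12 or 192.168/16."""
    return any(addr in net for net in RFC1918)


def find_private_ptr_leaks(log_text):
    """Scan query-log text and return [(client, ip), ...] for every PTR query
    that asks about an RFC1918 address. Lines that do not fit the assumed
    three-field format are skipped."""
    leaks = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        if qtype.upper() != "PTR":
            continue
        ip = ptr_name_to_ipv4(qname)
        if ip is not None and is_rfc1918(ip):
            leaks.append((client, str(ip)))
    return leaks


if __name__ == "__main__":
    for client, ip in find_private_ptr_leaks(SAMPLE_QUERY_LOG):
        print(f"{client} sent a reverse lookup for private address {ip} upstream")
```

Any hit means the gateway is forwarding lookups it should answer itself. The fix is the one the thread recommends: serve the `10.in-addr.arpa`, `16-31.172.in-addr.arpa` and `168.192.in-addr.arpa` zones from a resolver on the local side so those queries never reach the ISP, which removes both the fingerprint and the timeout delays Nick describes.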