7 February 2006

NAT Detection

Posted under: at 00:58

This ISP account has been acting up lately. It will happily keep its connection up for hours and sometimes days, even with heavy usage. But once I begin to share this connection with my wife’s computer, it will start dropping connection every minute. After I turn off NAT, the connection will be back stabilizing again. It looks like as if the ISP knew when I’m doing NAT or not.

At first I didn’t know if this is even possible, primarily because I’m using kernel 2.6. In previous version of Linux, any NAT connection will originate from port 61000 to 65095 I believe. It was easy to detect if a connection comes from behind a Linux NAT box or not simply by observing remote port number even if this is not completely accurate. In 2.6 however, NAT connections share the same port space as normal connections from the NAT box itself.

But if my ISP is doing this to me, then there should be another way for them to determine if I’m doing NAT or not. After a bit searching, I found the program p0f. I remember p0f from several years ago, it is a small program that passively detects remote operating system by observing network patterns. It seems that it has evolved into a tool that can detect the presence of NAT gateway according to several factors:

  • Differences in OS fingerprints from the same IP
  • Differences in NAT and firewall flags set
  • Link type differences
  • Distance differences
  • Timestamp differences
  • Time from previous occurence

So it is possible alright. But why are they doing this to their customers? Probably to avoid the connection being used on cheap ‘warnets’. However my Internet usage is completely legitimate. I’m not using this on a ‘warnet’ and I don’t appreciate being disconnected just because my wife needs to use her Yahoo Messenger account.

So, is there any workaround? Of course there is: simply use application level proxy such as Squid for HTTP/FTP and SOCKS for everything else. It needs a little more configuration for every client (OK, maybe not a little), not as transparent as with straightforward NAT gateway, but it works.

68 Responses

Trackback: Use this URI to trackback this entry. Use your web browser's function to copy it to your blog posting.

Comment RSS: You can track conversation in this page by using this page's Comments RSS (XML)

Gravatar: You can have a picture next to each of your comments by getting a Gravatar.

Leave a Comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Warning: Comments carrying links to questionable sites will be removed!