NAT Detection

This ISP account has been acting up lately. It will happily keep its connection up for hours and sometimes days, even with heavy usage. But once I begin to share this connection with my wife’s computer, it starts dropping the connection every minute. After I turn off [NAT](http://en.wikipedia.org/wiki/IP-masquerading), the connection stabilizes again. It looks as if the ISP knows whether I’m doing NAT or not.

At first I didn’t know if this was even possible, primarily because I’m using kernel 2.6. In previous versions of Linux, any NAT connection would originate from ports 61000 to 65095, I believe. It was easy to detect whether a connection came from behind a Linux NAT box simply by observing the remote port number, even if this was not completely accurate. In 2.6, however, NAT connections share the same port space as normal connections from the NAT box itself.

But if my ISP is doing this to me, then there should be another way for them to determine if I’m doing NAT or not. After a bit of searching, I found the program [p0f](http://lcamtuf.coredump.cx/p0f.shtml). I remember p0f from several years ago; it is a small program that passively detects the remote operating system by observing network patterns. It seems that it has evolved into a tool that can detect the presence of a NAT gateway according to several factors:

* Differences in OS fingerprints from the same IP
* Differences in NAT and firewall flags set
* Link type differences
* Distance differences
* Timestamp differences
* Time from previous occurrence
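
A simplified sketch of three of these checks (fingerprint, distance and timestamp differences), added here as an example; it is not p0f's code or algorithm. The record layout, the option-string fingerprints and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed SYN observations: (seconds, src_ip, ttl_seen, tcp_tsval, syn_options).
# syn_options is a simplified stand-in for a passive OS fingerprint (not p0f's format).
SYNS = [
    (0.0, "203.0.113.7", 60, 500_000, "mss,sackOK,ts,nop,ws"),
    (2.0, "203.0.113.7", 123, 91_000, "mss,nop,ws,nop,nop,ts,sackOK"),
    (4.0, "203.0.113.7", 60, 500_400, "mss,sackOK,ts,nop,ws"),
    (6.0, "203.0.113.7", 123, 91_600, "mss,nop,ws,nop,nop,ts,sackOK"),
    (0.5, "198.51.100.9", 57, 70_000, "mss,sackOK,ts,nop,ws"),
    (3.5, "198.51.100.9", 57, 70_300, "mss,sackOK,ts,nop,ws"),
    (9.5, "198.51.100.9", 57, 70_900, "mss,sackOK,ts,nop,ws"),
]

def hop_distance(ttl_seen):
    """Hops travelled, assuming the sender started from a common initial TTL."""
    initial = next(v for v in (32, 64, 128, 255) if v >= ttl_seen)
    return initial - ttl_seen

def clock_steps_back(tsvals):
    """True if consecutive TCP timestamps go backwards; 32-bit wraparound is
    treated as forward motion. One host's clock only ever moves forward."""
    return any((b - a) % 2**32 > 2**31 for a, b in zip(tsvals, tsvals[1:]))

def nat_indicators(syns):
    """Map each source IP to the list of indicators suggesting several hosts."""
    per_ip = defaultdict(list)
    for rec in sorted(syns, key=lambda r: r[0]):   # process in time order
        per_ip[rec[1]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        hits = []
        if len({r[4] for r in recs}) > 1:                 # more than one OS fingerprint
            hits.append("fingerprint")
        if len({hop_distance(r[2]) for r in recs}) > 1:   # gateway vs. host one hop behind
            hits.append("distance")
        if clock_steps_back([r[3] for r in recs if r[3] is not None]):
            hits.append("timestamp")                      # interleaved, unrelated clocks
        report[ip] = hits
    return report

if __name__ == "__main__":
    for ip, hits in nat_indicators(SYNS).items():
        print(ip, "->", ", ".join(hits) or "no NAT indicators")
```

Each indicator alone is weak (a dual-boot machine changes fingerprint, a route change alters distance), so a monitoring tool would weigh several together before concluding that an address is a NAT gateway.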

So it is possible all right. But why are they doing this to their customers? Probably to avoid the connection being used in cheap ‘warnets’. However, my Internet usage is completely legitimate. I’m not using this in a ‘warnet’ and I don’t appreciate being disconnected just because my wife needs to use her Yahoo Messenger account.

So, is there any workaround? Of course there is: simply use an application-level proxy such as [Squid](http://www.squid-cache.org/) for HTTP/FTP and [SOCKS](http://en.wikipedia.org/wiki/SOCKS) for everything else. It needs a little more configuration for every client (OK, maybe not a little) and is not as transparent as a straightforward NAT gateway, but it works.

68 comments

  1. Wow, so they've started disconnecting customers who use NAT? I first heard about this on the id-mac mailing list. Dicky knows about it too, and was just as surprised; so ISPs are now clever enough to detect whether NAT is in use. I guess that means we're playing with application-level connections from now on, it's just more of a hassle.

  2. Hey, can that really detect whether NAT is in use, Pri? We have a problem at my place right now; I want to map which subnets are doing NAT. Every department has already been allocated public IPs, but their admins NAT them and then use private IPs on the LAN.

  3. Just switch ISPs, Pri.
    Why would they restrict something that shouldn't be restricted anyway (hehe, listen to me acting like I know).
    Aren't they selling bandwidth? It should be up to us what we use it for and for how many machines, since that bandwidth is already ours.
    Where I am it seems to be unrestricted, Pri; NAT as many machines as you like, since there's already a bandwidth limiter anyway, right? :)>-

  4. #24: yes, via/through that ISP; which server/network the tunnel goes to is not a parameter of the question (unless that ISP also prohibits tunnelling)

  5. #16: just let it hit the bandwidth limiter =))

    #27: make the UI server faster? Well, replace the server then.. the connection?

    *runs away*

  6. Those who are confused needn't be so confused, because this really is the work of IT people (the usual ‘business innovation’). A lot goes on in the computer underground world, from programming, networking, databases, Linux, graphic design, schemes, security, abuse and hoaxes. Sorry for not staying on the topic above, because some other friends are in confused mode. It’s a pity. As far as I remember, put simply, masquerade/NAT (Network Translation Address) is the mapping of IP addresses/computer numbers on one network so that they are recognized by the other network (in the form of a configuration file). The thing that performs NAT is called the router. That's more or less it. Feel free to correct me. There are advantages and disadvantages to using NAT. When Pri enables NAT, the ISP blocks him unless NAT is turned off. The solution is to install a proxy program such as Squid, etc. That's the chronology of the story. For those who want their server to be faster, just use Speedy (another alternative: have the rector replicate/cluster the server, he..he..). The story continues, and the oddities don't stop here: when I posted my previous comment, my IP location was somehow detected as being abroad (I'm not the cause of that, mind you), even though I'm online from a village in a corner of Indonesia … (is it because of that NAT?)

  7. Ooooooh…. (only just got it)…
    In that case lucky me, over here it's unrestricted.. I even subscribed to the dynamic IP plan but in practice got a static IP… and tinkering with it (port forwarding, etc.) is no problem either… does that mean the people at my ISP are less “innovative”? hehe

  8. #28 and #29
    FYI,
    when there is NAT, tunneling indeed cannot get through;
    then NAT-Traversal appeared, which allows tunneling.
    By default it is unlikely that an ISP enables NAT-T.

  9. I have exactly the same problem as you. I use a cable modem in Bandung and use NAT to share my connection with just one computer. I am still in doubt: did they really do that? If they are chasing ‘cheap’ warnets, they must look at statistics on YM users and on the apps most warnet users use, and go directly after the customer's address.

  10. Why avoid cheap warnets by going after NAT? Pity the customers. It seems the factor used as the benchmark for cheating is not only bandwidth usage (CMIIW) but also the number of users on the customer's side (that ISP is really fierce).
    In my opinion the benchmark should be bandwidth usage only; if the number of users per customer is also limited, then the subscription price for that ISP should be even cheaper.
    If I may ask, how much bandwidth are you renting?

  11. Hahaha, there's also a fierce ISP in Bandung; imagine, on Windows users' machines they install .NET, security policies and so on as they please… with per-app tokens too.. but put in a Linksys router and everything is sorted… it can be shared with the notebook and wife of a friend of mine.

    There's another ISP that is also fierce, always suspecting us of sharing… tsk tsk, so distrustful; then when they see we're using Apple they get confused.. hah, pathetic, those ISPs' support should understand every platform.. it's Unix after all :D

  12. #45 Agreed in that case, loving your wife after all ;-)
    Does it really have to be NAT? What about using a proxy as #22 suggested, Pri? Or is it so that it's unrestricted and can have direct access?

  13. Back then there was indeed an ISP with this in its license agreement, MyNet (www.mynet.co.id) if I'm not mistaken.

    When I read its user agreement, well, never mind, I didn't go ahead and just moved to another ISP.

  14. It turns out that even with the link to the wiki, many are confused about NAT, including me :d but I can't try the tips yet because my ISP is still dial-up :((

  15. You can actually change the port range for NAT in the 2.2/4 kernel. Thus, detecting NAT by ports was never an efficient method. Lcamtuf’s p0f is quite a good method of detecting NATs but, as you mentioned, it will not show different hosts behind NAT if someone decides to share Internet connectivity via a proxy (HTTP or SOCKS). Another good method is to tunnel traffic via SSH or SSL tunnels to an external server; thus, for specific services that are not using HTTP, you can use tunnels. Otherwise, you can modify the kernel to send traffic that always looks the same. Oh, and I think your problem is related to the configuration of your kernel, hardware problems or other issues. I think using p0f for big ISP networks is quite unlikely, as there is totally no point in using it, as ISPs implement traffic control per bandwidth and simply don’t care how many PCs are behind – the traffic rate always stays within limits. I’d advise you to analyse why your connection drops (at which point). There is a chance that your modem/router/firewall drops when you get higher traffic due to use of the network by 2 computers.

  16. #32 hwahahahahahaha … someone got fooled !!!! :))
    #47 yep! But Indonesians are all conjurers; sometimes they've already NATed a lot and still make all sorts of demands
    #50 indeed it can't. Oh wait, there is one that gets through, Jae: YM!

    hehehe, that ISP is really determined to install p0f, hmm, don't tell me it was RS who set it up :))

  17. #65: I'm sure it isn't, because the disconnect happens at the PPP level. Besides, using another ISP with double NAT has never been a problem either.
