Systems behind routers traceable?

Thread: Systems behind routers traceable?

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Systems behind routers traceable?

    Steve Bellovin, one of the founding fathers of Usenet and now working for the Internet Engineering Task Force, claims to have written an algorithm able to make the distinction between packets coming from different computers behind a NAT-router.

    What he did is study the IPid, a 16-bit IP header number (RFC 0760) added to the packets by the TCP/IP protocol. Succeeding packets are numbered with succeeding IPid's. What Bellovin's algorithm does, is search for succeeding sequences, where different sequences belong to different computers.

    A helping hand for ISP's that don't like customers to connect more than one computer on one line?

    There's something that doesn't make the algo 100% effective though. Within a LAN, packets are also numbered. This makes that from outside the router, the visible IPid values appear to belong to different sequences, making it look like there is more than one computer behind the router.

    Another thing is that BSD for example generates random IPid's, making the algorithm useless...

    Here's the research paper.

  2. #2
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    Hmm, I wonder if Darwin and MacOS X maintain BSD's random IPid's...., I'd like to think that I have that kind of "protection". This technology not only could be used by ISP's to identify user transgressions, but I imagine that if those overly zealous laws being proposed across the US would benefit from this kind of technology, making interesting problems with search and seizure, wire-tapping, etc. What would qualify as a legal use of this technology to track down "illegal NAT"? Would there have to be a warrant, or would ISP's be obliged to turn in criminals? I imagine that the legislation and enforcement would take the same course as the Kazaa/Napster P2P mess.
    My question, you can identify the IP of the router/NAT/gateway and from that you can identify the network that the computer is on. Is it really that tenuous a position to assume that if you can identify the network that the person is being naughty on, then you can find the computer? After all, if it is a major corporation, they probably have logs out the wazzoo for finding just such data and protecting their butts, and if you are a home user, then 1-5 computers is that hard to find, heck, 1-30 is just time consuming...

    Ridiculous. I guess then I now will keep BSD on my server...

    Interesting article Neg, thanks.
    Dhej
    The owl of Minerva spreads its wings only with the falling of dusk. -Hegel

  3. #3
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    I thought this was found a long time ago already... There are vulnerability scanner services that check these things already... There are pretty some programs that make you able to change this, like you said BSD already does it in most cases... I don't know if you knew that already, or I'm really wrong... But this isn't really new, is it?

    ps
    If I'm not mistaken many routers already have software on board that doesn't need those numbers anymore to send the right packets to the right PC, so they replace it with something random.
    Double Dutch

  4. #4
    Member
    Join Date
    Feb 2003
    Posts
    41
    Interesting. I agree and also like Dhej's question. I use a Linksys NAT CABLE router and have 2 XP boxes and 2 MANDRAKE boxes behind it.

    [QUOTE]There's something that doesn't make the algo 100% effective though. Within a LAN, packets are also numbered. This makes that from outside the router, the visible IPid values appear to belong to different sequences, making it look like there is more than one computer behind the router.[/QUOTE]

    But isn't this whole idea behind the NAT??? So why would you even need the algo???
    Mindpilot

    You can tell lot about a person by how they handle these 3 things: Rainy Days, Lost Luggage, and Tangled Christmas tree lights

  5. #5
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Welp... what the algorithm tries to take into account, is that some packets stay on the LAN.
    Packets that stay on the LAN are also numbered. So - if I get this correctly - if you send some packets outside your LAN, then send some packets that stay within your LAN, then again send some packets outside your LAN, there are some missing IPid's (the ones that didn't reach the internet), making it look like you have two computers in your LAN.
    And that is basically what the algorithm is capable of: handling those gaps...
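
Added example, not part of the original thread and not Bellovin's own code: a simplified greedy grouping of observed IPid values into per-host sequences, as posts #1 and #5 describe, including the gap tolerance and the effect of randomized IDs. The `max_gap` and `min_len` thresholds and all sample IPid values are constructed assumptions.

```python
MOD = 1 << 16  # IPid is a 16-bit field, so per-host counters wrap at 65536

def count_sequences(ipids, max_gap=64, min_len=3):
    """Count distinct incrementing IPid sequences seen outside a NAT.

    ipids   -- IPid values in arrival order
    max_gap -- largest forward jump still attributed to the same counter
               (covers IDs spent on packets that never left the LAN)
    min_len -- shorter runs are discarded as noise (assumed threshold)
    """
    seqs = []  # each entry is [last_ipid_seen, packets_in_sequence]
    for value in ipids:
        best = None
        for seq in seqs:
            gap = (value - seq[0]) % MOD  # forward distance, wrap-aware
            if 0 < gap <= max_gap and (best is None or gap < best[0]):
                best = (gap, seq)
        if best:
            best[1][0] = value   # extend the closest matching sequence
            best[1][1] += 1
        else:
            seqs.append([value, 1])  # start a new candidate sequence
    return sum(1 for seq in seqs if seq[1] >= min_len)

# Constructed sample: two hosts interleaved; the second counter wraps
# past 65535 and the first skips 103-105 (packets that stayed on the LAN).
INTERLEAVED = [100, 65530, 101, 65531, 102, 65533, 106, 65535, 107, 0, 2]

# Constructed sample: one host whose counter jumps from 502 to 510
# because the IDs in between were used for LAN-only traffic.
ONE_HOST_LAN_GAP = [500, 501, 502, 510, 511, 512]

# Constructed sample: a host that picks IPid values at random.
RANDOMIZED = [40211, 913, 58702, 22140, 7, 33019, 61544, 12876]

if __name__ == "__main__":
    print("two hosts:", count_sequences(INTERLEAVED))
    print("one host, gaps tolerated:", count_sequences(ONE_HOST_LAN_GAP))
    print("one host, no gap tolerance:",
          count_sequences(ONE_HOST_LAN_GAP, max_gap=1))
    print("randomized IDs:", count_sequences(RANDOMIZED))
```

With no gap tolerance the single host is miscounted as two, which is the false positive the first post mentions; the randomized sample yields no sequence at all, which is why per-packet random IDs defeat the count.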

  6. #6
    Member
    Join Date
    Feb 2003
    Posts
    41
    Ahh...gotcha. I wasn't totally sure if the packets were identical. Wonder how it handles different forms of encryption. Like when the entire packet is encrypted but not the key that is inside.
    Mindpilot

    You can tell lot about a person by how they handle these 3 things: Rainy Days, Lost Luggage, and Tangled Christmas tree lights

  7. #7
    Junior Member
    Join Date
    Mar 2003
    Posts
    26
    Well, one would assume there has to be some way to distinguish it, otherwise how would the NAT router know which computer it's forwarding the returning packets to?
    Never argue with an idiot, they'll just bring you down to their level and then beat you with experience

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    AT&T is also working on this. As someone already pointed out, this isn't new but just now is being noticed a little more.

    There are scanners that check this field in packets right now but I haven't seen a good one yet. How about anyone else?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Member
    Join Date
    Feb 2003
    Posts
    41
    I haven't seen any yet either. Maybe if ya put another NAT router behind the first one it will confuse them. hahaha...sometimes the erroneous works..lol
    Mindpilot

    You can tell lot about a person by how they handle these 3 things: Rainy Days, Lost Luggage, and Tangled Christmas tree lights

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    I think this sort of algo can be made inefficient if you configure your router well. Or maybe would it be interesting to create false "computers" connected playing with the parameters of the algorithm and creating false internal traffic in order to make some honeypots more attractive for crackers.

    KC
    Life is boring. Play NetHack... --more--
