SlashDot: "Comcast Gunning for NAT Users"
Chris Adams
chris at improbable.org
Fri Feb 1 06:55:06 UTC 2002
On Thursday, January 31, 2002, at 02:09, Eric A. Hall wrote:
> "Bill Woodcock" <woody at zocalo.net> wrote:
>
>>> Besides the technical difficulties of detecting a household that is
>>> running a NAT...
>>
>> Can you think of a way of doing it reliably? Anything that provides
>> anything more than a guess?
>
> HTTP proxies indicating that multiple browsers are in use, especially
> if multiple platforms (Win95, WinXP, as simple test)
This is one of the better ones (assuming you only check platform & not
browser - it's not uncommon to have more than one of IE/Netscape/Opera
running). Even better might be sniffing windowsupdate requests, as
proxies and some browsers can easily spoof user-agents, but there's no
reason other than NAT or proxying to explain automatically downloading
both the NT and XP patch lists.
> More than ~4 simultaneous TCP connections open at once.
Really, really bad idea. Opening a page with images causes multiple HTTP
requests in most browsers, particularly if someone's used one of the web
accelerators - if you have a few windows open, this could easily cause
>30 simultaneous connections (particularly with slow servers). Many
programs poll for updates, chat software involves permanent connections
(my opening Trillian opens 4 connections), most cable modem users keep
their email clients running and it's pretty common to be streaming music
or playing online games.
I think that blocking based on known MAC address ranges or traits (e.g.
HTTP banners) of NAT devices would be the only acceptable route. That'd
probably get the majority of the NAT users but would avoid those who are
capable of stealthing a system (this would become particularly
interesting with some of the kernel patches floating around which mimic
another TCP/IP stack), and these users are the most likely to be soaking
bandwidth.
Even this would have problems - there'd probably be a class action if
they required users not to use firewalls and I doubt they'd want to deal
with the support headache in convincing users to give up their wireless
access points.
The real lesson is that filtering on equipment is a bad way to control
bandwidth usage. Of course, these are the same people who will complain
about something listening on port 80 which transfers 5KB/month but won't
say a thing if you spend 18 hours a day deathmatching and downloading
crap.
Chris
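To make the platform-only version of the User-Agent heuristic concrete, here is an added example (not code from the post or from NANOG): it groups constructed sample HTTP log lines by source address and flags an address only when more than one OS platform shows up behind it, so several browsers on one machine do not trigger it. The log line format and the platform table are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): "<source ip> <User-Agent>"
SAMPLE_LOG = """\
10.0.0.5 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
10.0.0.5 Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
10.0.0.5 Mozilla/5.0 (Windows NT 5.1; U) Opera 6.0
10.0.0.7 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
10.0.0.7 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2
10.0.0.9 Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)
10.0.0.9 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
"""

# Assumed platform markers, most specific first; the browser name is
# deliberately ignored so IE + Netscape + Opera on one box count as one platform.
PLATFORM_PATTERNS = [
    ("Windows XP", r"Windows NT 5\.1"),
    ("Windows 2000", r"Windows NT 5\.0"),
    ("Windows NT4", r"Windows NT 4"),
    ("Windows 98", r"Windows 98"),
    ("Windows 95", r"Windows 95"),
    ("Mac", r"Mac_PowerPC|Macintosh"),
    ("Linux", r"Linux"),
]

def platform_of(user_agent):
    """Map a User-Agent string to an OS platform name, or None if unrecognised."""
    for name, pattern in PLATFORM_PATTERNS:
        if re.search(pattern, user_agent):
            return name
    return None

def platforms_per_source(log_text):
    """Collect the set of distinct platforms seen per source address."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _, user_agent = line.partition(" ")
        platform = platform_of(user_agent)
        if platform:  # unknown platforms are skipped, not counted as a second host
            seen[ip].add(platform)
    return seen

def likely_multi_host(log_text):
    """Source addresses behind which more than one OS platform was observed."""
    return sorted(ip for ip, ps in platforms_per_source(log_text).items() if len(ps) > 1)
```

Run against the sample, 10.0.0.7 (three browsers, one platform) is not flagged, while the two addresses mixing Windows XP with Windows 95 or a Mac are.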