[clug] How to prevent port forwarding
sam at couter.dropbear.id.au
Sun Apr 23 04:42:23 GMT 2006
Christopher Zhang <u4123459 at anu.edu.au> wrote:
> I am interested to find out if it is possible, and if so how, for some
> ISPs to prevent one registered Internet user from distributing their
> Internet connection by running their computer as a gateway for other
> users to route through.

I don't believe it's possible to do this reliably.

> The closest thing I can think of is TTL, since if other hosts are
> routed through the legitimate host, then their TTL will be at least
> one less than if it were coming from the legitimate host, without any
> artificial changes.
This isn't reliable. The sharing machine could leave TTL alone instead of
decrementing it during packet forwarding, or even set it arbitrarily.
TTL is decremented every second a packet sits in a router buffer
somewhere. Slow/congested links would look like multiple machines to a
scheme relying on TTL to identify different sources.
Another unreliable scheme could include OS fingerprinting by examining
outgoing packets and counting the number of unique fingerprints seen.
This can make mistakes due to fuzzy OS recognition, or be fooled by
application-layer proxies on the connection sharing machine.
Or you could drop everything from certain client port ranges, those ranges
being the default ports used for NAT/PAT (e.g., 64,000+ for Linux). This
is trivial to change in Linux.
I think the take-home message for ISPs who want to limit IP-based
connections to one machine has to be: Suck it, that's not how IP works.
Sam Couter | mailto:sam at couter.dropbear.id.au
| jabber:sam at teknohaus.dyndns.org
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
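A worked illustration of the TTL heuristic and the two evasions discussed in the reply above. This is an added example, not code from the original thread: the packet samples are constructed, and the subscriber address, the list of LAN hosts, the one-hop distance to the ISP edge and the table of common initial TTLs are assumptions made for the simulation. The "pin" mode models what a Linux gateway does with an iptables rule such as `iptables -t mangle -A POSTROUTING -o <wan> -j TTL --ttl-set 64`.

```python
# Added example (not from the original thread): a passive TTL heuristic an
# ISP might run at its edge, and how a sharing gateway defeats it.
from collections import defaultdict

# Initial TTLs that common operating systems put on outgoing packets
# (32: some old stacks; 64: Linux, BSD, macOS; 128: Windows; 255: many routers).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial
    raise ValueError("TTL out of range: %r" % (observed,))


def hop_signature(observed):
    """Return (guessed initial TTL, hops travelled) for one observed packet."""
    initial = guess_initial_ttl(observed)
    return (initial, initial - observed)


def count_sources(packets):
    """Estimate distinct sending hosts per subscriber address.

    packets: iterable of (subscriber_ip, ttl_seen_at_isp_edge).
    A single host shows one (initial, hops) signature; a NAT'd LAN shows one
    signature per distinct OS / hop-count combination behind the gateway.
    """
    seen = defaultdict(set)
    for ip, ttl in packets:
        seen[ip].add(hop_signature(ttl))
    return {ip: len(sigs) for ip, sigs in seen.items()}


# --- constructed model of the subscriber's side (assumptions, not real traffic) ---
SUBSCRIBER_IP = "203.0.113.7"          # assumed subscriber address
GATEWAY_INITIAL_TTL = 64               # the sharing gateway runs Linux
LAN_HOSTS = [("laptop-windows", 128),  # (name, initial TTL of its OS)
             ("desktop-windows", 128),
             ("phone-linux", 64)]
EDGE_HOPS = 1                          # hops from the gateway to the ISP edge


def ttl_at_isp_edge(initial, forwarded, mode):
    """TTL the ISP sees for a packet that left a host with `initial`.

    mode is how the gateway treats forwarded packets:
      "decrement"    - normal router behaviour, TTL - 1 on forwarding
      "no-decrement" - forward without touching TTL
      "pin"          - overwrite TTL with the gateway's own default
                       (iptables: -t mangle -A POSTROUTING -j TTL --ttl-set 64)
    """
    ttl = initial
    if forwarded:
        if mode == "decrement":
            ttl -= 1
        elif mode == "no-decrement":
            pass
        elif mode == "pin":
            ttl = GATEWAY_INITIAL_TTL
        else:
            raise ValueError("unknown mode %r" % (mode,))
    return ttl - EDGE_HOPS


def subscriber_packets(mode):
    """One packet from the gateway itself plus one from each LAN host."""
    pkts = [(SUBSCRIBER_IP, ttl_at_isp_edge(GATEWAY_INITIAL_TTL, False, mode))]
    for _name, initial in LAN_HOSTS:
        pkts.append((SUBSCRIBER_IP, ttl_at_isp_edge(initial, True, mode)))
    return pkts


def detected_hosts(mode):
    """Number of hosts the ISP-side heuristic believes it sees."""
    return count_sources(subscriber_packets(mode))[SUBSCRIBER_IP]


if __name__ == "__main__":
    for mode in ("decrement", "no-decrement", "pin"):
        print("%-13s real hosts: %d  detected: %d"
              % (mode, 1 + len(LAN_HOSTS), detected_hosts(mode)))
```

With a normally decrementing gateway the heuristic does flag the connection, but it already undercounts (the two Windows machines are indistinguishable). Forwarding without decrementing hides the extra hop, yet the different OS defaults still produce two signatures; only pinning every outgoing TTL to one value collapses the whole LAN into a single apparent host, which is the "set it arbitrarily" case.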