[sllug-members]: mac address
Lamont R. Peterson
lamont at gurulabs.com
Sat Jul 15 20:45:15 MDT 2006
On Saturday 15 July 2006 08:17, Brad Midgley wrote:
> I've read that some implementations of NAT would allow the ISP to
> estimate the number of hosts behind the NAT by examining tcp sequence
> numbers.
That's one technique, but it's one of the most unreliable.
I know that Cox (cable company in several states, but not Utah) uses the IP TTL
field to determine if you have multiple hosts hooked up behind NAT to your
cable modem service, so that they can bill you more for having more than one
system connected. But that's easy to defeat with Netfilter in Linux.
> OpenBSD is paranoid about this too and tries to eliminate tcp
> sequence patterns in their NAT.
Not exactly. OpenBSD has one of the best TCP/IP stacks when it comes to
randomizing variables like TCP Sequence numbers and client random TCP/UDP
ports. However, this has nothing to do directly with NAT.
In Guru Labs' GL510 Network Security course, we talk about the security
implications of having poor randomness for such things and describe several
scenarios where an attacker could use TCP Sequence number or port guessing to
steal connections, therefore gaining "authenticated" access to data. Don't
worry, though; if you know how to configure those services that can be
vulnerable to such things, you can mostly eliminate the possibilities.
BTW, Linux is the second best (barely behind OpenBSD) when it comes to the
quality of the randomness found in its TCP/IP stack. You have (almost)
nothing to fear when using Linux from attackers trying to use such guessing
techniques.
--
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB 8CB3 F980 6C97 DC0D D409
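The TTL-based host counting the post attributes to Cox, and the effect of a NAT that rewrites the TTL (what the Netfilter mangle-table TTL target does), modeled in Python as an added example that is not part of the original message; the initial-TTL table and the sample packet records are constructed assumptions.

```python
from collections import defaultdict

# Initial TTLs used by common stacks (assumption); the value seen by the ISP
# is the initial TTL minus the number of hops the packet has traversed.
INITIAL_TTLS = (32, 64, 128, 255)

def initial_ttl(observed):
    """Return the smallest common initial TTL that is >= the observed TTL."""
    for start in INITIAL_TTLS:
        if observed <= start:
            return start
    raise ValueError("TTL out of range: %d" % observed)

def host_profiles(packets):
    """Group (src_ip, ttl) records by public source address and return, per
    address, the set of (initial_ttl, hops) profiles seen. Two different
    profiles behind one address can only come from different hosts (or
    different paths), so the set size is a lower bound on hosts behind it."""
    seen = defaultdict(set)
    for src_ip, ttl in packets:
        start = initial_ttl(ttl)
        seen[src_ip].add((start, start - ttl))
    return seen

def estimate_hosts(packets):
    """Lower-bound host count per public address, as an ISP would compute it."""
    return {ip: len(p) for ip, p in host_profiles(packets).items()}

def rewrite_ttl(packets, fixed=64):
    """Model a NAT that sets every outgoing TTL to one fixed value: the
    per-host signal the ISP relies on is gone after this step."""
    return [(src_ip, fixed) for src_ip, _ in packets]

# Constructed sample: three hosts behind 203.0.113.5 (two 64-initial boxes at
# different hop counts, one 128-initial box) and one single-host address.
SAMPLE = [
    ("203.0.113.5", 63), ("203.0.113.5", 63), ("203.0.113.5", 127),
    ("203.0.113.5", 62), ("203.0.113.5", 127), ("203.0.113.9", 63),
]

if __name__ == "__main__":
    print(estimate_hosts(SAMPLE))               # {'203.0.113.5': 3, '203.0.113.9': 1}
    print(estimate_hosts(rewrite_ttl(SAMPLE)))  # {'203.0.113.5': 1, '203.0.113.9': 1}
```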