[45393] in North American Network Operators' Group
Re: SlashDot: "Comcast Gunning for NAT Users"
daemon@ATHENA.MIT.EDU (kevin graham)
Thu Jan 31 19:17:09 2002
Date: Thu, 31 Jan 2002 16:16:00 -0800 (PST)
From: kevin graham <kgraham@dotnetdotcom.org>
To: Jared Mauch <jared@puck.Nether.net>
Cc: nanog@merit.edu
In-Reply-To: <20020131220240.GB22554@puck.nether.net>
Message-ID: <20020131161018.V299-100000@lutra.i.dotnetdotcom.org>
> 1) check out mac-address ranges
> 2) count flows/ip to determine if this
> pattern appears to be legit. (this in theory could also be done
> to prevent file sharing systems that keep a large number of
> peer-to-peer connections)
> 3) port/ip based filtering
4) TCP fingerprinting of flows.
Not sure about all NAT implementations, but most seem to rewrite on
the fly, not proxy (as would be sensible). Likewise, by watching sequence
numbers, SACK behavior, etc., one could certainly recognize different
strains of TCP stacks behind an address, and with practice determine
multiple instances of the same strain.
..kg..
ObNoise. How would one construe whether it's proper for multiple logical
partitions of a machine to fetch Comcast NNTP pr0n?
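Added example (not part of the message above or of the NANOG archive): a passive SYN fingerprinter of the kind item 4 describes. It parses raw IPv4+TCP SYN headers, builds a per-stack signature (initial TTL family, DF bit, window, MSS, window scale, SACK-permitted, option order) to count distinct TCP stack strains behind one address, and then splits each strain into hosts by clustering the per-host counters that an in-place rewriting NAT leaves untouched (TCP timestamp value where present, IP ID otherwise). The packets, the 203.0.113.7 / 198.51.100.9 / 192.0.2.80 addresses, the "Linux-like" and "Windows-like" option layouts and the 1000-tick clustering tolerance are all constructed assumptions for this illustration, not captured traffic or a verified signature database.

```python
"""Passive TCP SYN fingerprinting of hosts behind a single (NAT) address.

Added example; every packet below is constructed in this file, not captured.
"""
import struct
from collections import defaultdict


def build_syn(src, dst, ttl, ipid, win, seq, options):
    """Construct a minimal IPv4 + TCP SYN. Checksums stay zero: they do not
    matter for fingerprinting and nothing here is ever sent on a wire."""
    assert len(options) % 4 == 0
    tcp_len = 20 + len(options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ipid, 0x4000, ttl, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, (tcp_len // 4) << 4, 0x02, win, 0, 0)
    return ip_hdr + tcp_hdr + options


def linux_like_opts(tsval):
    # MSS, SACK-permitted, Timestamps, NOP, Window scale: the order a Linux stack emits (assumed).
    return (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", tsval, 0)
            + b"\x01" + b"\x03\x03\x07")


def windows_like_opts():
    # MSS, NOP, Window scale, NOP, NOP, SACK-permitted, no timestamps: Windows-style order (assumed).
    return b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"


def parse_syn(pkt):
    """Pull the fingerprint-relevant fields out of one IPv4+TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    fp = {"src": ".".join(str(b) for b in pkt[12:16]), "ttl": pkt[8],
          "df": bool(pkt[6] & 0x40), "ipid": struct.unpack("!H", pkt[4:6])[0],
          "win": None, "mss": None, "wscale": None, "sack_ok": False, "tsval": None, "order": []}
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    fp["win"] = struct.unpack("!H", tcp[14:16])[0]
    opts, i = tcp[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP has no length byte
            fp["order"].append("N"); i += 1; continue
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2:
            fp["mss"] = struct.unpack("!H", data)[0]; fp["order"].append("M")
        elif kind == 3:
            fp["wscale"] = data[0]; fp["order"].append("W")
        elif kind == 4:
            fp["sack_ok"] = True; fp["order"].append("S")
        elif kind == 8:
            fp["tsval"] = struct.unpack("!II", data)[0]; fp["order"].append("T")
        else:
            fp["order"].append(str(kind))
        i += length
    return fp


def initial_ttl(ttl):
    """Round the observed TTL up to a common initial value. A NAT that rewrites
    in place decrements TTL once, so 63 still reads as a 64-family stack."""
    for guess in (32, 64, 128, 255):
        if ttl <= guess:
            return guess
    return 255


def signature(fp):
    """The per-strain signature: everything a stack sets the same way on every SYN."""
    return (initial_ttl(fp["ttl"]), fp["df"], fp["win"], fp["mss"], fp["wscale"],
            fp["sack_ok"], "".join(fp["order"]))


def cluster_count(values, tolerance):
    """Heuristic: counter values (TS clock or IP ID) farther apart than `tolerance`
    are taken to come from different hosts running the same strain."""
    count, prev = 0, None
    for v in sorted(values):
        if prev is None or v - prev > tolerance:
            count += 1
        prev = v
    return count


def analyze(pkts, tolerance=1000):
    """Per source address: number of distinct stack strains and estimated hosts."""
    by_src = defaultdict(lambda: defaultdict(list))
    for pkt in pkts:
        fp = parse_syn(pkt)
        counter = fp["tsval"] if fp["tsval"] is not None else fp["ipid"]
        by_src[fp["src"]][signature(fp)].append(counter)
    return {src: {"stacks": len(sigs),
                  "hosts": sum(cluster_count(v, tolerance) for v in sigs.values())}
            for src, sigs in by_src.items()}


# Constructed sample: one NAT address fronting four hosts of two strains, plus one lone host.
NAT, SOLO, DST = "203.0.113.7", "198.51.100.9", "192.0.2.80"
SAMPLE_SYNS = [
    build_syn(NAT, DST, 63, 0, 5840, 0x1111, linux_like_opts(1_000_100)),    # Linux-like host 1
    build_syn(NAT, DST, 63, 0, 5840, 0x2222, linux_like_opts(1_000_350)),    # same host, 250 ticks later
    build_syn(NAT, DST, 63, 0, 5840, 0x3333, linux_like_opts(88_800_000)),   # Linux-like host 2, other uptime
    build_syn(NAT, DST, 127, 1234, 8192, 0x4444, windows_like_opts()),       # Windows-like host 1
    build_syn(NAT, DST, 127, 1235, 8192, 0x5555, windows_like_opts()),       # same host, IP ID counter +1
    build_syn(NAT, DST, 127, 40000, 8192, 0x6666, windows_like_opts()),      # Windows-like host 2
    build_syn(SOLO, DST, 64, 777, 65535, 0x7777, linux_like_opts(5_000)),    # directly connected single host
]

if __name__ == "__main__":
    print(analyze(SAMPLE_SYNS))
```

The strain count is the robust part: option order, window and TTL family survive an in-place NAT unchanged. The host count is the fragile part: the fixed tolerance stands in for a per-source estimate of timestamp tick rate and elapsed time, hosts that randomize IP ID and omit timestamps cannot be split this way, and a NAT that proxies connections (as the message notes most do not) would erase all of it.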