Networking Forums


blocking traffic coming from a LAN

 
 
Tobias Skytte

 
      01-22-2004, 01:05 PM
Hi,

I have a server with dial-in clients and I suspect one dial-in client
of using his account to serve his whole LAN. Now the question is:

1) How do I detect if this is indeed going on?
2) How do I stop him from doing it without denying him access from a
single computer at a time.

The server is running rh with iptables as a firewall, in console mode
only. Any ideas would be greatly appreciated.

oh, I also have a third question, btw:

3) Should ISPs (morally speaking) limit their dial-in accounts to be
used from a single computer? or should they allow the usage of IP
sharing devices (as I am suspecting is happening) on normal cheap
dial-up accounts?

What do you think?

Best regards,
Tobias Skytte
 
 
 
 
 
Frank Winans

 
      01-22-2004, 02:57 PM
"Tobias Skytte" wrote
> Hi,
>
> I have a server with dial-in clients and I suspect one dial-in client
> of using his account to serve his whole LAN. Now the question is:
>
> 1) How do I detect if this is indeed going on?
> 2) How do I stop him from doing it without denying him access from a
> single computer at a time.
>
> The server is running rh with iptables as a firewall, in console mode
> only. Any ideas would be greatly appreciated.
>
> oh, I also have a third question, btw:
>
> 3) Should ISPs (morally speaking) limit their dial-in accounts to be
> used from a single computer? or should they allow the usage of IP
> sharing devices (as I am suspecting is happening) on normal cheap
> dial-up accounts?
>
> What do you think?
>
> Best regards,
> Tobias Skytte

I'd say the modem bottleneck keeps 'em from making excessive
demands on your service, no matter how many users at their end.
Your dial-in service must be pretty low-margin; it is a real headache
maintaining the phone/modems at your end, and even if you could
force all your clients to open multiple accounts for multiple users,
I'd almost say that should make you cry more than laugh. Most
likely tighter restraints would just make them dedicate one box and
line up to use that, not reduce their overall use.

In line with that, you'd sure hate to see them tie up your modem a
large number of hours per day; I do hope you've mentioned
near-24/7 penalties in your terms of service.

At the client end, I suspect various users would go through different
numbers of routers/whatever, and so you'd see the time to live {ttl}
count differ from one client to another when the packets hit your
modem. As far as proving multiuse, I'd say noticing several
concurrent dhcp or smtp connections, or long-term clustering of
connections to what turns out to be each user's home web site,
would be a hint.

If you've got a lot of subscribers, and just a few problem cases, you
could gradually degrade service on the multiuser cases, perhaps
preferentially on just those additional concurrent dhcp connections.
If their ping times are always great, and so is one of their browser
sessions at a time, they won't get much sympathy when they badmouth
you to their pals or the press, especially if this is an unannounced
and gradually instituted policy.
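
The TTL hint from the post above, as an added example that is not part of any post in this thread: it tallies the TTL values seen per source address and flags sources whose packets show more than one (initial TTL, hop count) signature. The two-line `tcpdump -n -v` record layout, the list of common initial TTLs, and all addresses are assumptions; the capture is constructed.

```python
import re
from collections import defaultdict

TTL = re.compile(r"\bttl (\d+)")
SRC = re.compile(r"\s+(\d+\.\d+\.\d+\.\d+)\.\d+ > ")
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumed typical OS defaults

def _pkt(src, ttl):
    # Constructed record in the assumed two-line `tcpdump -n -v` layout.
    return (f"13:01:02.000001 IP (tos 0x0, ttl {ttl}, id 1, offset 0, "
            f"flags [DF], proto TCP (6), length 48)\n"
            f"    {src}.1045 > 198.51.100.10.80: Flags [S], seq 1, length 0\n")

# Constructed capture: two dial-in clients with made-up addresses.
SAMPLE = "".join(_pkt(s, t) for s, t in [
    ("10.64.0.17", 127), ("10.64.0.17", 63), ("10.64.0.17", 127),
    ("10.64.0.17", 63), ("10.64.0.23", 128), ("10.64.0.23", 128),
    ("10.64.0.23", 64),
])

def initial_ttl(observed):
    """Smallest common initial TTL the packet could have started from."""
    return min(t for t in COMMON_INITIAL_TTLS if t >= observed)

def ttl_profile(text):
    """Map source IP -> {observed TTL: packet count}."""
    profile = defaultdict(lambda: defaultdict(int))
    pending = None
    for line in text.splitlines():
        if not line[:1].isspace():          # header line carries the TTL
            m = TTL.search(line)
            pending = int(m.group(1)) if m else None
        elif pending is not None:           # indented line carries addresses
            a = SRC.match(line)
            if a:
                profile[a.group(1)][pending] += 1
            pending = None
    return {ip: dict(ttls) for ip, ttls in profile.items()}

def suspects(profile, min_packets=2):
    """Sources showing more than one (initial TTL, hops away) signature."""
    flagged = {}
    for ip, ttls in profile.items():
        sigs = sorted({(initial_ttl(t), initial_ttl(t) - t)
                       for t, n in ttls.items() if n >= min_packets})
        if len(sigs) > 1:
            flagged[ip] = sigs
    return flagged

if __name__ == "__main__":
    print(suspects(ttl_profile(SAMPLE)))
```

The `min_packets` threshold keeps a single stray packet from flagging a client. One machine that boots several operating systems, or software that sets its own TTL, produces the same pattern, so the result is a hint to follow up rather than proof.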

 
 
Tobias Skytte

 
      01-23-2004, 05:34 AM
"Frank Winans" wrote:
> I'd say the modem bottleneck keeps 'em from making excessive
> demands on your service, no matter how many users at their end.
> Your dial-in service must be pretty low-margin; it is a real headache
> maintaining the phone/modems at your end, and even if you could
> force all your clients to open multiple accounts for multiple users,
> I'd almost say that should make you cry more than laugh. Most
> likely tighter restraints would just make them dedicate one box and
> line up to use that, not reduce their overall use.


We are using an expensive satellite link with little bandwidth and our
margins are also low, on top of that we are running an internet cafe
and the customer I am suspecting runs a rival internet cafe. I suspect
he may be using his account for access from his internet cafe. So
this case is particularly important. If it was just some company using
their LAN I probably wouldn't worry too much about it.

>
> In line with that, you'd sure hate to see them tie up your modem a
> large number of hours per day; I do hope you've mentioned


Yes, this is also a problem.

> near-24/7 penalties in your terms of service.


huh? should have thought of that one..... :-) it's going in now...

> At the client end, I suspect various users would go through different
> numbers of routers/whatever, and so you'd see the time to live {ttl}
> count differ from one client to another when the packets hit your
> modem. As far as proving multiuse, I'd say noticing several
> concurrent dhcp or smtp connections, or long-term clustering of
> connections to what turns out to be each user's home web site,
> would be a hint.


ok. In this case though I think it's mainly being used for web access.
I suppose I should be able to see traffic from different MAC addresses
coming from him? Or is there a better way?

> If you've got a lot of subscribers, and just a few problem cases, you
> could gradually degrade service on the multiuser cases, perhaps
> preferentially on just those additional concurrent dhcp connections.
> If their ping times are always great, and so is one of their browser
> sessions at a time, they won't get much sympathy when they badmouth
> you to their pals or the press, especially if this is an unannounced
> and gradually instituted policy.


What would be the best way to degrade service? (i.e. how?)

Thanks a lot.

Tobias Skytte
 
 
James Knott

 
      01-23-2004, 10:58 AM
Tobias Skytte wrote:

> We are using an expensive satellite link with little bandwidth and our
> margins are also low, on top of that we are running an internet cafe
> and the customer I am suspecting runs a rival internet cafe. I suspect
> he may be using his account for access from his internet cafe. So
> this case is particularly important. If it was just some company using
> their LAN I probably wouldn't worry too much about it.
>


Send someone into that cafe, to do a traceroute. That will show if they're
passing through your network. If they can't do a traceroute, arrange for
some known traffic on the network and watch for it.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
 
 