Networking Forums


Question: How can a cable provider tell if you have a router attached?

 
 
Ben E. Brady
Guest
Posts: n/a

 
      05-07-2004, 04:27 AM
I have a friend of mine who got a letter from Comcast telling him that a
recent survey of his account indicated he had more than one IP address
active on his connection and that if he was running a network on it they
were going to charge him more money... how can they tell if this is so
if the router supposedly insulates the network through the use of NAT.
He has a D-Link DI-614 Wi-Fi router.
--

Ben E. Brady
http://www.clariondeveloper.com/wepgen
FREE! Effectively manage your Wi-Fi network.
Change your WEP keys often!

http://www.clariondeveloper.com/webcloak
FREE! Encrypt email addresses on your web site!
Keep spam bots from sending you spam!

http://www.firewallreporting.com
Personal firewall log analysis tools for
ZoneAlarm, BlackICE, WinRoute Pro and Windows XP
Take stock of your firewall settings and take action against intruders.

http://www.videoprofessorscam.com
Don't get stung by this scam!



 
 
 
 
 
Paul Shirley
Guest
Posts: n/a

 
      05-07-2004, 09:24 AM
In message <(E-Mail Removed). com>, Ben
E. Brady <y2kbrady-no-(E-Mail Removed)> writes
>I have a friend of mine who got a letter from Comcast telling him that
>a recent survey of his account indicated he had more than one IP
>address active on his connection and that if he was running a network
>on it they were going to charge him more money... how can they tell if
>this is so if the router supposedly insulates the network through the
>use of NAT. He has a D-Link DI-614 Wi-Fi router.


Statistical analysis of the sequence numbers on IP packets can reveal
how many clients are hiding behind some NAT implementations, I don't
doubt there are other ways to guess as well. It is possible and not
particularly hard to do though I'm surprised anyone is actually
bothering, here in Britain I'm allowed 3 'devices' (not including
routers) simultaneously using my connection. I can use as many as I like
as long as it's not simultaneous.

Changing router probably won't help unless he can find one running BSD.

Another possibility is that his WIFI has been compromised and someone is
stealing enough bandwidth to alert Comcast and trigger a deeper
investigation.
--
Paul Shirley: email unwelcome, reply by news
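
One way to do the statistical analysis Paul Shirley describes, as an added example that is not part of the thread. It assumes the "sequence numbers" are the 16-bit IP Identification field, that each host increments its own counter per packet, and that the NAT leaves the field untouched; the sample values, `MAX_GAP` and `MIN_RUN` are constructed for illustration.

```python
# Constructed sample data: IP ID values in arrival order, as they might be seen
# on packets leaving one public address. Not taken from a real capture.
HOST_A = [100, 101, 103, 104, 107, 108]
HOST_B = [20000, 20002, 20003, 20005, 20006, 20009]
HOST_C = [65530, 65533, 65535, 1, 2, 5]          # counter wraps past 65535
INTERLEAVED = [v for trio in zip(HOST_A, HOST_B, HOST_C) for v in trio]
RANDOMISED = [4821, 60211, 17, 33902, 15008, 52777, 9120, 41055, 27640, 63001]

MAX_GAP = 64   # assumed: largest forward step still credited to the same counter
MIN_RUN = 4    # assumed: shorter runs are treated as noise, not as a host


def count_id_sequences(ip_ids, max_gap=MAX_GAP, min_run=MIN_RUN):
    """Estimate how many independent incrementing ID counters produced ip_ids."""
    runs = []  # each entry is [last_id_seen, packets_in_run]
    for ipid in ip_ids:
        best_gap, best_run = None, None
        for run in runs:
            gap = (ipid - run[0]) % 65536      # forward distance, wrap-aware
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best_gap, best_run = gap, run
        if best_run is None:
            runs.append([ipid, 1])             # nothing close enough: new run
        else:
            best_run[0] = ipid                 # extend the closest run
            best_run[1] += 1
    return sum(1 for _, length in runs if length >= min_run)


if __name__ == "__main__":
    print("interleaved counters:", count_id_sequences(INTERLEAVED))
    print("single counter:      ", count_id_sequences(HOST_A))
    print("randomised IDs:      ", count_id_sequences(RANDOMISED))
```

A source that randomises the field yields no run long enough to count, so the result is an inference about the traffic, not a measurement of the LAN.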
 
 
Duane Arnold
Guest
Posts: n/a

 
      05-07-2004, 09:53 AM
Ben E. Brady <y2kbrady-no-(E-Mail Removed)> wrote in
news:(E-Mail Removed) ews.com:

> I have a friend of mine who got a letter from Comcast telling him that a
> recent survey of his account indicated he had more than one IP address
> active on his connection and that if he was running a network on it they
> were going to charge him more money... how can they tell if this is so
> if the router supposedly insulates the network through the use of NAT.
> He has a D-Link DI-614 Wi-Fi router.


I know that if I don't tell the Linksys router to *clone* the NIC MAC of
the computer that was originally connected to the ISP's network, then any
additional machines connected to the router the ISP will detect.

When I clone the NIC's MAC into the router using the router's MAC Cloning
feature, then the ISP cannot detect any additional machines with their
NIC MACs using the single IP issued by the ISP for my account that was
provisioned for the original machine's NIC MAC.

I think I also read something one time way back when about the ISP(s)
wanting to install software on one's machine to *Better Serve you*, which
I would think could track what's happening as well.

Duane




 
 
AnToNio
Guest
Posts: n/a

 
      05-07-2004, 12:52 PM
Ben E. Brady <y2kbrady-no-(E-Mail Removed)> wrote:

> I have a friend of mine who got a letter from Comcast telling him that a
> recent survey of his account indicated he had more than one IP address
> active on his connection and that if he was running a network on it they
> were going to charge him more money... how can they tell if this is so
> if the router supposedly insulates the network through the use of NAT.
> He has a D-Link DI-614 Wi-Fi router.


In my opinion they cannot establish for certain that one has more than 1
PC hanging behind a router. Unless either you have installed software
from the provider or have not set up the router correctly.

So they are probably guessing because of the volume.


--
Greetings,

Antonio (For email, remove X)
 
 
Ron Bandes
Guest
Posts: n/a

 
      05-07-2004, 01:02 PM
The ISP is examining the MAC address of the port that is connected to the
cable modem. For your friend, that is his router's WAN port. A MAC address
is composed of two parts: an OUI (Organizationally Unique Identifier) which
indicates the manufacturer of the network adapter (port), and a serial
number. The OUI is assigned by the IEEE, and you can look up OUIs on the
IEEE web-site. One manufacturer may have many OUIs, but one OUI is never
shared between manufacturers. Usually the OUI will reveal the manufacturer
of the router, but technically it's the manufacturer of the network adapter
within the router, so it might not be the same.

Duane's trick of cloning the MAC address of his computer makes it look like
the router's WAN port was manufactured by Dell, Intel, 3Com, or some other
computer or Network Interface Card manufacturer. If the MAC's OUI reveals
Linksys, D-Link, Netgear, etc. then they suspect that you're using a router.
Since most router manufacturers also manufacture NICs for computers, you
could probably convince them that you have no router, but I like Duane's
trick.

I don't believe that if you don't clone the MAC address that the ISP can
actually "detect" your additional computers. I think that they're just
inferring the existence of these computers by their assumption that certain
OUIs probably indicate routers.

Every MAC address in the world is supposed to be unique. This is done by
issuing unique OUIs to manufacturers and relying on the manufacturer to
issue unique serial numbers to every NIC. There is a large, but finite,
number of serial numbers for each OUI. For this reason many manufacturers
have multiple OUIs assigned. It's possible that a manufacturer might use
one OUI for their router production line and another OUI for their NIC
production line. There is no requirement to do so, but it would make
management of the serial numbers easier. If the ISP caught on to this
pattern, they would be able to tell not only the manufacturer of the port,
but also which product line it came from. Then they would know reliably if
you were using a router.

Ron Bandes, CCNP, CTT+, etc.

"Duane Arnold" <(E-Mail Removed)> wrote in message
news:Xns94E231CEE2947notmenotmecoml@63.240.76.16.. .
> Ben E. Brady <y2kbrady-no-(E-Mail Removed)> wrote in
> news:(E-Mail Removed) ews.com:
>
> > I have a friend of mine who got a letter from Comcast telling him that a
> > recent survey of his account indicated he had more than one IP address
> > active on his connection and that if he was running a network on it they
> > were going to charge him more money... how can they tell if this is so
> > if the router supposedly insulates the network through the use of NAT.
> > He has a D-Link DI-614 Wi-Fi router.

>
> I know that if I don't tell the Linksys router to *clone* the NIC MAC of
> the computer that was originally connected to the ISP's network, then any
> additional machines connected to the router the ISP will detect.
>
> When I clone the NIC's MAC into the router using the routers MAC Cloning
> feature, then the ISP cannot detect any additional machines with their
> NIC MAC's using the single IP issued by the ISP for my account that was
> provisioned for the original machine's NIC MAC.
>
> I think I also read something one time way back when about the ISP(s)
> wanting to install software on one's machine to *Better Serve you*, which
> I would think could track what's happening as well.
>
> Duane
>
>
>
>
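
The OUI inference Ron Bandes describes in the post above, as an added example that is not part of the thread. The prefixes, vendor names and product lines in `SAMPLE_OUIS` are constructed placeholders, not entries from the IEEE registry, and `classify_wan_port` is a hypothetical helper.

```python
import re

# Constructed lookup table: placeholder prefixes and vendors for illustration.
SAMPLE_OUIS = {
    "00AA01": ("ExampleRouterCo", "router"),
    "00AA02": ("ExampleRouterCo", "nic"),
    "00BB01": ("ExamplePCVendor", "nic"),
}

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}")


def parse_mac(mac):
    """Split a 48-bit MAC address into its OUI and serial-number halves."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    hexstr = re.sub(r"[:-]", "", mac).upper()
    first_octet = int(hexstr[:2], 16)
    return {
        "oui": hexstr[:6],                      # first 3 octets: manufacturer
        "serial": hexstr[6:],                   # last 3 octets: per-adapter
        "multicast": bool(first_octet & 0x01),  # group bit
        "locally_administered": bool(first_octet & 0x02),  # not IEEE-assigned
    }


def classify_wan_port(mac, table=SAMPLE_OUIS):
    """Return what an observer could infer about the port from the OUI alone."""
    info = parse_mac(mac)
    if info["locally_administered"]:
        return "unknown (locally administered, no manufacturer OUI)"
    vendor, line = table.get(info["oui"], ("unregistered", "unknown"))
    return f"{vendor}/{line}"


if __name__ == "__main__":
    # Constructed addresses: a router's own WAN MAC, then the same router
    # presenting a MAC copied from a PC network adapter.
    print(classify_wan_port("00:AA:01:12:34:56"))
    print(classify_wan_port("00-BB-01-0A-0B-0C"))
```

The second call reports a PC adapter even though the port belongs to a router, which is why the OUI is only a supporting clue about what sits behind the modem.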



 
 
Ron Bandes
Guest
Posts: n/a

 
      05-07-2004, 01:12 PM
If your friend is using a router with NAT, then he is using only one global
IP address. Although he is using multiple private, local IP addresses on
the LAN, it is the nature of Port Address Translation (the flavor of NAT
actually used by Residential Gateway routers) to translate all the local
addresses to a single global address assigned to the router by the ISP's
DHCP server.

Most broadband ISPs don't care if you use a router, and they shouldn't. You
are consuming only one IP address from their pool of addresses. The only
possible objection to your running a network is the increased traffic. I
have two issues with that: first, a single computer constantly downloading
MP3s or whatever could easily cause as much traffic as a network of lower
usage computers; second, if their real problem is with the level of traffic,
then contractually regulate that directly.

I have the same problem with ISPs that prohibit customers from running
Internet-exposed servers. Don't tell me what content (as long as it's
legal) that I can transfer. If their real problem is with the level of
upload traffic, then contractually regulate that directly.

Ron Bandes, CCNP, CTT+, etc.

"Ben E. Brady" <y2kbrady-no-(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ews.com...
> I have a friend of mine who got a letter from Comcast telling him that a
> recent survey of his account indicated he had more than one IP address
> active on his connection and that if he was running a network on it they
> were going to charge him more money... how can they tell if this is so
> if the router supposedly insulates the network through the use of NAT.
> He has a D-Link DI-614 Wi-Fi router.
> --
>
> Ben E. Brady



 
 
Paul Shirley
Guest
Posts: n/a

 
      05-07-2004, 01:57 PM
In message <jNLmc.156739$(E-Mail Removed) >, Ron
Bandes <(E-Mail Removed)> writes
>Then they would know reliably if you were using a router.


Unless their TOC explicitly forbids routers it doesn't really matter if
they detect one, it's not evidence of multiple access, just a supporting
clue. I'd guess something else actually got their attention, most likely
a WiFi hijack and increased bandwidth use.
--
Paul Shirley: email unwelcome, reply by news
 
 
gary
Guest
Posts: n/a

 
      05-07-2004, 03:26 PM
As Paul Shirley mentioned, a statistical analysis could reveal a connection
pattern that indicates multiple hosts behind the NAT firewall. If any
broadcast IP traffic leaks out from individual hosts behind the firewall, it
could contain direct clues about the existence of multiple hosts. For
example, if DHCP discover packets make it through, they contain sender MAC
addresses that can be counted.

Ron Bandes suggests that they are or should be more concerned with overall
bandwidth consumption. I think that's actually the case. Time Warner, for
example, provides cable modems with an integrated wifi router. SBC provides
wifi/ADSL integrated modems. They use wifi availability as a sales point,
and therefore are acknowledging that they expect multiple clients behind the
router.

I don't use Comcast, so I don't know for sure, but I would be very surprised
if it was merely the existence of multiple hosts that concerns them. They
may think this person is reselling their service (acting as a neighborhood
ISP), which almost certainly violates the home-user service agreement. And,
if you routinely use large amounts of bandwidth, you get a nastygram.

"Ben E. Brady" <y2kbrady-no-(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ews.com...
> I have a friend of mine who got a letter from Comcast telling him that a
> recent survey of his account indicated he had more than one IP address
> active on his connection and that if he was running a network on it they
> were going to charge him more money... how can they tell if this is so
> if the router supposedly insulates the network through the use of NAT.
> He has a D-Link DI-614 Wi-Fi router.
> --
>
> Ben E. Brady



 
 
mhicaoidh
Guest
Posts: n/a

 
      05-07-2004, 03:33 PM
Taking a moment's reflection, Ron Bandes mused:
|
| if their real
| problem is with the level of traffic, then contractually regulate that
| directly.

You've raised the sticking point with me as well. Seems they advertise
these great transfer rates, and then get a little dodgy if you actually use
them to their full potential. For what I pay per month, I am granted 256
upstream and 3000 downstream data rates. I get extremely close to those
numbers in actual performance. However, if I were to have those rates
peaked all the time, how long would it take for my ISP to start crying foul?
My position: They advertised it, I bought it ... it's my prerogative to now
use it.


 
 
Ben E. Brady
Guest
Posts: n/a

 
      05-07-2004, 04:57 PM
In article <(E-Mail Removed). com>,
y2kbrady-no-(E-Mail Removed) says...
> I have a friend of mine who got a letter from Comcast telling him that a
> recent survey of his account indicated he had more than one IP address
> active on his connection and that if he was running a network on it they
> were going to charge him more money... how can they tell if this is so
> if the router supposedly insulates the network through the use of NAT.
> He has a D-Link DI-614 Wi-Fi router.
>

Thanks to all who posted the information.
My friend doesn't seem to be doing a whole lot in terms of his bandwidth
so I have to assume they are interrogating the OUI of the router (DLink)
and making the assumption that he's running a router. Comcast has a
'home networking' option for which they charge an additional $7.00 a
month.


--

Ben E. Brady



 
 
 
 