Hi all!
Does anybody knows how to prevent users(customers), sharing their internet connection? There is a solution for this, but I don't know it.
Thanks for your help!
Thanks for the fast answers.
Yes I mean that. So, the reason of this idea was that, there is a linux based os similar to MikroTik called Wnet Router Project. It can limit users, and prevent sharing their connection. It's a 100% working thing, but offcourse they don't realy want to share this knowledge. But I'm on it, and if I have some information I'll share it with you immedietaly.
Thanks again!
Yes I mean that. So, the reason of this idea was that, there is a linux based os similar to MikroTik called Wnet Router Project. It can limit users, and prevent sharing their connection. It's a 100% working thing, but offcourse they don't realy want to share this knowledge. But I'm on it, and if I have some information I'll share it with you immedietaly.
Thanks again!
-
-
Hugh Hartman
Frequent Visitor
- Posts: 92
- Joined:
- Location: Fort Kent, Maine
The simple answer is no--all a subscriber has to do is plug in another router using NAT and run off that.
The complex answer, would be to inspect the packet for the IPid field and see what IP is being translated..
Google : "A Technique for Counting NATted Hosts" there is a pdf file from columbia.edu
The complex answer, would be to inspect the packet for the IPid field and see what IP is being translated..
Google : "A Technique for Counting NATted Hosts" there is a pdf file from columbia.edu
I've just checked that documentation on counting natted hosts. According to this documentation, there's no way in mikrotik to prevent sharing the internet connection, exept the tricks you told me. (connection limits) Altough I'll try to contact the developer of the mentioned software, to tell me how they manged to limit this sharing.
Thanks again for the fast reactions.
Thanks again for the fast reactions.
Perhaps the first thing to address is, "What am I selling?" Bandwidth? Connections? Convenience? Annoyance?
Here in the U.S. we have approximately a fifth of the workers in our "healthcare industry" busily occupied with figuring out why people should --not-- get healthcare. It costs us "heathcare consumers" billions per year to --not-- get healthcare. Somehow the idea of prohibiting customers from running multiple hosts behind NAT reminds me of this.
Anyway, why not just throttle (strangle) the customer connection and leave it at that?
Here in the U.S. we have approximately a fifth of the workers in our "healthcare industry" busily occupied with figuring out why people should --not-- get healthcare. It costs us "heathcare consumers" billions per year to --not-- get healthcare. Somehow the idea of prohibiting customers from running multiple hosts behind NAT reminds me of this.
Anyway, why not just throttle (strangle) the customer connection and leave it at that?
The connection thing will definalty work. It will keep say, a home user from having 250 connections open, also works good for P2P apps.
Most people get from an ISP, "bandwidth". And they expect to get that regardless of what they are using it for. A good rule would be to put a connection limit on the single IP or MAC they are using, and then put a limit that a few people could use it.
I would get ticked if my DSL at home would slow down when I had 5 buddies over gamming on line! But, it is conceivable that 30-50 connections should never really be used by a home user. Even if I did have 5 buddies playing games online, 5 connections each is good. But what you want to stop is me putting an AP on my house and selling service or "GIVING" it to my neighbors, once you hit something like 10-20 users, that 30-50 connection limit will get hit more often.
Most people get from an ISP, "bandwidth". And they expect to get that regardless of what they are using it for. A good rule would be to put a connection limit on the single IP or MAC they are using, and then put a limit that a few people could use it.
I would get ticked if my DSL at home would slow down when I had 5 buddies over gamming on line! But, it is conceivable that 30-50 connections should never really be used by a home user. Even if I did have 5 buddies playing games online, 5 connections each is good. But what you want to stop is me putting an AP on my house and selling service or "GIVING" it to my neighbors, once you hit something like 10-20 users, that 30-50 connection limit will get hit more often.
Do not mess with ping times, it will for sure drive you to nowhere. Changeip`s TTL suggestion makes the most sence, i think.
NO, i don`t have the solution
I just think that it might work.
But at the end .... if you sell the bandwidth to the user, why are you care is it shared or not? It`s payed, isn`t it?
NO, i don`t have the solution
I just think that it might work.But at the end .... if you sell the bandwidth to the user, why are you care is it shared or not? It`s payed, isn`t it?
Read this entire thread to rehash what someone already started. I do not know if they were successful or not, but in theory it should work for most situations:
http://forum.mikrotik.com//viewtopic.ph ... hlight=ttl
Sam
http://forum.mikrotik.com//viewtopic.ph ... hlight=ttl
Sam
also initial tcp window sizes may say something.
but i got to take the opportunity to rant about my views on this.
many people limit ports and protocols but it's almost always attacking the problem from the wrong angle. alot of packets slowing down your network? the solution alot of people reach for is blocking or restricting that sort of traffic.
how many people actually know what they are doing?
inexperienced administrators aka 12'o clock flashers (you know, those people who can't even set the time on their microwave and dvd player, hence 12 o'clock flasher) tend to come to dramatic conclussions like. "I don't want people to ping anything because of XYZ and so i must block icmp". And they do, block all icmp, but ping (aka icmp echo) is just one of many functions that icmp performs. Often this criples their network but in ways they haven't forseen that in turn can cause this 12 o'clock flasher to come to yet another dramatic conclussion.
here is one; "ok! since my <obviously underpowered> access point is experiencing problems i'll limit the number of connections my customers can have, this will show those paying bastards!" and thus the 12 o'clock flasher limits the users to 30 or so connections each.
now this would impede your average peer2peer downloader but one must also remember that firewalls sometimes remember connections long after they are over.
the end user (often referred to as paying bastard) has been surfing a few hours, all cozy and snug under a blanket with a hot cup of chocolate and then b00m! ap thinks the paying bastard has reached limit and thus no more anything! bastard gets upset and spills his chocolate making him enraged, calls the 12 o'clock flasher at 2 in the morning and demands his service back on line.
12 o'clock flasher can, assuming he hasn't blocked icmp echo, easily ping the bastard so he concludes that it must work and the bastard is not only a bastard but also an idiot.
what the 12 o'clock flasher eventually will learn is that firewalls add latency and complexity resulting in what it is used to solve; a slow network.
in the world of networking, when a problem manifests itself, it is in 9 out 10 cases just side effects of a real problem.
but i got to take the opportunity to rant about my views on this.
many people limit ports and protocols but it's almost always attacking the problem from the wrong angle. alot of packets slowing down your network? the solution alot of people reach for is blocking or restricting that sort of traffic.
how many people actually know what they are doing?
inexperienced administrators aka 12'o clock flashers (you know, those people who can't even set the time on their microwave and dvd player, hence 12 o'clock flasher) tend to come to dramatic conclussions like. "I don't want people to ping anything because of XYZ and so i must block icmp". And they do, block all icmp, but ping (aka icmp echo) is just one of many functions that icmp performs. Often this criples their network but in ways they haven't forseen that in turn can cause this 12 o'clock flasher to come to yet another dramatic conclussion.
here is one; "ok! since my <obviously underpowered> access point is experiencing problems i'll limit the number of connections my customers can have, this will show those paying bastards!" and thus the 12 o'clock flasher limits the users to 30 or so connections each.
now this would impede your average peer2peer downloader but one must also remember that firewalls sometimes remember connections long after they are over.
the end user (often referred to as paying bastard) has been surfing a few hours, all cozy and snug under a blanket with a hot cup of chocolate and then b00m! ap thinks the paying bastard has reached limit and thus no more anything! bastard gets upset and spills his chocolate making him enraged, calls the 12 o'clock flasher at 2 in the morning and demands his service back on line.
12 o'clock flasher can, assuming he hasn't blocked icmp echo, easily ping the bastard so he concludes that it must work and the bastard is not only a bastard but also an idiot.
what the 12 o'clock flasher eventually will learn is that firewalls add latency and complexity resulting in what it is used to solve; a slow network.
in the world of networking, when a problem manifests itself, it is in 9 out 10 cases just side effects of a real problem.
Actually, it is possible. I have situation with my ISP that they somehow managed to partialy block traffic from users behind local routers. Users without routers can use connections without limits.i don't think that this is possible, because router does not know what happens behind a pc - in the customers local network.
This of course was not intentional, but something went wrong with their MT. We are trying to find out what is the problem but without a luck.
-
-
telephone29
just joined
- Posts: 24
- Joined:
how to work with TTL ?
> it was something about the TTL of the packets - the number for TTL
> change when the packet pass the router.
yes, this would be relatively easy way how to find "sharers". How can we use this in mikrotik? I didn't find anything in firewall nor mangle.
> change when the packet pass the router.
yes, this would be relatively easy way how to find "sharers". How can we use this in mikrotik? I didn't find anything in firewall nor mangle.
I can think of a way to detect if the PC is doing it but cannot think of a way how to actually block it and only allow the main pc to connect unless you block the whole thing...i don't think that this is possible, because router does not know what happens behind a pc - in the customers local network.
however not sure if it really works...
I know there is some java script command to read the user's local IP and gateway... so you must setup a redirect page that will load every once in a while that even can be hidden from the user (no text in the page) which and in that page you can check user's local IP and compare it with what it suppose to be if it is in private ip range like (10.x.x.x) or (192.168.x.x) or (178.x.x.x) then it will be block...
any idea what I'm saying is correct? I think it can be done with javascript and some script in the mikrotik without extra package...
-
-
telephone29
just joined
- Posts: 24
- Joined:
TTL ideas are easily beaten with MT/Linux. Sharerer just uses MT/other, turns on the certain functions and TTL is working and/or normalized as if he's not sharing.
If someone is haring his internet connection, browsers often send HTTP replies to servers that differ from PC to PC. Writing scripts/softs to run on a Linux gateway could detect such things.
But sharing an internet conenction shouldn't be prohibited. Does your water supplier company tell you: you shouldnt let your friends drink your water. You should't water the garden Outside your home, only if it's inside. That's lame.
What about those cases when a customer is splitting his conenction with his family in the next room? Prohibit those? No big ISP does this. ...
If someone is haring his internet connection, browsers often send HTTP replies to servers that differ from PC to PC. Writing scripts/softs to run on a Linux gateway could detect such things.
But sharing an internet conenction shouldn't be prohibited. Does your water supplier company tell you: you shouldnt let your friends drink your water. You should't water the garden Outside your home, only if it's inside. That's lame.
What about those cases when a customer is splitting his conenction with his family in the next room? Prohibit those? No big ISP does this. ...
No, but my water company does say that I cannot run a pipe to my neighbour's house so that they do not have to pay their water bill.But sharing an internet conenction shouldn't be prohibited. Does your water supplier company tell you: you shouldnt let your friends drink your water. You should't water the garden Outside your home, only if it's inside. That's lame.
All ISPs here in the UK prohibit use of the service outside the customers property same as the water company, the electric company, the gas company etc.What about those cases when a customer is splitting his conenction with his family in the next room? Prohibit those? No big ISP does this. ...
One particularly lame "big" cable ISP here used to require you to register a MAC address with them, one MAC address only. Big <> Clever
Of course but unless your solution learns to differentiate between two different users and one user using two computers, it would be doing something it shouldn't.No, but my water company does say that I cannot run a pipe to my neighbour's house so that they do not have to pay their water bill.
Of course, but they detect these scenarios when they notice higher than usual usage and send a guy out to investigate.All ISPs here in the UK prohibit use of the service outside the customers property same as the water company, the electric company, the gas company etc.
But that could easily be for different reasons than you think. It could be the modem, it could be for administrative purposes. They obviously knew that people could just get a router and overcome this. It might even be a requirement of the software in the cable modems or a an attempt to control DHCP access. DHCP is extremely vulnerable to DoS or dysfunctional software.One particularly lame "big" cable ISP here used to require you to register a MAC address with them, one MAC address only. Big <> Clever
My example is not universal sorry. Not very right too.No, but my water company does say that I cannot run a pipe to my neighbour's house so that they do not have to pay their water bill.But sharing an internet conenction shouldn't be prohibited. Does your water supplier company tell you: you shouldnt let your friends drink your water. You should't water the garden Outside your home, only if it's inside. That's lame.
....
The biggest telecom here - for normal internet service, just does not help the user share his connection and does not care what happenes after their modem. But will help the user if the user pays for that kind of service where it sais it's for multiple computers. How about that? It's cool IMO. We respect them for this.
If an ISP limits connection sharing or in some other way their connection is less than it should be, automatically they become hated and people want to do them harm.
Hey, don't piss off the customers right ? Keep'em happy.
My example is not universal sorry. Not very right too.No, but my water company does say that I cannot run a pipe to my neighbour's house so that they do not have to pay their water bill.But sharing an internet conenction shouldn't be prohibited. Does your water supplier company tell you: you shouldnt let your friends drink your water. You should't water the garden Outside your home, only if it's inside. That's lame.
....
The biggest telecom here - for normal internet service, just does not help the user share his connection and does not care what happenes after their modem. But will help the user if the user pays for that kind of service where it sais it's for multiple computers. How about that? It's cool IMO. We respect them for this.
If an ISP limits connection sharing or in some other way their connection is less than it should be, automatically they become hated and people want to do them harm.
Hey, don't piss off the customers right ? Keep'em happy.
I agree on part the dont piss customer off and I also believe that some customer trying to download the whole INTERNET so providing the dedicate bandwidth could cost more than 10 time compared to shared bandwidth and the customer is getting that space at one tenth of the price you must think lets block the sharing and blah blah... but querying is better option in my opinion...
what we have defined in our ISP is traffic-limited packages who will switch to unlimited package after for example 1 gigabytes of download... its exactly 10 dollar a month to get 4 MB connection for 1 gigabyte free
and for each extra 10MB customer download in addition we charge until he reaches 20 dollar and thats where he can have a option of 384 or even 512 (unlimited) bandwidth... this way we can maintain the same speed....
however you may go with flat rate of lets say 18 dollar for 1 or 2 mb of speed but in our way ppl who download more will pay more and ppl won't pay more unless they want more... its much better in speed and cost for ppl who doesn't want to download large files and just doing web browsing and email stuff or chatting and believe me its it doesn't matter if they share it within 100 pc or not ...
Last edited by Hellbound on Thu Mar 09, 2006 5:26 am, edited 1 time in total.
-
-
telephone29
just joined
- Posts: 24
- Joined:
connection sharing is quite often not allowed:
a) cable ISPs have legal conditions - on small cheap programs you can't share, on the most expensive ones you can. Many of them limit this possibility to one property as was said before = you can't legally share with your neighbor. They are loosing money (and we are ISPs = we are loosing money).
b) quite often we sell shared bandwidth : you pay for guaranteed 512/512 and get 1536/1536 as you belong to "three customer shared bandwidth". This way, sharing is definitely not wanted as one sharing customer can consume bandwidth for all three almost always and use his connection in a way it was not meant to be. This "shared bandwidth" is sold with intention to "give customers the possibility to use more bandwidth when needed" meaning several times a day when they want to quickly send/receive big files etc.
etc, etc.
okej, let's not discuss why should we detect sharing blablabla, but HOW TO DETECT SHARING. Somebody said that every Linux can "regenerate" TTL meaning that TTL will not be lowered and sharing will not be detected. Let me assure you nobody sharing his/her connection will think of this from the first moment on - and we are able to catch him. Also, many simple routers/proxies sold these days do not have the possibility of manipulating TTL.
Once again, don't discuss why sharing should be/shouldn't be. I am pretty much interested in HOW sharing could be detected in Mikrotik using TTL stuff. I didn't find anything like this in firewall, mangling etc.
a) cable ISPs have legal conditions - on small cheap programs you can't share, on the most expensive ones you can. Many of them limit this possibility to one property as was said before = you can't legally share with your neighbor. They are loosing money (and we are ISPs = we are loosing money).
b) quite often we sell shared bandwidth : you pay for guaranteed 512/512 and get 1536/1536 as you belong to "three customer shared bandwidth". This way, sharing is definitely not wanted as one sharing customer can consume bandwidth for all three almost always and use his connection in a way it was not meant to be. This "shared bandwidth" is sold with intention to "give customers the possibility to use more bandwidth when needed" meaning several times a day when they want to quickly send/receive big files etc.
etc, etc.
okej, let's not discuss why should we detect sharing blablabla, but HOW TO DETECT SHARING. Somebody said that every Linux can "regenerate" TTL meaning that TTL will not be lowered and sharing will not be detected. Let me assure you nobody sharing his/her connection will think of this from the first moment on - and we are able to catch him. Also, many simple routers/proxies sold these days do not have the possibility of manipulating TTL.
Once again, don't discuss why sharing should be/shouldn't be. I am pretty much interested in HOW sharing could be detected in Mikrotik using TTL stuff. I didn't find anything like this in firewall, mangling etc.
Your "business" plans are your "business" plans.okej, let's not discuss why should we detect sharing blablabla, but HOW TO DETECT SHARING. Somebody said that every Linux can "regenerate" TTL meaning that TTL will not be lowered and sharing will not be detected. Let me assure you nobody sharing his/her connection will think of this from the first moment on - and we are able to catch him. Also, many simple routers/proxies sold these days do not have the possibility of manipulating TTL.
Once again, don't discuss why sharing should be/shouldn't be. I am pretty much interested in HOW sharing could be detected in Mikrotik using TTL stuff. I didn't find anything like this in firewall, mangling etc.
Regarding the technical standpoint: You can't do this without also having _alot_ of false positives. You won't get <<proof>> of them doing that. But you might get a hint in some of the cases. Many cheap broadband firewalls automatically do TTL adjustment to compensate for win95/win98/winme, which would have been your only real point of detection. This also causes them to be looptraps, but hey, they're cheap firewalls often made by people who actually do not build networks!
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
One solution to this is to bill the user based on usage and not give them unlimited transfer. This puts the onus on the user to secure their local network or face paying for those rogue users who are leeching bandwidth.
It would also mitigate problems with virus and worm traffic, as users would now be paying for the traffic their machines generate it might make them more likely to keep their virus definitions up to date.
Anyway that's just my 2 cents.
It would also mitigate problems with virus and worm traffic, as users would now be paying for the traffic their machines generate it might make them more likely to keep their virus definitions up to date.
Anyway that's just my 2 cents.
Nice one indeed, specially with neither solution nor suggestion!!!
What's your POINT????
How do you solve???
Reset your units when they hang????
Rather one client drop than many!!!
Just think of this:
I have recieved denial of service attacks even on port 53 ie DNS
How do you solve that except by limiting the number of connections?? Block it???? I don't think so!!! Leave the attack till it stops????
Anyway, no offense intended.
Cheers.
What's your POINT????
How do you solve???
Reset your units when they hang????
Rather one client drop than many!!!
Just think of this:
I have recieved denial of service attacks even on port 53 ie DNS
How do you solve that except by limiting the number of connections?? Block it???? I don't think so!!! Leave the attack till it stops????
Anyway, no offense intended.
Cheers.
This is right what we are doing. Users have to "prepay" the wished ammount of data to download. We DO NOT charge for upload. It is free at all, to allow users to use P2P software. 0.5% user DO upload much, much more that they download, but hey.... overall bandwidth consumption is always much higher id download than upload. So, who cares...One solution to this is to bill the user based on usage and not give them unlimited transfer.
We also have "real unlimited" monthly packages, but they are pretty highly priced, and only heavy 24h downloaders have the calculation to pay for it.
On this way, ppl who use internet only for surf/email/chat do not have to pay more thay they really use. At the other hand, we do not have to care about who is sharing his connection, and who is not.
Plus, 2 or more neighbours in the same building can share the cost of wifi equipment used to connect to our network, share it with switch and connect simultaneously with different PPPoE connections. Everybodys connection is accounted separately, and PAYED separately.
So, the point is not to limit users from sharing their connection. I hardly imagine that it is even possible. The router has no clue what is going on behind the PC that is connected to your network. The point is to change your business plan
-
-
fivenetwork
newbie
- Posts: 45
- Joined:
My 2 Bits ....
Attack this issue from all sides so that we have a acceptable situation until a better solution comes on ...
1: Limit number of connections ..
Has the pleasant effect of auto-governing p2p. But the optimal limit will have to found that works for each bandwidth plan subscribed to. So methinks we will have to have different limits for different bandwidth packages.
Can we supply this too as a RADIUS attribute at the time of authentication? If possible then we can continue to think on these lines else IMHO we are barking up the wrong tree.
2. Shift responsibility onto USER.
Ideal solutionas we indirectly/directly help create a responsible,educated user. Bwahahahahahahahahahahaha. Sorry the thought of a responsible,educated user just made me realise that then I would be out of a job!
Seriously ... what we have done is for users demanding unlimited usage ... we have created special packs. The daytime usage is restricted to X MB and their night usage is unrestrcited. This works bigtime.
Thats it from me now.
Attack this issue from all sides so that we have a acceptable situation until a better solution comes on ...
1: Limit number of connections ..
Has the pleasant effect of auto-governing p2p. But the optimal limit will have to found that works for each bandwidth plan subscribed to. So methinks we will have to have different limits for different bandwidth packages.
Can we supply this too as a RADIUS attribute at the time of authentication? If possible then we can continue to think on these lines else IMHO we are barking up the wrong tree.
2. Shift responsibility onto USER.
Ideal solutionas we indirectly/directly help create a responsible,educated user. Bwahahahahahahahahahahaha. Sorry the thought of a responsible,educated user just made me realise that then I would be out of a job!
Seriously ... what we have done is for users demanding unlimited usage ... we have created special packs. The daytime usage is restricted to X MB and their night usage is unrestrcited. This works bigtime.
Thats it from me now.
-
-
telephone29
just joined
- Posts: 24
- Joined:
I feel you are not based on competitive markets - in my country, nobody would even think about placing download/upload ratios, prepaid VOLUME of megabytes/gigabytes etc. Company like this would not exist for two months here.
so, I decided to abandon following this thread with "no solution is and will be here". BTW, what we did is we are going to sniffer traffic for some minutes at random intervals throughout a day, save it to file and inspect this file with automated tools. In twenty minutes, we are able to find out standard values for TTL coming from Windows and he are just trying to watch values different than this values. Bit of manual work is involved.
so, I decided to abandon following this thread with "no solution is and will be here". BTW, what we did is we are going to sniffer traffic for some minutes at random intervals throughout a day, save it to file and inspect this file with automated tools. In twenty minutes, we are able to find out standard values for TTL coming from Windows and he are just trying to watch values different than this values. Bit of manual work is involved.
So what about mac (osx and pre osx), linux, openbsd, netbsd, ancient windows versions?I feel you are not based on competitive markets - in my country, nobody would even think about placing download/upload ratios, prepaid VOLUME of megabytes/gigabytes etc. Company like this would not exist for two months here.
so, I decided to abandon following this thread with "no solution is and will be here". BTW, what we did is we are going to sniffer traffic for some minutes at random intervals throughout a day, save it to file and inspect this file with automated tools. In twenty minutes, we are able to find out standard values for TTL coming from Windows and he are just trying to watch values different than this values. Bit of manual work is involved.
Who is online
Users browsing this forum: Google [Bot], MauriceW and 145 guests