Status
Not open for further replies.
I don't remember where I got this from

For all you wondering how they can tell:
All IP packets have something called a TTL associated with them. It stands for Time To Live. Every "hop" along the network from one router to the next reduces the TTL by one. When it reaches 0, the packet is dropped. This was introduced to keep routing problems from overloading the network. If for example, by some error a packet was going around in a circular path, the TTL would eventually reach 0 and prevent a packet storm.
The thing is, ALL routing devices do this. OSes use standard TTLs. For example, let's say both your iPhone and laptop use 127 for the TTL. AT&T will receive packets from your iPhone with a TTL of 127, but since the packets from your laptop pass through your iPhone first, they arrive at AT&T with a TTL of 126. They can detect a tethered device this way.
Apple uses a TTL of 64 for the iPhone, by the way. So change the TTL on your computer to "65" and there should be no problem. Here's how to do it:
1. Click Start - Search and type “regedit”. This launches the Windows Registry.
2. In the registry, navigate to the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
3. In the right pane, right-click and select New – DWORD (32-bit value) and set its name as “DefaultTTL” and set its value anything between “0” and “255”. The value sets the number of hops or links the packet traverses before being discarded.
Kudos to Ryan Laster1. I don't have an iPhone to test this.
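
Added example, not part of the original post: the TTL check described above, seen from the network operator's side, reading the 8-bit TTL from raw IPv4 headers and reporting subscribers whose packets imply an extra hop. The function names, addresses and packets are constructed, and it assumes the observation point sees the handset's own packets at TTL 64 (the value the post gives).

```python
import socket
import struct
from collections import defaultdict

COMMON_INITIAL_TTLS = (64, 128, 255)  # common OS defaults (assumption)

def make_header(src: str, ttl: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                       socket.inet_aton(src), socket.inet_aton("192.0.2.1"))

def parse_src_ttl(packet: bytes):
    """Return (source address, TTL); TTL is the single byte at offset 8."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return socket.inet_ntoa(packet[12:16]), packet[8]

def infer_initial_ttl(observed: int) -> int:
    """Smallest common initial TTL that is >= the observed value."""
    return next(t for t in COMMON_INITIAL_TTLS if observed <= t)

def ttl_report(packets, handset_ttl=64):
    """Per source: TTLs seen, and the extra hops implied by any TTL that
    is not the handset's own. One weak signal, not proof of tethering."""
    seen = defaultdict(set)
    for pkt in packets:
        src, ttl = parse_src_ttl(pkt)
        seen[src].add(ttl)
    report = {}
    for src, ttls in seen.items():
        extra = {t: infer_initial_ttl(t) - t
                 for t in sorted(ttls) if t != handset_ttl}
        report[src] = {"ttls": sorted(ttls), "extra_hops": extra,
                       "flag": bool(extra)}
    return report

# Constructed sample: 10.0.0.5 sends only handset traffic; 10.0.0.9 also
# forwards packets that started at TTL 64 and 128 one hop further away.
SAMPLE = [
    make_header("10.0.0.5", 64),
    make_header("10.0.0.5", 64),
    make_header("10.0.0.9", 64),
    make_header("10.0.0.9", 63),
    make_header("10.0.0.9", 127),
]

if __name__ == "__main__":
    for src, row in ttl_report(SAMPLE).items():
        print(src, row)
```
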
 
I don't remember where I got this from

Would not suggest this at all. Screwing with the registry will only screw up the entire computer on Windows. Also, DWORD is an Assembly lingo word. Stands for Double Word or rather 32-bit value like a register EAX, EBX, ECX and on....

Messing wrongly with a register value will definitely screw something up.
 
I start the first theory.

Theory:
The way they are most likely doing this and the way most carriers do it is using some deep packet inspection kit or maybe even a transparent proxy. They can look for browsing traffic on port 80 then simply pick out any users where the user agent string is that of a computer OS so Windows|Mac|Linux.

Countermeasure (CM):
Two options to get around it are:
1. either change your browser's UA to that of the iPhone, although this will often give you mobile sites, or 2. better still, send everything down a VPN; that way it's encrypted and they can't see what you're doing, just how many bytes :) High VPN usage shouldn't be odd either, as the iPhone has a VPN client so you could feasibly be using that.
This was posted by Sammachin, who used to work for a carrier

If your theory is correct then it's safe to assume that tethering to iPads/iPods should be relatively safe. I'm hoping it is :p
 
Would not suggest this at all. Screwing with the registry will only screw up the entire computer on Windows. Also, DWORD is an Assembly lingo word. Stands for Double Word or rather 32-bit value like a register EAX, EBX, ECX and on....

This is a very harmless registry entry, it won't screw much up besides, MAYBE your internet connection.

FYI Windows only assigns a DWORD (and it is 32bits although words on a 32 bit machine are typically 32 bits in length making a DWORD 64 bits; but I digress) to the registry value but only uses the lower 8 bits; anything above 255 is invalid. IPV4 packet header only supports values from 0 to 255 because it is an 8 bit field. IPV6 doesn't have a TTL field but it does have HOP Count and that is also only 8 bits.
 
A couple of hours ago I was tethering at my aunt's house (she doesn't have internet), using MiFi to do my homework, and used 7.9MB down and 1.8MB up and have not gotten any dubious text msg about tethering, now like I have stated b/f I use my tethering in exigent circumstances and I try not to abuse it.

My overall internet usage last month was 2.8GB on "unlimited" data, in contrast to those 20+GB users, I think I'm within that safe 95% margin....right.
 
This is a very harmless registry entry, it won't screw much up besides, MAYBE your internet connection.

FYI Windows only assigns a DWORD (and it is 32bits although words on a 32 bit machine are typically 32 bits in length making a DWORD 64 bits; but I digress) to the registry value but only uses the lower 8 bits; anything above 255 is invalid. IPV4 packet header only supports values from 0 to 255 because it is an 8 bit field. IPV6 doesn't have a TTL field but it does have HOP Count and that is also only 8 bits.

Wao in English please LOL
 
A couple of hours ago I was tethering at my aunt's house (she doesn't have internet), using MiFi to do my homework, and used 7.9MB down and 1.8MB up and have not gotten any dubious text msg about tethering, now like I have stated b/f I use my tethering in exigent circumstances and I try not to abuse it.

My overall internet usage last month was 2.8GB on "unlimited" data, in contrast to those 20+GB users, I think I'm within that safe 95% margin....right.

You should be fine ... hardly anything AT&T would be worried about.

it seems it is the 20+GB hogs they will be targeting. :cool:
 
How does a router know it is routing?

Seriously it is probably not too hard for them to identify the rerouting of traffic outside the phone, and it is probably not trivial to hide it from them, so good luck.

People have a lot of weird ideas and scenarios, but it is likely not any of those convoluted things. A phone doesn't just mystically and magically route traffic from one interface to another. It has to actively do it. It is pretty easy to identify that.

By the way, tethering without the tethering plan is theft of service. I don't think MacRumors condones the forums be used for breaking the law, but I am not sure.
 
all these tight wads need to get off their high horse. Oh no YOU don't think I should be tethering? Good for you I don't care what you think.

Do you really believe coming into this thread voicing your opinion is gonna stop me just because you think I shouldn't be doing it?

lol get real people....buncha drama queens here
 
People have a lot of weird ideas and scenarios, but it is likely not any of those convoluted things. A phone doesn't just mystically and magically route traffic from one interface to another. It has to actively do it. It is pretty easy to identify that.

It depends on how much packet inspection is being done and if the phone is routing through a NAT (odds are it does). About the only way to shield the traffic is to completely encrypt it and run it via a tunnel the phone normally supports (VPN).

The problem is that if you want to have a carrier handle your traffic, you have to expose some information about what type of traffic it is that you want them to carry. It can't be completely blind to the traffic and the destination. As a postal worker, if they wanted to, they can glean quite a bit from the mail without ever opening the mail, just knowing the address it is being sent to.

Much like if I see a piece of mail to certain addresses, I can tell what is inside, I can do the same with internet traffic only knowing the destination IP and port number. There are certain connections that will only be made from a computer, rather than a smartphone. For example, I won't be connecting to a Battle.net game server from an iPhone (the IP address and port don't match what would happen when I launch Blizzard's iPhone apps).

And you don't use any one technique, you mix it up. You use TTL, packet destinations, the type of data spikes generated by the user, etc to build a profile and sort of fingerprint. The fingerprint of usage from a tethered user will be different from one that isn't. Some of this is information that you can control (such as the TTL or how much inspection the carrier can perform), but some of it you can't.
 
It depends on how much packet inspection is being done and if the phone is routing through a NAT (odds are it does). About the only way to shield the traffic is to completely encrypt it and run it via a tunnel the phone normally supports (VPN).


Not odds. Your packets are NATed. Hence the 10.*.*.* IP address you get from both AT&T and Verizon. All your traffic on AT&T and Verizon happens over their super secret network where they can do anything they want. Given that the world "ran out" of IP addresses not too long ago, this is probably a pretty standard practice no matter where you are.

Encryption doesn't even make a difference here. Your packets are still sent via very plain and very jane packets. There is a huge difference between being able to read the contents of a packet, and being able to trace the source and destination of the packet. Don't confuse the two. One day, IPV6 should change this.

VPN or encrypted tunnel or not, all your packets are belong to your ISP.
 
Not odds. Your packets are NATed. Hence the 10.*.*.* IP address you get from both AT&T and Verizon. All your traffic on AT&T and Verizon happens over their super secret network where they can do anything they want. Given that the world "ran out" of IP addresses not too long ago, this is probably a pretty standard practice no matter where you are.

Encryption doesn't even make a difference here. Your packets are still sent via very plain and very jane packets. There is a huge difference between being able to read the contents of a packet, and being able to trace the source and destination of the packet. Don't confuse the two. One day, IPV6 should change this.

VPN or encrypted tunnel or not, all your packets are belong to your ISP.

You seem to be missing the points I was trying to make. Yes, AT&T/Verizon will put you on a NAT, but that doesn't tell them if you are tethering. The mobile hotspot likely works through a NAT of some kind (USB may be different, and I'm not familiar with the bluetooth protocol used for tethering here), which means the iPhone itself is a NAT. Someone earlier in the thread pointed out the TTL issues there. If OS X or Windows uses a TTL of 64 normally, your TTL at certain hops will be one lower than expected (or higher, even). You can adjust the TTL on desktop systems, but not an iPad or other closed device that you haven't cracked the security on. That TTL will be a dead give-away that a NAT is running on the phone, and that you are running devices behind it.

And you seem to miss that I say that to shield it, you need to encrypt and tunnel it. This is a fairly important distinction. If I use a VPN or SSH tunnel, the ISP doesn't get the destination of the final packet, they get the VPN/SSH endpoint (the real destination is included in the encrypted packet). Although using something like SSH with tons of data is a fingerprint someone can use to figure out that you are likely tethering. Something like Tor is even more of a dead giveaway due to the lack of a client on the iPhone.

The whole point I was trying to make is that the ISP can gather quite a bit of information on the packets themselves without actually inspecting the data (even if you use encryption at the protocol layer).
 
Would not suggest this at all. Screwing with the registry will only screw up the entire computer on Windows. Also, DWORD is an Assembly lingo word. Stands for Double Word or rather 32-bit value like a register EAX, EBX, ECX and on....

Messing wrongly with a register value will definitely screw something up.

You clearly don't have any idea what you're talking about.

The registry in Windows has absolutely, positively, nothing to do with the physical registers in the CPU.

The values are for purposes of length only.
 
What it boils down to is:

If your carrier really wants to know whether you are tethering or not, then you won't be able to stop them unless you write some kind of remote desktop proxy app for your phone that pulls the data up on the phone first and then passes it on to a tethered device.

The easiest way is to check what traffic is being pulled down. If it isn't a web port or a streaming port, then that is a huge indicator that something might be going on.

Even if it is web traffic, then user agent strings or other packet inspection give a pretty good indication.

Sux!
 
Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2 like Mac OS X; en) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C134 Safari/6533.18.5)

So, if AT&T can easily figure out who exactly is tethering (not just based on excessive usage), then why can't they figure out a way to block tethering from devices/users that don't carry the tethering plan?

My money says they are just bluffing and are basing their accusations on usage.
 
Messing wrongly with a register value will definitely screw something up.

Registry, not register. It's just a bunch of parameters, like in an OSX plist.

Messing wrongly with the wrong parameter on any OS can screw something up.

However, adding or modifying optional values like this one, is an easy and safe thing to try out, and to later switch back if it doesn't work.
 
Look at these people who are saying they are so right about tethering with their unlimited plans. No, you are not. You are stealing. People think they are so smart and can get away with everything. This is why this country is dying. No, you cannot cheat the system forever. Stealing is stealing.
 
Do the right thing or change carriers to a cheaper plan (before AT&T changes their plans). Stealing is stealing, totally agree.

Is the frustration really worth $600 a year the access would cost you legitimately?
 
Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2 like Mac OS X; en) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C134 Safari/6533.18.5)

So, if AT&T can easily figure out who exactly is tethering (not just based on excessive usage), then why can't they figure out a way to block tethering from devices/users that don't carry the tethering plan?

My money says they are just bluffing and are basing their accusations on usage.

The problem is that this sort of detection takes time and effort. You can't block something until you can build up a usage profile that matches someone tethering versus someone who doesn't. And the techniques available will generate false positives and false negatives from time to time. It is actually better in this case to detect and warn, than immediately block, which would be a bigger problem in the case of a false positive.

Plus, how do you detect what traffic should be blocked vs passed when not all of it will be tethered and only some of it sticks out as an indicator?
 