Alternate title: Why do you keep telling me I have a virus when my Internet quits working?
Home routers are technically not really routers at all – they are network address translation (NAT) boxes. So what is NAT and why do I care?
NAT was developed to conserve address space. Consumer routers use it because it conserves address space, is easy to configure, and provides some firewall protection to the computers.
How NAT works is pretty simple. The router (what we are going to call the NAT box) has an outside and an inside interface. The ‘outside’ is the side connected to the Internet. The ‘inside’ is the side connected to the computers in your house.
For demonstration purposes let’s have 2 computers that we call “A” and “B” in the house.
When computer A connects to a site on the Internet the router makes an entry in the NAT table that says “computer A is talking to Google”. Computer B wants to connect to Yahoo. The router makes an entry in its NAT table to remember that B is talking to Yahoo. So far so good. When responses come back from Google the router knows that “Google” traffic goes to computer A and that “Yahoo” traffic goes to computer B. The router now has 2 entries in its NAT table – one for computer A to Google and one for computer B to Yahoo. Computer A now goes to a different site – this adds another entry in the NAT table.
So – each new connection from a computer to a site on the Internet uses up one slot in the NAT table (actually it uses several as web pages are composed of multiple images, text, advertising, etc.). Most consumer routers have NAT tables that can hold a few thousand entries. How does the router decide when to discard the NAT table entries? If the connection between the computer and the site is terminated cleanly (the TCP protocol has a way to do this) the entries are removed from the NAT table. Entries that are not cleanly terminated (and some protocols do not have a method to indicate they are done transferring data) are eventually timed out of the table. Many routers will also start discarding the oldest entries if the NAT table is full or close to full.
So what happens when the NAT table is full? The router no longer has a place to store information required to process the data coming back from the Internet. The computer will not be able to establish a connection and the connection will time out. Since web sites are actually composed of many items, when the NAT table is nearly full parts of the page may load while the remainder loads slowly or not at all. Some routers (that don’t expire entries when the NAT table is nearly full) will appear to lock up at this point and need to be rebooted. Others will reboot spontaneously or recover if the computers are shut off.
So why would a NAT table be full? The most common reasons a NAT table is full (or overloaded) are that the computers are trying to talk to too many sites and/or the connections are not being properly terminated (and therefore not being removed from the NAT table). What kinds of software try to talk to large numbers of computers on the Internet? Peer-to-Peer file sharing and Viruses. Let’s take each one separately.
Peer-to-Peer networks are programs that enable you to share files from your computer with others on the Internet who would like to download them. This is most commonly used for (illegally, but that’s another matter) downloading music and video files from others. The Wikipedia page has a good description of how peer-to-peer networks work. Depending on the configuration of the peer-to-peer software the program may not limit the number of computers it is sharing files with and/or may not limit the amount of bandwidth being used. All of the programs we have seen have options for limiting the number of concurrent connections and the amount of bandwidth. We suggest setting those as low as possible if you are having lockup issues.
Viruses: Pretty much by definition viruses try to propagate themselves by attacking other computers. Once a computer has been taken over by a virus or other malware it is impossible to say what it is going to do – but they often try establishing so many connections that they quickly overload the NAT table.
So what is Amplex looking at when I call in? Amplex also uses NAT in our customer premise equipment (CPE). The NAT table in our equipment is limited to 4096 entries. When a customer calls in with a connection issue one of the first things we check is to see if the NAT table in the CPE is full. If it is and the customer says they are not running file sharing we are going to assume it is a virus issue. If you are running file sharing we are going to suggest turning it off or adjusting its settings.
When we tell you we are seeing signs of virus activity it is not that we are looking at your computer or even seeing the specific traffic. We are seeing the large number of entries in the NAT table of the CPE.
How does an end user figure out which computer is causing the problem? It can be difficult as viruses do their best to hide themselves. Easiest is usually to try turning off one computer at a time and see if the problem goes away. Keep in mind more than one computer may be infected.
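The table behaviour described above (one slot per connection, removal on clean close, timeout, oldest-entry eviction at the 4096-entry limit) as a small simulation, together with the per-computer entry count that points at the offending machine. This is an added example, not Amplex's CPE software; the class and function names, the 300-second timeout and the traffic are assumptions constructed for illustration.

```python
from collections import Counter, OrderedDict


class NatTable:
    """Toy NAT table keyed by (inside host, inside port, remote host, remote port)."""

    def __init__(self, capacity=4096, idle_timeout=300):
        self.capacity = capacity          # 4096 is the CPE limit quoted in the article
        self.idle_timeout = idle_timeout  # assumed value, in seconds
        self.entries = OrderedDict()      # key -> time last seen, oldest first
        self.evicted = 0                  # entries discarded because the table was full

    def open(self, key, now):
        """A new (or refreshed) connection takes one slot."""
        self.expire(now)
        if key not in self.entries and len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # table full: discard the oldest entry
            self.evicted += 1
        self.entries[key] = now
        self.entries.move_to_end(key)

    def close(self, key):
        """Clean termination (the TCP close handshake) frees the slot at once."""
        self.entries.pop(key, None)

    def expire(self, now):
        """Time out entries that were never cleanly closed."""
        while self.entries:
            key, seen = next(iter(self.entries.items()))
            if now - seen < self.idle_timeout:
                break
            del self.entries[key]

    def per_host(self):
        """Entries held by each inside computer."""
        return Counter(key[0] for key in self.entries)


def simulate():
    """Constructed traffic: A opens and cleanly closes; B opens and never closes."""
    table = NatTable()
    for t in range(5000):
        now = t * 0.01
        a = ("A", 40000 + t % 1000, "203.0.113.10", 443)
        table.open(a, now)
        table.close(a)
        table.open(("B", 1024 + t, f"198.51.100.{t % 250}", 80), now)
    return table
```

Calling `simulate().per_host()` shows computer B holding every slot in the table, even though computer A made just as many connections.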
But but but.. we don’t want Amplex to do NAT. I want to have a transparent connection to the Internet! Ok – no problem, just let us know. You will need to understand how to set a static IP address on your router. Please research how to do that before contacting us and we will happily disable NAT on our CPE.