Domain: packeteer.com
Stories and comments across the archive that link to packeteer.com.
Comments · 49
-
Packeteer iShaper
I have been looking at this product for a similar situation I am in: http://www.packeteer.com/products/ishaper/
Basically it is a WAFS box, with WAN traffic shaping, caching, etc, plus it acts as a Domain Controller, print server, authentication, dns/dhcp, etc.
If it works like they say it will it would be a good solution for you based on the problem description. Basically it is a server, plus WAFS, without being a server...
I wonder if anyone here has some hands on experience they could share?
-
Re:So where's the SlowTCP?
Particularly when you only want to take the remaining bandwidth and not impact users.
There is Packeteer, but most people can't afford them.
-
Re:I wonder what level they are blocking?
At the university I attended, P2P file sharing was blocked using Packeteer. Which essentially scanned every packet to/from the Internet and cross referenced them with a list of known P2P protocol packets. It was highly effective. That was until some enterprising students set up SSL tunnels to remote machines. The reason that the university cited for blocking P2P was of course bandwidth utilization, but as I remember there was an issue where the University holds some liability for students who violate copyright laws by downloading pirated content. However I am not familiar with the laws regarding this. Overall, P2P file sharing was tolerated on the internal network as long as it wasn't obvious. Meaning that anonymous FTP servers with 100GB of movies would attract attention. However setting up an FTP server with a password that was given out to friends went by unnoticed.
-
Re:Yes and no
Further information: as is only sane, Normal users where I work don't have admin accounts with which to install software. We also run Packeteer http://www.packeteer.com/ to throttle down P2P applications. Packeteer will throttle down P2P packets even if they're disguised as Web packets.
This way even if they're installed, when they run on our network they're prevented from hogging bandwidth.
-
Re:If...
MAC's are spoofable.
They can always shape the traffic they see, that's about it.
When they see ssh sessions passing they can block them if they use something like Packeteer, layer 7 filter or other traffic shaping solutions.
Fuck, my 3rd post in the last year(s), my average is going up again ;)
-
a quality of service (QOS) device can fix this
Check out Packeteer or some other QOS company. Those devices can show you what is going over your network and block or limit the unwanted traffic while protecting the business oriented applications. You can also find out who is playing games and surfing all day
-
Re:it'd be nice
I would think that changing the port of the tracker to 80 or 21 would make a lot of difference for most ISPs, lest they be running PacketShaper or an equivalent.
Unfortunately, a lot of ISPs block inbound communications on port 80 and other significant (#1024) ports outright to keep people from hosting their own servers off of their connections.
-
Re:Why? They can't change the default port?
Yup, that was the product and we even knew its IP. But there was nothing we could do about it. http://www.packeteer.com/prod-sol/products/packetshaper.cfm Evil product if I ever saw one.
-
Re:Coupled with a pay per view model...
-
Re:well...
-
Re:Thanks!
You did not mention what type of school/school system/ district you are in... but it may not be possible since MANY schools/school districts are using traffic shaping software like Packeteer's PacketShaper to make sure that their ample bandwidth is not abused.
You may also want to remember that in many cases the bandwidth is there, but not for "full use"; example... One location I know of has multiple 45mb pipes from multiple providers. The pipes each can handle the full rate at 45mbs, but they are only guaranteed ~19mbs for the "base price"; any peak use above that is charged at higher rates. Currently with the packeteer device and tight controls they are peaking at ~30mbs during the extremely heavy usage times. Imagine what it would be if they had no controls at all.....
You may only be using 128kb/s for an hour a day, but if like many schools and school systems, you connect to the district's central network, which then connects the school to the internet, calculate the amount of aggregate bandwidth that 20 students from YOUR school would use; then multiply that by the number of schools in your district....
-
Re:hopefully not a stupid question...
Many universities are already implementing packet shaping at the router-level. They want to protect their bandwidth from abuse by p2p apps that are mostly used to transport illicit content. They use filters like Packeteer. I'm curious if the encryption can trick these types of filters.
-
Re:bittorrent....
Unfortunately, most campuses use Packeteer or other packet-shaping devices to analyze the packets to determine the traffic type in order to throttle bandwidth-hogging applications rather than blocking ports explicitly. While port-changing tricks may have worked in the past, even the most incompetent administrator can set up one of these, and no matter how many ports you try, you're not getting around it.
-
Re:Prior art?
They were probably using packeteer. For fun\profit port scan your res-halls network; you can usually find it pretty easily.
-
Re:You could just...
This happened where I went to school at least once...pulled the network down for a while (days, not a week). Of course, this was right around the time where we had almost an entire semester of 'net access that could be clocked in bytes -- my downloads typically ran at under 512 bytes/sec and of course it took like 10 minutes to load a single web page. The next semester they had Packetshaper installed (but didn't get all the kinks worked out of it for a while...).
Then there was the time my newly installed Linux box was sending its anacron logs to root@the-university.org rather than root@localhost. Apparently three guys in suits came to my room (while I was out), looked at my computer set up (two desktops and a laptop, along with the appropriate networking gear), and left a message for me to call them -- my roommates were pretty shook up by it.
-
Packeteer
Have you tried Packeteer? Many educational institutions use it to shape and manage traffic. They also have a help page describing how to control instant messaging including MSN.
-
Re:This will be nice
Mmm... But a small Cisco router or firewall can't do advanced packetshaping.
Not even the large ones can do really advanced shaping.
You'll need specialised boxes that *aren't* routers or firewalls at all but only do packetshaping.
They're usually totally transparent to the network, except that they shape the traffic.
The best product I know in this field is the Packeteer Packetshaper, but there might be other products that are as good or even better out there...
-
Re:This will be nice
Cisco-like functionality is old hat. Cisco doesn't do any traffic classification this sophisticated. This is along the lines of what Packeteer does.
-
Re:spam?
At the College Where I work, We have 2 T1's Generating about 3MB/s bandwidth.
Before we got a Packeteer to throttle p2p bandwidth Roughly 2MB's were dedicated to Kazaa alone. The rest of the bandwidth, 1MB's was everything else, Including other p2p apps that may have gotten through the firewall. After The Packeteer, we average about 1-1.5MB's Total including p2p apps where before we would saturate the 3MB's.
60% seems about accurate to me. Also if a Network Admin Reading this wants to throttle p2p Bandwidth I'd suggest looking into a packeteer. It's saved us a ton of money vs a new T1 line.
-
observations
Just a couple unrelated observations:
* This is nothing new in WA. Around 2000 we were shopping for an apartment in Issaquah, WA. There was a small ISP providing fibre-to-the curb service for comparable prices, with no bandwidth limits in a planned community. I cannot recall the community's name nor the ISP name, but for those who are in the area, take exit 17 on I-90, Northbound on SE Front St, Right on Issaquah-Fall City Rd., then take the first right (Black Nugget Rd.). Follow it all the way to the end and there it is.
* Without a doubt, the amount of bandwidth available for Internet-bound traffic is not going to be 100Mbps. But assuming they don't do QoS at the port level, having that kind of bandwidth to the curb will at least speed up P2P and gaming traffic within your neighborhood. You may also achieve better performance for certain applications than traditional DSL and cable services if the provider were to do QoS at the edge with something like this.
-
Hire an expert
Basically we're looking at 512kb/s [in both] directions
For the prices you will pay for 512kb/s, you can afford to hire an engineer who has done this before for less than your first month's bill. If you have so little clue "being the solo IT pleb here" you have to ask /., then your company is going to be in for some very nasty surprises. A company with only one IT guy doesn't have the budget for what the satcomms companies will propose, 512k with both/several ground stations, maintenance contracts, SLAs, installation, training, commissioning, licensing, etc.
Others have pointed out the technical problems you will face, TCP slow start vs. transaction mode, TCP windows, TCP/UDP/ICMP timeouts. Those technical problems are small compared to the administrative, billing, negotiation and regulatory problems you must deal with. Find an expert, pay them what they are worth, and avoid being screwed by the satcomms companies. It will be worth it, even in the short term.
Packeteer was working on specialised satellite gear, but I don't see anything on their web page. Ask them, their boxes work great for tweaking long latency and high congestion links. Somehow you will have to tweak the machines on both sides of the link, either at the router level or each machine's TCP stack. Consider not allowing "interactive" traffic, especially not web browsing, or putting some severe restrictions on which web sites the lusers can view.
the AC
-
Re:It can be slowed down...
Even more interesting than doing something so painful as slowing down all ports:
Basically, this technology allows you to cap or switch off traffic categorised by packet signatures. We've just implemented two of them at the university I work at, and the moment our network engineer enabled it, you could search on kazaa, but downloads would simply fail to connect. Other P2P services were equally successfully blocked.
Of course, there are plenty of HTTP tunnels out there which provide an effective means of bypassing such a system...it will be interesting to see if the P2P networks themselves start to look at encryption layers and such technologies to bypass devices like this one.
-
Traffic Shaping
Instead of complaining to your campus IT folks about how this smacks of censorship, suggest ways they might get around the issue on the technical front. Here (Marshall University) we do traffic shaping on our internet connection, limiting P2P and game traffic during the day to something like 10% of our available bandwidth, and when 5 pm rolls around, the limits come off, and it's essentially a free-for-all.
The product we use is the Packeteer Packetshaper. AFAIK (I'm not in the telecom area), this allows us to shape our traffic and place higher priority on "legitimate" traffic during the day. I have no idea what the pricing is on this beast (expensive, I think), but it has allowed us to continue to allow all traffic without resorting to more draconian methods.
-
Re:What other schools and students have done (both
Unfortunately, the PacketShaper is a little smarter than this... it doesn't solely rely on ports to identify traffic. It actually analyzes the stream data as it passes through the system, and recognizes the individual P2P protocols in use (among hundreds of other specific traffic types and sub-types). Some P2P protocols are quite crafty and send their data over a seemingly innocent HTTP stream... but the PacketShaper catches those too...
;)
Actually, there are a lot of universities across North America that run PacketShapers for the very purpose of controlling P2P traffic. I work for Packeteer, and universities/schools have been an important customer since P2P networks blossomed...
-
We do that too
My university [Kutztown University (Pa, USA)] has done this for about a semester. Bandwidth was a huge issue here before that; it was so slow that half of all web pages timed out. It was literally a 10-15 minute process to simply get to a hotmail or yahoo inbox - not to mention getting the mail. Using outlook express took 5-10 minutes to check mail. Other web sites and network programs like AIM were just as slow. The blame was placed on the p2p apps being run.
The university implemented a hardware device made by packeteer called PacketShaper which seems to be doing the trick because we've got our decently-fast connection back (I usually get about 150k downloads, slightly faster uploads but I rarely upload anything).
This is (in our case, and looks like in the article too since they mention packetShaper) a physical device that sits between the outside world and the inside world. It does slow p2p applications down - a lot.
-
Device
Packetshaper Actual Device.
-
Packet Shaper
I work at my school's IT department and we use packet shaper which limits all P2P programs to 5% of the total bandwidth of the school.
When napster first came out, it took up more than 85% of the total bandwidth. That meant people trying to do searches in the library weren't able to do so in a timely manner. This way, everything works, and people are still happy (because happy students == more tuition). It just means that you can't get instant gratification. You actually have to wait for your songs to download overnight. And movies/pr0n? They turn into a week-long wait.
I am very happy with what the school did with its P2P apps, even though I live off campus.
:P~Mike
-
Packeteer
Not an Apache based solution, but check out Packeteer Packetshapers..specifically the ISP models.. lets you set SLA's by protocol, IP, etc, perform rate limiting, and all other kinds of really cool stuff. Not exactly cheap but extremely effective, and simple to manage.
-
Some Traffic Shaping Solutions:
You might want to have a look at the following projects:
Traffic Control - Next Generation
GTC - A Graphical frontend the Linux kernel Traffic Control
And, yes, those are all Linux solutions, but that's simply because that's all I found available without paying 20.000 dollars.
-
This sounds like "traffic shaping", done badly
From the complaints ("I can get one search through, and then it slows down"), this sounds like one of those "traffic shaping" systems has been inserted in the data path somewhere. Maybe a bandwidth limit has been imposed for Kazaa traffic.
Packeteer can do things like this to traffic. See their management-level Flash presentations. It's a quality-of-service system, with a "lousy service" option. There are other vendors; I have no idea whether RoadRunner uses Packeteer, but there's a good chance that they have something comparable.
-
P2P at Schools
I'm in a similar position regarding P2P software. What we did was install a Packet Shaper between our router and our network (It's a 1U box that sits in our rack). It lets us reserve bandwidth and set priorities of what services (so even if Kazaa and Audiogalaxy is able to use all of the available bandwidth, the packet shaper starts dropping packets for that service). We group all the P2p services together, throttle down the outbound bandwidth for p2p (don't want to pay for bandwidth that my users aren't using), set http as top priority and let them (teachers and students alike) share as much as they want. From the user point of view, the program is very slow. We do get some complaints, but when we explain (and demonstrate) that when the filter is off, then the web stops working (and show some handy charts showing what is using the internet connection) most users understand (even the 15 year olds trying to download LOTR)
-
An easy commercial option
If you want an easy solution try Packeteer's Packet shaper. At my work we use one of these because the company likes everything to be supported, with nice overpriced training courses....(hey I got a week working in the city while on the course, made a change from the 'burbs...)
It manages traffic through a web (or command line), supports partitions and policies on classes created from just about anything you can think of. Easy to change on the fly for when someone in IT needs to download some ISOs in a hurry...
Watch out for it sending clear text passwords - perhaps its worst problems are it's a bit sluggish on the web interface, and it does not support a secure authentication method. You can, however, create a policy that will limit access to its web and telnet interface to particular workstations, which helps a bit...
-
Re:CAnet3
Where is the largest repository of music, movies, warez, and porn? University networks!
Same with CS servers etc. (I get a "local" ping time to many sitting on .edu networks).
We see the majority of security attacks originate from college campuses. Melissa/ILOVEYOU originated from a college (albeit overseas), and nimda hit college campuses heavily because the largest and least secured netbios networks can be found on college campuses too. At the same time we also dealt with distributed fserv trojans that prefer university networks due to the high bandwidth allocations that we typically own. The minimum pipe spec'd for I2 is 155mbps, and usually you get the connection from your upstream ISP cooperating with the local I2 consortium. Same set of lines; the routing changes at the ATM or peering point. It is typically 10ms out to that, and then you either route through I1 or I2.
A good half of the hosts on p2p networks are college student dorm room machines. Any packets between .edus will preferentially route through I2, so there is actually going to be a substantial number of "those napster type progies". Hence, we have traffic shaping applied to restrict p2p traffic during day down to 1k/s. :) We use Packeteer technology to achieve this across our whole wan.
-
Commercial or just for research?
Is this a project for which your company is hoping to generate revenue from? Or is this "we have too much free time and money in our budget and should spend it here"
;)
Either way I'd suggest you look at the 'competition' -- surely you would glean a lot of very useful information from the whitepapers of people like Packeteer Corp
Or if you don't have the bazillion dollars to buy their products, try a really nifty software only solution from the folks at Emerging Technologies -- their bandwidth manager is really pretty cool -- we use it to control our co-location client traffic.
Ultimately, any kind of traffic shaping you do is really about Quality of Service (QoS) issues.
-
Packetshaper, QOS works
These two products do wonders for bandwidth hogs, QOS Works by Sitara also has a built in HTTP cache. Packeteer's Packetshaper does the same thing (without the cache). Initially you simply plug them into your LAN and they monitor the types of traffic for a while then provide you with charts and graphs. You choose what types of traffic to give how much bandwidth. If some new hog shows up you find out pretty quickly and can limit it easily. Really slick products. Can be costly though.
-
Dubious comics
The Belfry's a niche index. Hell, it's a sub-niche index, as online comics are a niche, and The Belfry only really caters to a niche subset of those. It was always targeted at a relatively small audience. :-)
In any case, as The Belfry is an index, a lot of comics linked from it are dubious at best. Sturgeon's Law prevails. There are some gems in there, though.
I don't know the fellow who submitted the link to slashdot. It was a total surprise to me. Thank goodness for our PacketShaper, though.
-
Re:i've got an idea...
I'm the one who runs the Belfry comics index. I'm not the one who submitted this story. I was happy with my obscure thousand visitors a day. Honestly, if it weren't for our PacketShaper this slashdotting would have caused us an annoying denial of services. Still, it is amusing.
-
Re:How Much Bandwidth Stylesheets Can Save You...
It's mod_gzip from Remote Communications. You can also get dedicated hardware to manage compression from Packeteer.
-
my school
My school uses a packet shaper and firewall combination. The firewall stops all incoming traffic that didn't originate from inside the firewall. Ie, I can connect to outside, but outside cannot connect in. So therefore, since I work for an ISP outside of campus, I can't get into my freebsd box to get any personal work done, while not in my dorm room (yes they block all non-originating traffic in from everything but the dorms). So therefore, Code Red would have had no effect to dorm room students, unless someone got infected on purpose. I will propose putting a limit on people, like a Gig a day or something so people won't run pr0n sites (the reason the firewall was put up).
-
Re:more haiku
Well the less net users story might turn out to be more significant than the AOL story. People are already receiving a net experience they choose to do without.
Congratulations, humanity! A big collective "No!" at some subconscious cultural level. It is quite re-assuring, really :)
We [/.ers] can have a cleaner net experience if we want to, because we know how to. But no one's making much money from us either.
More bandwidth to share between us, eh? I hear there isn't a shortage of bandwidth really these days, just a shortage of people using it. Last week the company I work for decided to reduce its international ATM link by 50%. Smarter use of what we have by using easy to use and adjust QOS systems QOS, and a saving monthly of A$20,000 per month.
RG
-
Packeteer
check out www.packeteer.com.
Very very cool box for bandwidth management...
-
Just the solution you need......
Trying to put a cap on usage... i.e. X megabytes per week and you will cut access is a losing proposition from a game theory point of view.
There will always be the student who decides that the response to this is to download as much as possible before you cut access.
Or the student who thinks it would be really cool to push the usage over the limit so you cut everyone's access off.
Your best answer by far is to use a QoS aware firewall which can control the bandwidth used based on a policy you set.
There are a number of companies who make them, and one of them, Packeteer, even has a page devoted to exactly your problem.
You might want to check it out at http://www.packeteer.com/wintherace/
-
Packeteer
Not cheap, but very effective:
http://www.packeteer.com
-
Chicken Little never had it so good
If you read the article, the security company Packeteer wasn't about blocking access to Napster or Gnutella, it was about freeing up bandwidth because the two have an uncanny ability to be pigs about it. This is unfair for the other users who also need that bandwidth to do work, research or whatever. The main complaint was that Napster and Gnutella were making the network unusable because they took up all the bandwidth. On the other hand Palisade Systems had made a product to block them out completely. Could this be the end of the net? No, I don't think so and it doesn't help to run around screaming that the sky is falling either. The companies that offer the most options are going to be the winners in this game. People are too vocal for the worst to happen. I'm for a device that keeps Napster or Gnutella from hogging all the bandwidth. It's more fair to everyone. As far as a full cut off. That's going to be up to the isp to do that and basically they'll just suffer when people won't sign up because they can't do what they want.
-
Re:Legitimate use in controlling private networks
As mattdm pointed out in an early post, it's "the imminent death of the internet" :-) slashtroll style.
All the article talks about is bandwidth shaping by products like Packeteer, who make a cool little box. I regularly put in packeteer boxes to shape bandwidth so legitimate customers get what they pay for, and the bandwidth hogs are throttled back to reasonable rates. Although the box can be configured as a firewall, it really shines in packet shaping. I can easily configure it to choke every flow from every user, then open up bigger pipes for legitimate applications. The whingey napster users still can DL their metallica, but it takes them longer than going out to buy the CD :-)
The university mentioned in the article is doing just that, limiting napster without breaking it, which would have the students screaming at them for censorship.
The tricks swb mentioned, like domainjacking, makes it tough for the (l)users to break your network, and gives the appearance of complying with corporate legal contracts. But the open nature of the internet still allows determined intelligent users to continue using the internet. Domainjacking is easily defeated by users who either stuff their own hosts file with the address of napster, or run yet another DNS server which ignores the 'jacked one, or tunnel around the firewall block.
the AC
-
Routers
As already mentioned, cable modems are typically set up on a shared network. The cable companies usually have 500+ houses/connections hooked up to one node. These connections all share the same bandwidth. Different cable modems have different capabilities, but to keep users from hogging up bandwidth the cable companies use various technologies to control the bandwidth to each user on the system (packet shaping). You may just want to ask if you can purchase a higher quality of service. Having said that... I used to work at an ISP with multiple T1s. Through the life of the ISP, there were multiple ways we load balanced. One way is to use the OSPF and select equal preference for the different interfaces out (the cable modems) and it will round robin packets through them. I suppose you could try to set up OSPF on a linux box using Zebra. You could look into the packet shaping abilities of Linux. Search for packet shaper on freshmeat. Or you could buy a commercial product like the Packeteer.
-
www.packeteer.com
check out www.packeteer.com. This will do what you need it to do, although it's not free/cheap.