Working With The Bandwidth Problem?
macdaddy asks: "Being a Network Admin in a small university, I have to fight the Napster issue every day. I don't want to ban it, but we only have 1 T1 and it maxes out around 10AM when the dormites wake up, and finally teeters off around 4AM when they go to bed. That really hinders legitimate use. My question: how does a Netadmin work with Napster and its users to keep from blocking it while still being able to use our lowly T1 for other purposes? What options are there? Proxies? Firewalls? Traffic shapers?" This problem is not just about Napster. There will be other services that, due to their popularity, will stress your network's bandwidth to the limit. It seems to me that establishing network controls would be more fair than completely filtering out the entire service, so what's the best way to implement them?
The Gnutella idea, at first, seems like a good one. Unfortunately, there's one catch to it:
as soon as one person connects to a host/client outside of your LAN (remember, the gnutella network does NOT have a central authority), your precious internalization goes down the drain. Firewalling Gnutella ports would, in essence, be just as bad as what you're trying to avoid (firewalling napster).
Perhaps the simplest way around this would be to write some custom 'internal use only' gnutella-ish program. The simplest solution might just be to use a slightly modified gnutella client that uses a different range of ports and filters out IPs not on your subnet.
Hrmm... I have been looking for a project to do for my Software Engineering class, and this would be a great project... if you're interested, email me (by Sunday night) and maybe we can work something out... =)
my sig's at the bottom of the page.
There are a number of possible solutions, and I'll mention some of them.
- Firewalling napster ports. This is just the start of an arms race. You block one port, clients move to another port, repeat until bored.
- Using proxies, so that nothing can be done without using such a proxy. Not an ideal situation, and you make any server a student wants to run inaccessible, where such a server could be very useful and nice (hey, slashdot started on a student account :)
- Traffic measurements per IP. Using IP accounting you can find out quite fast who abuses the network. Set a policy in advance (no 'fair use' blabla, a 'more than 768 megabytes Internet traffic in one week and your connection is dead' or whatever number works best). Have that policy be accepted as school policy by the people in charge. It's not your rule (those pesky network admins at it again), it's the school rule for using the school's resources.
- Traffic shaping. Allocate an amount of bandwidth to the dorms, maybe allocate a larger amount after hours. Maybe allocate bandwidth per IP. (Can perfectly be combined with the previous one.)
Remember one thing and don't be afraid to repeat it: The school is not an ISP and is therefore not obliged to give its students Internet access. Internet access is an aide to your studies. If you need more Internet access than that, get your own access and be prepared to pay for it. Success, and good luck, and I hope you find a way to keep your student network users as friends so you can do your work a lot easier.
Have you tried actually talking to the "Dormites?" Quite honestly, they may not be aware of the detrimental effect their MP3 heyday is having on the net connection. Use a dorm mailing list or your school newspaper or something to communicate the problem to students and then hold a 1 or 2 session open forum in a public place like the library or something. Invite all Napster users and any other interested party to come and talk about *friendly* ways to remedy the problem. I can vow to you this: those "Dormites" would much rather coexist than have *zero* Napster access, even if it meant self-control, et cetera. You mention that if nothing is done you will have no option but to disallow it and you'll have a good number of people show up. I've often found that when people are shown that 1. They are causing a problem and 2. You want to work *with* them to solve the problem, you will get 100x better results than pulling some staff management type thing. I hope this helps and if you don't mind keep me updated by email how it goes.
Regards
Trying to put a cap on usage, i.e. X megabytes per week and you will cut access, is a losing proposition from a game theory point of view.
There will always be the student who decides that the response to this is to download as much as possible before you cut access.
Or the student who thinks it would be really cool to push the usage over the limit so you cut everyone's access off.
Your best answer by far is to use a QoS aware firewall which can control the bandwidth used based on a policy you set.
There are a number of companies who make them, and one of them, Packeteer, even has a page devoted to exactly your problem.
You might want to check it out at http://www.packeteer.com/wintherace/
-jon
I've heard reports of some tiny schools setting up a few napster terminals in public places. The students who absolutely *must* have the newest Madonna album can go to that terminal, download it, then move it to their PCs over the LAN. Block Napster access for all other nodes on the network.
Obviously, this is far from ideal for the vast majority of colleges. But if you're not that large, it might work better than it would seem at first glance. I wish you well.
We are currently evaluating bandwidth devices for our WAN. I am trying to purchase Packeteer Packetshapers (www.packeteer.com). They are the only device that can manage bandwidth at layer 7. In other words, it doesn't matter how Napster port hops, the Packetshaper is able to recognize Napster activity by matching it to a signature database (like IDS or anti-virus), and then throttle the connection per a pre-set rule. This is the same for Real Audio, IRC, etc. Other tools are really only able to handle up to the IP and port, which is useless if the app port hops...
This is what I would try and do....
Shut off the Napster ports during business hours. Simple as that, from about 8am-6pm. Send out a blanket e-mail to the student body that the network *has* to be open for legitimate use during those hours. Also make it clear that after 6pm Napster and other traffic will flow freely; you're not attempting to censor anyone's rights or anything, and you have a real problem that you have to solve.
You're probably in the position where you have to do *something* right?
Blech. Signatures.
One thing that I've wondered about these napster bandwidth issues -- is it possible to direct traffic within your network instead of through the internet?
The napster users should be on your side for this, as it would be faster for them also. Of course, they may be able to saturate that network also.
Could you hold a dorm meeting and convince everyone to get a napster user name with the same prefix or suffix, and prefer those names when selecting who to download from? It would be kind of like a distributed web proxy cache for the music -- check first to see if someone already pulled it through the T1, and if not, get it from the internet but make it available from your machine so it doesn't have to come through again.
Would gnutella do this automatically? Could you get some dorm techie in each dorm to set up his machine in the manner of www.gnute.com, so that those people without systems that have a gnutella client could connect to it? The napster and gnutella clients I have used on linux don't seem to allow uploads from my machine; this was a while ago, but of course you would need clients that worked in both directions for everybody.
The Visual Networks device, I believe, is a CSU/DSU, router, and this filtering logic all in one. It's got pretty good remote management features as well.
This is the mistake that is always made. You can take any OS or just about any network device and do some kind of QOS with ports and IPs. However, that is completely useless if the application can disguise itself as something else. If Napster can be configured to use port 80, you will give it just as much bandwidth as you do normal web browsing. My point was that Packeteer has a huge database of application signatures that can deal with this issue and, yes, they put effort into doing this so that they can make money. Even if you put enormous effort yourself into figuring out how to throttle Napster now, what are you going to do about Gnutella, or AIM, or whatever is the next bandwidth hog that comes out next year? Fb
The problem is that given ANY size pipe, all users will very quickly eat up all you can give them and scream for more. You need to have the ability to separate traffic and users into groups (I like doing VLAN subnets personally), and then you can apply a Quality of Service system. Many users need good bandwidth, others don't. And this is not a "my computing is more important than yours" thing. Video, audio, mainframe-based TCP/IP, or (god forbid) bridged 802.2 SNA traffic: if you don't have a good response time (big pipe), sessions just drop. Users are forced to start over, video becomes very painful if not useless, and soon you have users who cannot do anything at all besides get very, very angry. But things like Email, FTP, and Web are less sensitive about time issues. No one likes slow downloads, but these users can often still work under very high traffic. QOS is a very useful tool; with it you can have the students and the Administration fight it out for who should have more of the pipe and who should pay for it. You can force the issue of getting a bigger pipe. No one wants to pay for a bigger pipe and have it eaten up by the other side. With QOS you can ensure them that they will get what they pay for and not have it eaten up by everyone else. Everyone gets the bandwidth when it is open, but the folks footing the bill (which can be the students themselves, not just the Administration) get it when they need it. No, I don't sell QOS systems; I'm just a Network Engineer who has been there, at a university and now at a corporation.
Just a thought....
Malk-a-mite
I'll second that post.
Packeteer is what you want if you don't have a big, expensive Cisco router in place. Their bandwidth shaping technology is some of the best around, and they have tutorials on how to use their purple boxes to limit napster without killing it, very important with dorms full of screaming kids.
If you are lucky enough to have a big, expensive Cisco router (not likely on just a T1), then you can play around with QoS, and set up different queues and filters to limit napster traffic. Cisco has a tutorial as well; you should poke around on their site for it.
the AC
...was back in 1991, when we didn't have such things as the WWW and Napster. What we did have was MUDs and IRC. And to be fair, the admins tried to block access by several means. Which we circumvented in a matter of minutes every time, of course.
In the end, we solved everything by reaching some middle ground peacefully. Students and admin can settle on an agreement, and 95% of the time the students will respect whatever they agree on.
Extremely offtopic: the quote at the bottom of this discussion's page, "Lisp, Lisp, Lisp Machine, Lisp Machine is Fun. Lisp, Lisp, Lisp Machine, Fun for everyone", is supposed to be sung to the tune of "Row your boat"?
Don't put the limit on the main router. Firewall off the dorms, and limit that traffic. OK, so the students can't run their own servers, but that's why the Uni offers shell accounts to everyone, right? Then, when they complain, tell them that if they can get all the Dormites to shell out the cash for another T-1, you'll devote it entirely to the dorms :).
You know, a friend of a friend just recently got a job at a small KS school where he ran into the same problem. I'll have to ask Dave if he knows how his friend solved it. :)
-Matthead
Next, turn on the QOS features of your router. If you can, classify your traffic and drop it in a queue. Use WRR to prioritize what is important.
Utilize cache servers to help stretch your bandwidth and improve performance. Some people are able to get 30-50% hit rates on WWW, which means up to 30-50% more bandwidth depending upon what your original traffic patterns look like.
Educate your users about the impact their non-essential activities are having. Set up guidelines such as amount of traffic being used, hours of use, etc. Make sure you monitor it and enforce it. For example, try to block all napster traffic during the day and allow it only nights and weekends. Use RMON or flow accounting to see who your top talkers are and maybe send them an e-mail.
Most of these policies are going to need some nice pieces of hardware. Look at perhaps getting a traffic shaper, such as Packeteer, or a nice switch router, such as Riverstone Networks. Make sure as you turn on features and implement policies you don't inadvertently affect your router's performance.
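The per-IP accounting this post and the earlier weekly-quota proposal both rely on can be done with nothing more than a flow export and a small script. The following is an added example, not code from anyone in the thread: it aggregates constructed flow records per dorm host, lists the top talkers, flags hosts over the 768 MB weekly figure quoted above, and splits usage into the proposed 8am-6pm window. The `10.1.` dorm prefix and the `timestamp,src,dst,bytes` record format are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real data): one flow per line in the
# assumed export format timestamp,src_ip,dst_ip,bytes.
FLOWS = """\
2000-03-20T09:15:00,10.1.4.22,198.51.100.7,524288000
2000-03-20T11:40:00,10.1.4.22,198.51.100.9,314572800
2000-03-20T23:05:00,10.1.4.35,203.0.113.5,104857600
2000-03-21T14:30:00,10.1.4.35,203.0.113.6,52428800
2000-03-21T20:10:00,10.1.7.8,198.51.100.7,10485760
2000-03-22T10:00:00,198.51.100.7,10.1.4.35,209715200
"""

DORM_PREFIX = "10.1."                      # assumption: dorm hosts live under 10.1.0.0/16
WEEKLY_QUOTA_BYTES = 768 * 1024 * 1024     # the 768 MB/week figure proposed in the thread
BUSINESS_HOURS = range(8, 18)              # the 8am-6pm window proposed in the thread

def parse_flows(text):
    """Yield (timestamp, src, dst, bytes) from the CSV-like export."""
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)

def account_per_host(flows):
    """Charge each flow to the dorm host involved, whichever direction it
    went, and keep a separate count for bytes moved during business hours."""
    usage = defaultdict(lambda: {"total": 0, "business": 0})
    for ts, src, dst, nbytes in flows:
        host = src if src.startswith(DORM_PREFIX) else dst
        if not host.startswith(DORM_PREFIX):
            continue                       # neither end is a dorm host; not our concern
        usage[host]["total"] += nbytes
        if ts.hour in BUSINESS_HOURS:
            usage[host]["business"] += nbytes
    return dict(usage)

def top_talkers(usage, n=3):
    """Hosts ordered by total bytes, heaviest first."""
    return sorted(usage, key=lambda h: usage[h]["total"], reverse=True)[:n]

def over_quota(usage, quota=WEEKLY_QUOTA_BYTES):
    """Hosts whose weekly total exceeds the agreed policy limit."""
    return sorted(h for h, u in usage.items() if u["total"] > quota)

if __name__ == "__main__":
    usage = account_per_host(parse_flows(FLOWS))
    for host in top_talkers(usage):
        u = usage[host]
        print(f"{host:12} total={u['total'] / 2**20:8.1f} MB  "
              f"business-hours={u['business'] / 2**20:8.1f} MB")
    print("over quota:", over_quota(usage))
```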