UC Irvine Cracks Down on P2P
grendel20 writes "After years of dialup, one thing I was looking forward to the most about college was the fast ethernet connection. Upon arriving at UCI though, I found my kazaa speeds to be way below subpar. Apparently, UCI has limited access for all P2P programs with this fine piece of hardware. Now what do I do?" Whether you agree with what UC Irvine is doing or not, I do applaud them for publicizing and being straightforward about it. Upstream entities can implement these sorts of controls without telling users, and it's tempting to do so because it will reduce the number of user complaints.
They're allowing you to pirate music, movies, and software. Most schools block all P2P programs and that's the end of the story. What could you possibly be complaining about?
Is your browser retarded?
University of West Florida does just this-they have a firewall that completely blocks all P2P software ports. Kazaa, gnutella, whatever, it just doesn't work. I think I have the only solution - get Timbuktu installed on my home computer, remotely download files from my cable modem and then upload to my college box. Ta-da!
About a year ago, someone had stolen a password on a system of mine and I found them in the act, connected from UCIrvine. Phone calls to campus police, the IT department, and the IT security desk (ha), were worse than fruitless. They said I was being attacked by nimda, and when I told them no, I was running linux and this was a different sort of thing, they ignored me and passed me up the chain. NOTHING came of my reports except about $10 of phone calls. UCI is now firewalled from my network. Maybe it should be firewalled from the rest of the net, as they don't know anything about security and don't want to learn.
The number 1 point there seems an encouragement to set up an in-college P2P system...
This would be a great feature for P2P developers to add - the ability to first search an internal network for your file before resorting to a search of the wider internet.
Tim
Omnia vestra castrorum habetur nobis.
This is very widespread. I am the network admin at a small college, most places I talk to have a packetshaper in place to limit bandwidth. We bought ours this summer so we could reopen the P2P networks. Boy am I regretting this. We went from totally blocked last year to slightly above dialup speeds this year and I have never heard the end of it. Usually showing people the graph that shows our uplink at 97% 24hrs a day stops people from complaining but not always. What most students don't understand is that bandwidth is limited, very limited, and they are not the only ones using the network. When we have an outage I don't usually hear from students first; it's from faculty who can't work on their research. I do applaud them for being so upfront about the bandwidth controls, but I would be interested to hear from their Admins as to how much this has helped their network. I know from my personal experience that it has prevented our network from just grinding to a halt.
and so is the RIAA, it doesn't seem too wrong to explain a workaround. I've never tried it, but kazaa has the option of tunnelling through a SOCKS proxy in the Firewall tab of the settings. I assume that would bypass any filtering server. If it works, you are limited by the bandwidth of the proxy. You could also consider using a different P2P client; such as overnet or giFT.
When all freedom is outlawed only the outlaws have freedom
At McMaster U. (Hamilton, ON, CA) they use a program called ResX. Think of KaZaA (in fact, suspiciously EXACTLY like Kazaa...) except it only works on the LAN. Think DivX DVD-rips in 40 seconds, 5-meg MP3s in 3 seconds. Now that's tasty.
McMaster actually paid a company to write a Kazaa-clone that would only work on the LAN. It was cheaper than bandwidth-shaping the Internet pipe. However, I doubt all universities will do this.
My recommendation to you is to find other P2P people and set up a Direct Connect hub or something similar. Make it only available to people within the university.
Good luck!
-cruz
Karma: pi (Mostly due to circular reasoning in posts).
I don't use P2P, but the majority of the students at my university seem to. Our connection isn't worth a damn most of the time as a result. The method used to "block" P2P is to go after users who download XMB per time period. So I get a citation for downloading 5 Linux ISOs which are legitimate downloads especially since I am a CS major, but the assholes who download MP3s, DivXs, etc on a regular basis get a free ride. So far I am one of only a handful of people I know that has been given such a citation. And yes, it is the P2P users' fault and they should lose their connections for an entire semester. If it weren't for them, the university would never have had to implement such stupid regulations.
I'm a student at UCSC and I know that they do it here. When I lived in the dorm all my friends who used Kazaa or Morpheus experienced terrible speeds (on the order of .5 kB/s). I knew that the school limited the bandwidth almost simply by the fact that you could download a file from a corporate site at 700 kB/s.
One week in January, the limits were taken off. My friends were amazed at the speeds they were getting. Some of them went on downloading blitzes, some just kept going and thought it nice that things came faster. I however, started having serious issues just bringing up webpages. Even Google would take a few minutes to load. Every other process on the network was slowed down during that week. Thankfully they fixed it and things went back to being nice and fast.
I was thankful for the bandwidth limits (which were port based) because it kept the rest of the network from being bogged down. With a taste of what p2p could do to a network, I knew that it really was necessary. I confess though, that I used WinMX and was able to avoid any visible restrictions when I did my downloading.
I am a sophomore at the University of Rhode Island and I work for the department of networking and telecom services, we have a Packeteer packetshaper, had it for a while. We have a nice little setup here for a state University, 60megs from verizon and soon another 60 redundant megs from cox communications.. so we will have admin on one and students on the other. But our rate limiting is: P2P Inbound 10megs 20 burstable Outbound: 5megs no burst.. no one needs to fill our pipe sending files to leechers outside our network so.. we let kids get whatever they want, but we don't let them fill our whole 60 meg pipe ya know.. Nick D
Home Sweet Home Linux
I would liken it to an employee using the company copy machine for personal use. The company is paying for something it shouldn't be. In this case, the state is paying for something they shouldn't be: use of their network for purposes not in line with the school's mission and purpose.
What?
The students think it is unfair and totally immoral -- but they can't understand that bandwidth isn't cheap. All in campus traffic doesn't count, so some students have set up direct connect servers -- we've had dorm rooms mrtg's showing the buildings maxing out in just local traffic alone so internet traffic coming in won't even be an option...
I think Penn State made a good choice by giving them a limit. There's no slowdown on any of the p2p, but they have to be responsible and think and moderate themselves. It's just a shame though, because there are some legitimate reasons that would put you over the 1.5 gig, but the majority of computers I was asked to look at were all from the lovely p2p programs.
Who's the black private dick, who's a sex machine for all the chicks?
The answer, at least in my opinion, is via a QoS mechanism.
The problem is that you can't have students sucking down gigs of bandwidth to grab the latest porn flicks off of the gnutellaNet, because it costs you too much to keep them and your "legit" users happy. So set up a QoS system. I'd probably like to have a quota of bandwidth that each person gets per month...and after they've exhausted that bandwidth, they only get network space if there's free space on the network -- their priority drops.
So if 128.2.154.2 is sucking down more than his fair share and exhausts his entire quota in the first day of the month. After that, his priority at the router gets knocked down to "two" and his performance suffers. If the network's already jammed, his packet is the first to get dropped. That way, you let people who want to do P2P do P2P, and keep the people who just want a snappy SSH server keep a snappy SSH server.
Since you don't really need real-time response (calculating used bandwidth once an hour in a perl script or something is more than enough), you can do this offline. If I were using a Linux router:
Set up iptables on each router so that you have a chain that sums the bandwidth used by each host in the network that it routes to. Hourly, poll each of the routers and get the latest usage statistics, and regenerate prioritization rulesets based on these. Send these back out to the routers.
Since you can do this offline at your NOC, you can do fancy stuff like sum all the bandwidth used by all the IPs allocated to a single user and stuff like that. Give each user 2GB/month, and if they want to use 1GB on their laptop and 500MB on each of their two desktops, that's okay too.
There are a few potential problems. Technically advanced students could try setting up VPNs. Shouldn't be a huge issue, just means that a slightly larger body of people get 100% utilization of quota.
IP spoofing is always a potential issue, but no end of problems can be caused by IP spoofing already, and the consequences aren't *disastrous* in this case -- if a massive flood of spoofed data is slipped by the sysadmin, the victim would just get somewhat worse performance.
Now, that assumes that the bottleneck is at the outgoing connection to your installation. If it's the LAN and your box is hooked up to a simple switch or hub...well, not much you can do there.
Finally, it's difficult for students to "find loopholes" in rulesets that detect whether software is P2P or not and take advantage of them. Many suggestions that try to rate-limit P2P traffic and P2P traffic alone are vulnerable to this.
That being said, it's also nice to run a big Web opaque proxy server with a policy of no logging (most people get leery of optional proxy servers if they log what they're doing). Also, if you have a bunch of hard drives sitting around, you can set up a Freenet node and do the same thing -- have a big local cache for users
May we never see th
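The hourly accounting pass this comment describes, as an added example that is not part of the original thread: it parses per-host byte counters in the layout `iptables -L -v -n -x` prints, sums them per user, and renders a mark rule for each address of a user over the 2 GB quota. The `ACCT` chain, the addresses, the user names, counters being zeroed at the start of each month, and the use of a packet mark (which the router's queueing setup would still have to map to a lower-priority class) are assumptions.

```python
from collections import defaultdict

QUOTA_BYTES = 2 * 1024**3      # 2 GB per user per month, as in the comment
NORMAL, DEMOTED = 1, 2         # over-quota users drop to priority "two"

# Constructed sample of `iptables -L ACCT -v -n -x` output. ACCT is a
# hypothetical chain holding one target-less counting rule per campus host.
SAMPLE_COUNTERS = """\
Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  800000 1073741824            all  --  *      *       0.0.0.0/0            192.0.2.10
  400000  524288000            all  --  *      *       0.0.0.0/0            192.0.2.11
  400000  524288000            all  --  *      *       0.0.0.0/0            192.0.2.12
 2500000 3221225472            all  --  *      *       0.0.0.0/0            192.0.2.20
      12       1000            all  --  *      *       0.0.0.0/0            192.0.2.99
"""

# Constructed registration data: which user owns which address.
HOST_OWNER = {"192.0.2.10": "alice", "192.0.2.11": "alice",
              "192.0.2.12": "alice", "192.0.2.20": "bob"}

def parse_counters(text):
    """Return {destination_ip: bytes} from the listing, skipping headers."""
    counters = {}
    for line in text.splitlines():
        fields = line.split()
        # Rule lines start with two integers (pkts, bytes); headers do not.
        if len(fields) < 8 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        counters[fields[-1]] = counters.get(fields[-1], 0) + int(fields[1])
    return counters

def usage_by_user(counters, host_owner):
    """Sum bytes over every address registered to the same user."""
    usage = defaultdict(int)
    for ip, nbytes in counters.items():
        # Unregistered addresses are tracked on their own, not ignored.
        usage[host_owner.get(ip, "unregistered:" + ip)] += nbytes
    return dict(usage)

def priorities(usage, quota=QUOTA_BYTES):
    """Users strictly over quota are demoted; everyone else stays normal."""
    return {u: DEMOTED if b > quota else NORMAL for u, b in usage.items()}

def demoted_rules(counters, host_owner, quota=QUOTA_BYTES):
    """Render one mark rule per address of each demoted user for the routers."""
    prio = priorities(usage_by_user(counters, host_owner), quota)
    return [f"iptables -t mangle -A FORWARD -d {ip} -j MARK --set-mark {DEMOTED}"
            for ip in sorted(counters)
            if prio[host_owner.get(ip, "unregistered:" + ip)] == DEMOTED]

if __name__ == "__main__":
    for rule in demoted_rules(parse_counters(SAMPLE_COUNTERS), HOST_OWNER):
        print(rule)
```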
We have 2 Packeteer 8500s now and are probably going to start using them soon. Instead of limiting P2P traffic to a specific amount, we'll probably just use the priority feature, P2P traffic will have a lower priority than all other traffic. So long as the links aren't full, the traffic will not be affected, but if the links start maxing, the Packeteers will start slowing P2P traffic, allowing the other traffic to continue at its normal pace.
Personally, I think it's a really good solution, I don't think banning P2P outright is good since it DOES have legitimate uses and people will always work around a ban in some way or another BUT it can be a real strain at times.
The priority feature the Packeteers offer is great because if it works as advertised (and it seems to) you don't have to be a jerk and set any real hard limits on anything, you can just set up a priority scale so that the important stuff always gets what it needs.
I used to live in the dorms last year. Even then they have had the bandwidth to all P2P networks limited to 2% of the total bandwidth. Of course you are going to have extremely slow speeds. However there are many alternatives that you should be well aware of. If you believe the extent of your music/movie/bootleg collection should be found on Kazaa then you haven't been tapping the correct resources. I myself was harassed many a time by the Residential Networking Admin, Ted Roberge. All of us who liked to use lots of bandwidth knew him well. Here is one of the many emails I have received from em.
>I am sending you a graph showing your IRC bandwidth use for the last 24 hours. The graph is primarily for IRC, not web surfing, e-mail etc etc.
>I do not block or limit IRC use, however, I do monitor the top users and as you are clearly using more than your fair share of bandwidth, especially your uploading to the internet, I am asking you to exercise more concern for bandwidth use and cut back considerably. Your peak usage for irc consumes almost 10% of all available bandwidth for the entire housing network. Excessive bandwidth use affects all users on the housing network. If this continues, I will have no other choice but to limit your bandwidth.
>Thanks in advance for your cooperation.
>Best
Figure it out pal...P2P is dead for us EDU's. If you want to get shit at good speeds use IRC, find some connections, get hooked up with a few ftps, serve as a dump. Of course all this must be done while still avoiding our lovely resnet admin, because he will harass you.
I attend Western Washington University, and we've been using Packeteer for (if memory serves) a year now. Our situation is a little different, let me explain why.
First off, Western isn't a small school, but with about 12,000 enrolled, it's not small either. About 3,500 live on campus and on the WWU LAN. The internet connection afforded to the residence halls is in the form of a fractional T3, of which we lease a 1.5mbyte/sec connection. Back in 2000, when school started we had less than half that connection, and Napster was at its peak. It's probably not necessary to say that our network connection was completely laid to waste by the massive amount of traffic requested of it.
When Packeteer was introduced at the beginning of last year, things seemed mostly normal. HTTP traffic moved along nicely. Then, ResTek (the group who handles the residential network) decided to limit our traffic to 300MB a day, and if you went over it more than once, you would get your port pulled. However, this was made tolerable because from 2am to 10am, you could rape the internet as much as you damn well pleased without repercussion.
After massive complaining, though, they started implementing this homebrew traffic limiter which sharply cut your bandwidth as you downloaded, and quickly made online gaming impossible.
However, we've begun to cope with it. We have local game servers, and a local DirectConnect hub which has become a good place to hang out, meet people, and exchange files.
I'm curious though, what kind of connections other colleges of our size have. 1.5MB/s seems quite measly for 3,500 people (granted, not all of them use the net for much more than email).
If you head over to ResTek's webpage, check out the bandwidth section, specifically the FAQ and see what you all think. I'm curious.
I have a general problem with draconian measures that many institutions implement. If the bandwidth is available (i.e. it is not being used) then it should be made available. There are many tools that allow flexible real-time traffic shaping. If the network admins were intelligent they would have implemented one of these solutions to make everyone happy. You know it's easy to look down on people especially when they are younger. This makes it easy for many (including other young people) to defend such actions by saying that another person's usage of the network isn't valid. That is very sad and short-sighted.
UCInet metrics
While I do work at UCI, I'm in a different dept. and don't know much about the workings of resnet. I do feel sorry for the support folks there, though, as most of the hacked windows boxes and klez-infected PCs come from reshsg.uci.edu.
UCI is quite attentive to security issues, as soon NetBIOS blocking at the border router will go into effect. This will keep off campus crackers from trying to break into windows PCs that have windows file sharing turned on.
Now if only commercial ISPs could learn a bit from UCI's policy...
My Daily photo website.
How do I know all this? This is the job I do. I spent all of yesterday and this morning working on a Packeteer Packetshaper 4545. We don't block P2P. That's not the stance we felt we should take. We do however greatly limit the amount of bandwidth P2P applications can consume. We allot more to P2P after business hours. It's really interesting to watch response times plummet when I reboot the PS. For about 20 seconds, ping times climb to 800-1000ms. If I disable bandwidth shaping (which I did for about 10 minutes this summer to make a point during a meeting about the PS) P2P apps climb to the top and suffocate everything else. I can tell you that every regent's Unv in my state that is using a PS is severely limiting the amount of outbound bandwidth that's allotted to applications like P2P. Here at this Unv I give an average priority of 3 to all traffic classes that have known uses on campus. I set the default priorities to 2. I then raised the priority on HTTP and FTP to make them more responsive. I also gave a high priority to terminal emulators like SSH, telnet, and tn3270. Time sensitive applications like NTP and DNS were given a higher than average priority. I use guaranteed partitions on different classes or groups of classes to kick start them or limit their consumption. It has worked extremely well for us.
P2P is a major thorn in our collective sides when it comes to the network. I don't think it should be blocked. I don't think that at all. I've gone to great lengths to ensure that it isn't entirely blocked and that other applications have the resources they need. I do think it needs to be kept under control so it doesn't hurt everyone else, those few students that actually use their connections to research and learn. Users that try to get around our bandwidth shaping by setting up tunnels to their buddy's cable modem, using NNTP, HTTP, or FTP simply aggravate us and push closer to charging per megabyte transferred. I hope that day never comes.