Application Layer Packet Shaping on Linux
sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."
PS: fist post fools
If an attacker knows that you prioritize a certain service, wouldn't he cause a greater disruption with his DOS with this?
Another thing: couldn't the ??AA get ISPs to use this feature, not to kill P2P sharing, but to reduce its priority (perhaps as a compromise from not being able to kill P2P outright)?
Of course, there are many benefits to this as well, I'm just pointing out possibilities.
Well, to be fair, you probably wouldn't consider doing something like this for high-volume deployment (i.e. corporate/enterprise level). Chances are they already have some kind of Cisco or other big box in place anyway.
However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).
How does a router know the intended purpose/application a packet is destined for? Isn't it only the receiving computer that actually knows which applications have bound which ports?
Yes! Hopefully my college's sysadmin will be nice enough to make Kazaa so slow that people will stop installing that spyware-infested, OS-breaking POS software, so that I (being a dorm's paid computer janitor) won't have to fix their computer later on :P
Now, if something could be done about stopping those fine young college girls inadvertently running attacks on their campus's servers? :P
(Now that I think about it, I don't mind the girls needing help so much as the dumb college guys spilling beer on their laptop's keyboard...)
Why isn't anyone trying to make a home-server Linux distro? "Just put the CD in and wait; in half an hour you will have a printer-sharing, file-sharing server that will greatly enhance your internet experience! Now you and your family can download, surf and game without any problems with the bandwidth!" If Linux is going to break into the home of Joe Average, that might very well be the way: as a black box that does wonders for you. No learning, no configuring, just advantages.
This packet shaping software must be watching for embedded packet headers within the stream.
Suppose you have a Kazaa packet that is tunneling through HTTP. The shaper notes the HTTP header and passes the data according to HTTP rules until the embedded Kazaa packet is found. Now the shaper switches to Kazaa mode and shaping changes accordingly.
Now, if you want to defeat the shaper, tar and compress your Kazaa files, then uuencode them and embed them inside HTML files. To the packet shaper, it looks like you are transferring some very large web pages. Alternately, drop your uuencoded text into mail messages, instant messages, etc.
Actually, no. To the best of my knowledge (none of the info I've read on ALTQ has contradicted this) ALTQ only filters based on port... While it may be a good system for SSH, HTTP, etc., with protocols like Gnutella where the traffic could be on any port, you need something like this patch to recognize Gnutella traffic and limit it, no matter what port is being used.
Personally, I hope to see this kind of thing in OpenBSD soon myself. However, all the guys working on PF don't seem to be too interested in reaching out into newer territories. I would prefer to see deep packet inspection above all else, but the response I got essentially said they are not interested in working on it.
In their defense, though, they have been making progress in other advanced fields, such as PF-Auth (which is very cool and not available in any other firewall/routing package), and merging ALTQ into PF.
Does anyone else use Wondershaper? It works very well for my cable modem and is extremely easy to set up and use. Any comments on how it compares to this one?
That's not entirely accurate.
The fact is that a properly configured PC router is going to be faster than a special-purpose Cisco box simply because you can throw more hardware at the problem for less money.
I.e. a PC with 3x 1 Gig NICs on a 64-bit PCI bus with 2 GB RAM, 3-disc RAID 0, 2.4 GHz CPU and a properly tuned kernel will still cost $1200 or so. Far less than any Cisco box that even approaches the performance it will deliver under high loads.
($1200 Cisco boxes don't even do layer 7 filtering. So performance doesn't even matter until you enter the high-priced stuff.)
This only works until the protocols become smarter. An encrypted IPIP (or SSH, or IPsec, et al.) stream carrying Kazaa traffic looks the same to a packet inspection system as an encrypted IPIP tunnel carrying data from your rotodynamics sensors. There will come a point when bandwidth usage will be dealt with at the social level because all technical solutions have been obsoleted by encryption and tunnelling.
Thankfully, once your packets get routed onto the backbone, you shouldn't have to worry about this. Why? Because your data is packetized, and the internet is best effort. That means that your packets may travel over several routes to get to the destination. Thus, it would be possible to fragment your packets locally to a very high degree so that a router in the backbone would never be able to tell what protocol is in use, because the packets would be sent via various hosts. So the MPAA can't go and install this in the backbone of the net to stop your l33t DivX pirating.
On a local network, well that's another story. There will always be ways around stuff like this though. It wouldn't be hard to get another link (cellphone?) and send just enough packets over that to make stuff confusing.
Even better is the fact that when a telecom or large ISP hits CAP A, they take developers off of new dev and apply them to fix issues. I have witnessed this, and it's quite amazing and reassuring to their customers.
My bro is an avid Kazaa/WinMX pr0n collector, and I'll come home and find 25 people downloading from him and his HUGE collection of trashy pr0n. :)
I'd like to be able to leave it running in a weighted environment without having to manually decide what share he should get or kill all the downloads
errr....umm...*whooosh* *whoosh* Is this thing on ?
The computing service (who're responsible for the university and student networks) monitor general levels of traffic; if you've been using a lot of bandwidth for extended periods of time, they'll contact you, ask you what your excuse is, and tell you to slow down. The idea is that after a few warnings they'll disconnect your network socket, but most people take the hint.
Just looking at the stats rather than the protocol is also good for plausible deniability, since they don't particularly want to know the specifics of illegal file sharing and the like; they have been known to specifically stop a Direct Connect hub, but IIRC that was after another student had a private feud with the hub operator and decided to report them, after which the computing service had little choice.
They also occasionally scan random IPs for common server and trojan ports, then connect to some servers to see what banners etc. they produce, but this is more an anti-h4x0r thing than anything else; they don't even seem to mind students running low-traffic web servers on port 80, but they're likely to contact the student and verbally cluebat them if the server says it's IIS.
+/* XXX Is it ok to do nothing here? This gets called each time a filter
+is added (not sure why). */
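Review bot: the XXX comment leaves the contract of this callback unresolved, and that question should be answered before the hook is merged rather than left in the source. A handler that, per the comment, "gets called each time a filter is added" needs at least a note on what the caller expects back from it and whether a no-op is safe when filters are added while classification state already exists; if the answer is that nothing needs doing, replace the question with a one-line statement of why, and if the author is "not sure why" it is invoked, that is a sign the surrounding classifier API should be read before shipping an empty body.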
This ain't touching my kernel...
If you'd rather have a 2500 series router over a $500 Linux box, you're on crack. There's no comparison. Those pieces of shit (the 2500s) can't handle more than about a T1's worth of traffic, can't do any kind of CAR or shaping, and can barely handle a few dozen ACLs. And yes, Virginia, you need to use telnet to get at them, because they don't support any kind of encryption.
No thanks. Now if you were talking about a 2600-series for a small business or ISP, you're still on drugs, but it's only weed. I'd have to take a good look at what I need if presented with a stock Slackware install vs. a Cisco 2600-series router.
I'm curious about this... how much luck would the traffic shaper have telling apart, for example, an SSL-encrypted IMAP session, HTTP session, or Jabber session. If they were going to arbitrary ports how would it tell them apart?
Does it need to perform its own man-in-the-middle attack to get at the transmitted data?
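The points raised across this thread about how a layer-7 classifier works (matching on payload rather than port), how the uuencode-in-HTML trick slips past it, why encrypted or tunnelled streams stay opaque to it, and why a handshake split across small segments is only caught with stream reassembly are easiest to see in code. The following is an added example written for this page, not code from the post or from the l7-filter project. It classifies constructed sample packets by regular expressions over the start of each connection's payload, in the spirit of what l7-filter does; the patterns, the per-flow budget constants, the port table and the sample traffic are all simplified assumptions made here, not copied from the project's definition files.

```python
import re
from collections import defaultdict

# Constructed, simplified patterns in the spirit of l7-filter's protocol
# definitions (assumption: these are not the project's own files). Each
# is applied to the reassembled start of a connection's payload, so it
# can be anchored with ^ and is indifferent to the ports in use.
PATTERNS = [
    ("http",     re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("gnutella", re.compile(rb"^GNUTELLA CONNECT/0\.[46]\r\n")),
    ("ssh",      re.compile(rb"^SSH-[12]\.[0-9]")),
    # TLS record header: handshake (0x16), version 3.x. This identifies
    # TLS itself, never the IMAP/HTTP/Jabber session carried inside it.
    ("tls",      re.compile(rb"^\x16\x03[\x00-\x03]")),
]

MAX_PACKETS = 10   # stop looking after the first few packets of a flow
MAX_BYTES = 2048   # ... or after this much payload has been examined

# Port table a port-only classifier (ALTQ-style, per the thread) would use.
PORT_TABLE = {80: "http", 443: "tls", 22: "ssh", 6346: "gnutella"}


class L7Classifier:
    """Port-agnostic classifier over per-connection payload prefixes."""

    def __init__(self, reassemble=True):
        self.reassemble = reassemble
        self.buf = defaultdict(bytes)   # connection -> payload prefix so far
        self.count = defaultdict(int)   # connection -> packets seen
        self.verdict = {}               # connection -> final protocol name

    @staticmethod
    def conn_key(src, sport, dst, dport):
        # Direction-independent key so both halves of a flow share state.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def feed(self, src, sport, dst, dport, payload):
        """Account one packet; return the flow's verdict once decided."""
        key = self.conn_key(src, sport, dst, dport)
        if key in self.verdict:
            return self.verdict[key]
        self.count[key] += 1
        if self.reassemble:
            self.buf[key] = (self.buf[key] + payload)[:MAX_BYTES]
            data = self.buf[key]
        else:
            data = payload              # stateless per-packet matching
        for name, pattern in PATTERNS:
            if pattern.search(data):
                self.verdict[key] = name
                return name
        if self.count[key] >= MAX_PACKETS or len(data) >= MAX_BYTES:
            self.verdict[key] = "unknown"   # budget spent, nothing matched
            return "unknown"
        return None


def classify(packets, reassemble=True):
    """Feed (label, src, sport, dst, dport, payload) tuples; map label -> verdict."""
    clf = L7Classifier(reassemble)
    result = {}
    for label, *pkt in packets:
        verdict = clf.feed(*pkt)
        result[label] = verdict if verdict is not None else result.get(label, "undecided")
    return result


def classify_by_port(packets):
    """What a port-based filter concludes from the same packets."""
    return {label: PORT_TABLE.get(dport, "unknown")
            for label, _src, _sport, _dst, dport, _payload in packets}


# Constructed sample traffic, not a real capture.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    # Gnutella handshake sent to port 80: a port filter calls this web traffic.
    ("gnutella_on_80", CLIENT, 40001, SERVER, 80,
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"),
    # Ordinary HTTP on a non-standard port.
    ("http_on_8080", CLIENT, 40002, SERVER, 8080,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # The evasion from the thread: file data uuencoded inside an HTML page.
    # Only the start of the stream is inspected, so the verdict is http.
    ("p2p_in_html", CLIENT, 40003, SERVER, 80,
     b"GET /big.html HTTP/1.1\r\n\r\n<html>begin 644 x\nM...GNUTELLA CONNECT/0.6\r\n"),
    # TLS ClientHello on 443: recognisable as TLS, contents opaque.
    ("tls_on_443", CLIENT, 40004, SERVER, 443,
     b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
]
# One handshake deliberately split across two tiny segments.
SPLIT = [
    ("split_gnutella", CLIENT, 40005, SERVER, 6346, b"GNUTELLA CON"),
    ("split_gnutella", CLIENT, 40005, SERVER, 6346, b"NECT/0.6\r\n"),
]

if __name__ == "__main__":
    for label, verdict in classify(SAMPLE).items():
        print(f"{label:16} l7={verdict:9} port={classify_by_port(SAMPLE)[label]}")
    print("split, reassembled:", classify(SPLIT)["split_gnutella"])
    print("split, per packet: ", classify(SPLIT, reassemble=False)["split_gnutella"])
```

Run it and the four sample flows come out as gnutella, http, http and tls regardless of port, while the port table labels the Gnutella-on-80 flow as http. The uuencoded payload is classified as http because only the stream's first bytes are examined, the TLS flow is identified as TLS and nothing more, and the split handshake is recognised only with reassembly on; run per packet, neither fragment matches and the flow stays undecided. Real l7-filter has the same shape of limits: it can tell you a connection is TLS or SSH, not what is tunnelled inside, and anything matched must be visible in the first packets it keeps.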
Guys, the XMMS team has been busy with exactly what these L7 guys are trying. Check out http://www.packetlogic.com No wonder XMMS is stuck at 1.2.7 :)
It runs on Linux and blows the doors off anything Cisco, Allot, or anybody else can do with Layer 7 protocol shaping/firewalling, and better yet, you even get real-time surveillance.
My guess is that they are shaping the packets at layer 3 but doing it based on where it comes from / is headed to at layer 7.
So it still is packetshaping. =) (Haven't read the code though, so I might very well be wrong there.)
But maybe it should be labeled "packetshaping at layer 3 based on layer 7 data" instead. =/ Hmm...
Not such a big help for a home user but great for corporations.
Well, I packet shape like a son of a bitch on my home network. (it lets me pump out gigs of mutella traffic while still getting speedy response to ssh) But, let me cite a few more conventional uses for this in the home:
(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)
I'm confused. Most of (Cisco/Nortel/Alteon etc. etc. etc.)'s shit is modified PCs, and those whose kernels are not based on Linux are based on BSD.
I started working recently with the packet shaping options in Linux. A modern Linux box can shape easily at line rate on a 100 Mbps LAN. You have to get into carrier-class routers to do that in "hardware". And the flexibility of Linux's filter technology puts it in a different universe of practicality as more networks are implementing QoS to deal with VoIP.
Since minor changes in configuration can actually cause a reversal of the QoS effect under certain circumstances, and because VoIP is damn near impossible to get right anyway, this flexibility will be a life saver for anyone actually implementing QoS/shaping.
I'll look for this to become more mature before considering it for my customers, but it is difficult to overstate the significance of this advance in Linux technology. Way to go, guys!
Got a full T-1 going through a Linux router box with QoS. I started out just scheduling based on port, but now packet size is the best way. The pipe could have very heavy traffic, but yet my shell is as smooth as silk and DNS queries are quick. I recommend it highly.
The Cisco equivalent of this is called Network-Based Application Recognition (NBAR). Rather than use regular expressions, Cisco ship PDLMs (Packet Description Language Modules) that can be loaded and unloaded whilst IOS is running, much like you'd get by combining Netfilter's ip_conntrack_helper modules with the ideas these guys have.
(I still think they should be doing this inside Netfilter rather than qdisc)
NBAR can also be - and is - used to filter network worms at ISP borders, by matching the specially-crafted URLs used to compromise vulnerable systems. For example, here's the Cisco config to catch the Nimda worm.