Slashdot Mirror


Application Layer Packet Shaping on Linux

sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your Linux router/Linux switch to prioritize mail over the web over Kazaa or Gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks; now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."

16 of 353 comments

  1. DOS potential? by yozzle · · Score: 4, Interesting

    If an attacker knows that you prioritize a certain service, wouldn't he cause a greater disruption with his DOS with this?

    Another thing: couldn't the ??AA get ISPs to use this feature, not to kill P2P sharing, but to reduce its priority (perhaps as a compromise from not being able to kill P2P outright)?

    Of course, there are many benefits to this as well, I'm just pointing out possibilities.

  2. Re:This will be nice by mrjive · · Score: 5, Interesting

    Well, to be fair, you probably wouldn't consider doing something like this for high-volume deployment (i.e., corporate/enterprise level). Chances are, they already have some kind of Cisco or other big box in place anyway.

    However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).

    --
    If you can't beat them, arrange to have them beaten. -George Carlin
  3. How does it work? by goombah99 · · Score: 3, Interesting

    How does a router know what the intended purpose/application of a packet is? Doesn't only the receiving computer actually know which applications have bound which ports?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:How does it work? by demaria · · Score: 4, Interesting

      The same way Antivirus software knows which files are viral. It uses signatures to figure out what the traffic really is. No matter what port it runs on, you can always tell FTP traffic because of the format of the protocol, types of commands, and so forth. Part of the reason people buy commercial packet shapers is for these signatures. You can't do effective traffic shaping at just layer 4, you need to look at layer 7.

    2. Re:How does it work? by djtack · · Score: 3, Interesting
      Yes, demaria (above) explains this pretty well. Certainly it's not hard to trick the filter (you could tunnel everything through SSH on port 22, and nobody would be the wiser), but that isn't necessarily the point. It's still useful if you can (mostly) trust your users not to cause mischief.

      To better illustrate how this might work, consider this packet:
      17:26:26.288988 66.35.250.110.http > azrael.47969: . 1:1461(1460) ack 446 win 6432 (DF)
      0x0000 4500 05dc 67fd 4000 3106 07a6 4223 fa6e E...g.@.1...B#.n
      0x0010 80ff 16e8 0050 bb61 0000 16ef 7765 bbbe .....P.a....we..
      0x0020 5010 1920 e122 0000 4854 5450 2f31 2e31 P...."..HTTP/1.1
      0x0030 2032 3030 204f 4b0d 0a44 6174 653a 2046 .200.OK..Date:.F
      0x0040 7269 2c20 3330 204d 6179 2032 3030 3320 ri,.30.May.2003.
      0x0050 3232 3a32 363a 3235 2047 4d54 0d0a 5365 22:26:25.GMT..Se
      0x0060 7276 6572 3a20 4170 6163 6865 2f32 2e30 rver:.Apache/2.0
      0x0070 2e34 3620 2855 6e69 7829 206d 6f64 5f73 .46.(Unix).mod_s
      0x0080 736c 2f32 2e30 2e34 3620 4f70 656e 5353 sl/2.0.46.OpenSS
      0x0090 4c2f 302e 392e 3663 0d0a 4361 6368 652d L/0.9.6c..Cache-
      0x00a0 436f 6e74 726f 6c3a 206d 6178 2d61 6765 Control:.max-age

      This is clearly web traffic; even if we ignore the fact that it's on port 80, you can see evidence of HTTP in the data itself.
      17:34:06.098988 mgc.ssh > azrael.46148: . 447953:449401(1448) ack 1296 win 9648 <nop,nop,timestamp 339772381 279677933> (DF) [tos 0x10]
      0x0000 4510 05dc 088d 4000 4006 fd93 80ff 1605 E.....@.@.......
      0x0010 80ff 16e8 0016 b444 7ee3 8e22 7d94 24ff .......D~.."}.$.
      0x0020 8010 25b0 ff13 0000 0101 080a 1440 83dd ..%..........@..
      0x0030 10ab 8bed 7fdd cb10 3f79 eb7e ffce 1950 ........?y.~...P
      0x0040 a295 3003 bc21 4ffe 0e6b 231a 6ce7 748c ..0..!O..k#.l.t.
      0x0050 e9aa 4d74 ea34 16ff a456 5795 2176 b4b4
      Now this SSH packet could be carrying anything... it's hard to tell. Still, certain applications might have patterns, as suggested.
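To make demaria's "signatures, not ports" point concrete, here is a small added example (my own code, not part of the thread and not l7-filter's own implementation) that takes the two tcpdump hexdumps from djtack's comment, parses them back into bytes, strips the IPv4 and TCP headers, and matches the first bytes of the payload against regular-expression signatures. The signatures are my simplified approximations in the style of l7-filter's pattern files, not the project's actual patterns; the 512-byte inspection budget and the constructed Gnutella and HTTP-upload streams at the end are assumptions for the demo. The HTTP packet classifies as http from its bytes alone, the SSH packet matches nothing (an encrypted stream carries no signature to see), and the constructed streams show that the port number is never consulted and that anything wrapped in well-formed HTTP still looks like HTTP, which is the limitation djtack notes.

```python
import re

# Two "tcpdump -x" dumps copied from djtack's comment above: an offset column,
# eight 16-bit words, and an ASCII column that the parser ignores (the last SSH
# line has no ASCII column, which the parser tolerates).
HTTP_DUMP = """\
0x0000 4500 05dc 67fd 4000 3106 07a6 4223 fa6e E...g.@.1...B#.n
0x0010 80ff 16e8 0050 bb61 0000 16ef 7765 bbbe .....P.a....we..
0x0020 5010 1920 e122 0000 4854 5450 2f31 2e31 P...."..HTTP/1.1
0x0030 2032 3030 204f 4b0d 0a44 6174 653a 2046 .200.OK..Date:.F
0x0040 7269 2c20 3330 204d 6179 2032 3030 3320 ri,.30.May.2003.
0x0050 3232 3a32 363a 3235 2047 4d54 0d0a 5365 22:26:25.GMT..Se
0x0060 7276 6572 3a20 4170 6163 6865 2f32 2e30 rver:.Apache/2.0
0x0070 2e34 3620 2855 6e69 7829 206d 6f64 5f73 .46.(Unix).mod_s
0x0080 736c 2f32 2e30 2e34 3620 4f70 656e 5353 sl/2.0.46.OpenSS
0x0090 4c2f 302e 392e 3663 0d0a 4361 6368 652d L/0.9.6c..Cache-
0x00a0 436f 6e74 726f 6c3a 206d 6178 2d61 6765 Control:.max-age
"""
SSH_DUMP = """\
0x0000 4510 05dc 088d 4000 4006 fd93 80ff 1605 E.....@.@.......
0x0010 80ff 16e8 0016 b444 7ee3 8e22 7d94 24ff .......D~.."}.$.
0x0020 8010 25b0 ff13 0000 0101 080a 1440 83dd ..%..........@..
0x0030 10ab 8bed 7fdd cb10 3f79 eb7e ffce 1950 ........?y.~...P
0x0040 a295 3003 bc21 4ffe 0e6b 231a 6ce7 748c ..0..!O..k#.l.t.
0x0050 e9aa 4d74 ea34 16ff a456 5795 2176 b4b4
"""

# Payload signatures in the spirit of l7-filter's regular-expression patterns.
# These are my own simplified approximations written for this example, not the
# project's pattern files; real patterns are longer and more permissive.
SIGNATURES = [
    ("http", re.compile(
        rb"^(get|post|head|put|delete|options)\s\S+\shttp/1\.[01]\r\n"
        rb"|^http/1\.[01]\s\d{3}\s", re.I)),
    ("ssh", re.compile(rb"^ssh-[12]\.[0-9]", re.I)),
    ("gnutella", re.compile(rb"^gnutella connect/0\.[46]\r\n", re.I)),
    ("smtp", re.compile(rb"^220[ -][^\r\n]*\r\n|^(helo|ehlo)\s", re.I)),
]

# Only the start of a stream is inspected; 512 bytes is an assumed budget.
HEAD_BYTES = 512


def parse_hexdump(dump):
    """Turn tcpdump -x text back into the raw bytes of the captured packet."""
    data = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:9]:          # skip the offset, stop before ASCII
            if not re.fullmatch(r"[0-9a-f]{4}", word):
                raise ValueError(f"unexpected hex word {word!r}")
            data += bytes.fromhex(word)
    return bytes(data)


def tcp_payload(packet):
    """Return (sport, dport, payload) for an IPv4/TCP packet, honouring IP and TCP options."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    tcp = packet[ihl:]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4                    # TCP header length, options included
    return sport, dport, tcp[doff:]


def classify(head):
    """Match the first bytes of a stream against the signatures; ports are never consulted."""
    for name, pattern in SIGNATURES:
        if pattern.search(head):
            return name
    return None                                  # unknown: fall back to port rules or a default class


def classify_stream(chunks, head_bytes=HEAD_BYTES):
    """Classify a connection from its payload chunks in order, as a connection-tracking
    filter would, giving up once head_bytes have gone by without a match."""
    head = b""
    for chunk in chunks:
        head += chunk
        label = classify(head[:head_bytes])
        if label is not None or len(head) >= head_bytes:
            return label
    return None


def classify_dump(dump):
    """Classify one captured packet from its dump: (sport, dport, label)."""
    sport, dport, payload = tcp_payload(parse_hexdump(dump))
    return sport, dport, classify(payload[:HEAD_BYTES])


if __name__ == "__main__":
    print(classify_dump(HTTP_DUMP))   # (80, 47969, 'http'): the bytes say HTTP, not the port
    print(classify_dump(SSH_DUMP))    # (22, 46148, None): an encrypted stream shows nothing
    # Constructed streams: the handshake split across two packets is only seen once
    # the pieces are joined, and an upload wrapped in a valid HTTP request is "http".
    print(classify_stream([b"GNUTELLA CONN", b"ECT/0.6\r\nUser-Agent: x\r\n\r\n"]))        # 'gnutella'
    print(classify_stream([b"POST /up HTTP/1.1\r\nHost: h\r\n\r\nbegin 644 x.tar.gz\n"]))  # 'http'
```

The classifier works on the head of a connection rather than on single packets, which is why classify_stream accumulates chunks: a handshake that straddles a segment boundary is invisible to a per-packet match. Once the budget of bytes has passed without a match the flow stays unknown, and a real deployment then falls back to port rules or a default class, which is exactly the gap that tunnelling through SSH exploits.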
  4. Wohoo! by Kirby-meister · · Score: 3, Interesting

    Yes! Hopefully my college's sysadmin will be nice enough to make Kazaa so slow that people will stop installing that spyware-infested, OS-breaking POS software, so that I (being a dorm's paid computer janitor) won't have to fix their computer later on :P

    Now, if something could be done about stopping those fine young college girls inadvertently running attacks on their campus's servers? :P

    (Now that I think about it, I don't mind the girls needing help so much as the dumb college guys spilling beer on their laptop's keyboard...)

  5. New type of linux distro? (again) by Lord Kholdan · · Score: 5, Interesting

    Why isn't anyone trying to make a home-server linux distro? "just put the cd in and wait, in half a hour you will have a printer-sharing, file-sharing server that will greatly enhance your internet experience! Now you and your family can download, surf and game without any problems in the bandwidth!" If Linux is going to break into home of joe average that might very well be the way. As a black box that does wonders for you. No learning, no configuring, just advantages.

  6. Shape Spoofer, read on by appleLaserWriter · · Score: 5, Interesting

    This packet shaping software must be watching for embedded packet headers within the stream.

    Suppose you have a Kazaa packet that is tunneling through HTTP. The shaper notes the HTTP header and passes the data according to HTTP rules until the embedded Kazaa packet is found. Now the shaper switches to Kazaa mode and shaping changes accordingly.

    Now, if you want to defeat the shaper, tar and compress your kazaa files, then uuencode them and embed them inside html files. To the packet shaper, it looks like you are transfering some very large web pages. Alternately, drop your uuencoded text into mail messages, instant messages, etc.

  7. Wondershaper by Otik2 · · Score: 5, Interesting

    Does anyone else use Wondershaper? It works very well for my cable modem and is extremely easy to set up and use. Any comments on how it compares to this one?

  8. Re:This will be nice by Forge · · Score: 3, Interesting

    That's not entirely accurate.

    The fact is that a properly configured PC router is going to be faster than a special-purpose Cisco box simply because you can throw more hardware at the problem for less money.

    I.e., a PC with 3x 1 Gig NICs on a 64-bit PCI bus, 2GB RAM, 3-disk RAID 0, a 2.4 GHz CPU and a properly tuned kernel will still cost $1200 or so. Far less than any Cisco box that even approaches the performance it will deliver under high loads.

    ($1200 Cisco boxes don't even do layer 7 filtering. So performance doesn't even matter until you enter the high-priced stuff.)

    --
    --= Isn't it surprising how badly I spell ?
  9. Arms race ++ by Jeffrey Baker · · Score: 3, Interesting

    This only works until the protocols become smarter. An encrypted IPIP (or SSH, or IPSec, et al.) stream carrying Kazaa traffic looks the same to a packet inspection system as an encrypted IPIP tunnel carrying data from your rotodynamics sensors. There will come a point when bandwidth usage will be dealt with at the social level because all technical solutions have been obsoleted by encryption and tunnelling.

  10. correct me if i'm wrong by pridkett · · Score: 3, Interesting

    Thankfully, once your packets get routed onto the backbone, you shouldn't have to worry about this. Why? Because your data is packetized, and the internet is best effort. That means that your packets may travel over several routes to get to the destination. Thus, it would be possible to fragment your packets locally to a very high degree so that a router in the backbone would never be able to tell what protocol is in use, because the packets would be sent via various hosts. So, the MPAA can't go and install this in the backbone of the net to stop your l33t DivX pirating.

    On a local network, well that's another story. There will always be ways around stuff like this though. It wouldn't be hard to get another link (cellphone?) and send just enough packets over that to make stuff confusing.

    --
    My Slashdot account is old enough to drink...
  11. this could be a help for me at home by Archfeld · · Score: 4, Interesting

    My bro is an avid Kazaa/WinMX pr0n collector, and I'll come home and find 25 people downloading from him and his HUGE collection of trashy pr0n.
    I'd like to be able to leave it running in a weighted environment without having to manually decide what share he should get or kill all the downloads :)

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  12. I feel safe using this patch! by Anonymous Coward · · Score: 5, Interesting

    +/* XXX Is it ok to do nothing here? This gets called each time a filter
    +is added (not sure why). */
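    Review bot: the XXX comment leaves an open question in code that runs on every filter add ("not sure why" it is called each time). Before this is merged, either find out why the hook fires per filter and document that doing nothing there is safe, or handle the repeated call explicitly (for example, reject or count a second registration for the same filter) instead of shipping an unresolved question in a kernel path.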


    This ain't touching my kernel...

  13. Packetlogic already does it! by unix-oldtimer · · Score: 4, Interesting

    Guys, the XMMS team has been busy with exactly what these L7 guys are trying. Check out http://www.packetlogic.com No wonder XMMS is stuck at 1.2.7 :) It runs on Linux and blows the doors off anything Cisco, Allot, or anybody else can do with Layer 7 protocol shaping/firewalling, and better yet, you even get real-time surveillance.

  14. The equivalent Cisco technology, NBAR by jjgm · · Score: 3, Interesting

    The Cisco equivalent of this is called Network-Based Application Recognition (NBAR). Rather than use regular expressions, Cisco ship PDLMs (Packet Description Language Modules) that can be loaded and unloaded whilst IOS is running, much like you'd get by combining Netfilter's ip_conntrack_helper modules with the ideas these guys have.

    (I still think they should be doing this inside Netfilter rather than qdisc)

    NBAR can also be - and is - used to filter network worms at ISP borders, by matching the specially-crafted URLs used to compromise vulnerable systems. For example, here's the Cisco config to catch the Nimda worm.