Application Layer Packet Shaping on Linux

sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."

DOS potential?

[yozzle]

If an attacker knows that you prioritize a certain service, wouldn't he cause a greater disruption with his DOS with this?

Another thing: couldn't the ??AA get ISPs to use this feature, not to kill P2P sharing, but to reduce its priority (perhaps as a compromise from not being able to kill P2P outright)?

Of course, there are many benefits to this as well, I'm just pointing out possiblities.

Re:This will be nice

[mrjive]

Well to be fair, you probably wouldn't consider doing something like this for high-volume deployment (ie corporate/enterprise level). Chances are, they already have some kind of Cisco or other big box in place anyways.

However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).

New type of linux distro? (again)

[Lord+Kholdan]

Why isn't anyone trying to make a home-server linux distro? "just put the cd in and wait, in half a hour you will have a printer-sharing, file-sharing server that will greatly enhance your internet experience! Now you and your family can download, surf and game without any problems in the bandwidth!" If Linux is going to break into home of joe average that might very well be the way. As a black box that does wonders for you. No learning, no configuring, just advantages.

Re:How does it work?

[demaria]

The same way Antivirus software knows which files are viral. It uses signatures to figure out what the traffic really is. No matter what port it runs on, you can always tell FTP traffic because of the format of the protocol, types of commands, and so forth. Part of the reason people buy commercial packet shapers is for these signatures. You can't do effective traffic shaping at just layer 4, you need to look at layer 7.

Shape Spoofer, read on

[appleLaserWriter]

This packet shaping software must be watching for embedded packet headers within the stream.

Suppose you have a Kazaa packet that is tunneling through HTTP. The shaper notes the HTTP header and passes the data according to HTTP rules until the embedded Kazaa packet is found. Now the shaper switches to Kazaa mode and shaping changes accordingly.

Now, if you want to defeat the shaper, tar and compress your kazaa files, then uuencode them and embed them inside html files. To the packet shaper, it looks like you are transfering some very large web pages. Alternately, drop your uuencoded text into mail messages, instant messages, etc.

Wondershaper

[Otik2]

Does anyone else use Wondershaper? It works very well for my cable modem and is extremely easy to set up and use. Any comments on how it compares to this one?

this could be a help for me at home

[Archfeld]

My bro is an avid Kazaa/WinMX Pr0n colletor, and I'll come home and find 25 people downloading from him and his HUGE collection of trashy pr0n.
I'd like to be able to leave it running in a weighted environment without having to manually decide what share he should get or kill all the downloads :)

I feel safe using this patch!

+/* XXX Is it ok to do nothing here? This gets called each time a filter
+is added (not sure why). */

This ain't touching my kernel...

Packetlogic already does it!

[unix-oldtimer]

Guys, the XMMS team has been busy with exactly what these L7 guys are trying. Check out http://www.packetlogic.com No wonder XMMS is stuck at 1.2.7 :) It runs on Linux and blows the doors of anything Cisco, Allot, anybody else can do with Layer 7 protocol shaping/firewalling and better yet, you even get real-time surveillance.