Beating Comcast's Sandvine On Linux With Iptables
HiroDeckard writes "Multiple sites reported a while ago that Comcast was using Sandvine to do TCP packet resets to throttle BitTorrent connections of their users. This practice may be a thing of the past, as it's been found that a simple rule in the Linux firewall, iptables, can simply block their reset packets, returning your BitTorrent back to normal speeds and allowing you to once again connect to all your seeds and peers. If blocking the TCP packet resets becomes a common practice, on and off of Linux, it'll be interesting to see the next move in the cat-and-mouse game between customers and service providers, and who controls that bandwidth."
It'll bust their trace buster buster.
Wasn't this solution posted in the first few comments when this was first reported as happening?
This trick has been around for a while, hasn't it?
The problem is, you can only filter out the RST packets on your end of the connection. But Sandvine also sends RSTs to the other end of the connection. That means it isn't enough for you to be running this iptables rule - all the peers you connect to have to be running it too.
Not even a first post.
I heard it through the sandvine.
Disconnect and self-destruct, one bullet at a time.
While it is good that it is easy to ignore reset packets that were created by the ISP, the question still remains:
Why should we have to block forged packets made by the ISP? If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?
And, wow that site went down fast.
If I have nothing to hide, don't search me
Usenet FTW
It doesn't matter what it is, it'll be worse, more draconian, and will still be subverted quickly.
ISPs (and many other certain groups) need to realize that they have already lost, and will lose, ad infinitum. The fight will only cause hemorrhaging of even more customers.
I tried it and it worked fine...like 3 months ago. I guess the days of this working are now numbered in the dozens.
First. 1001512098
Now if we could just find a way to get around them blocking port 25! Pretty inconvenient for those who need to send work email from home.
Now he needs to add a rule to iptables to save the webserver from the Slashdot effect.
Well, if you are doing something illegal (like downloading music from bands under the RIAA), not that I condone it, Usenet would be the best choice.
First of all, your provider probably doesn't throttle downloads. Second of all, your IP doesn't get sent out to everyone and their mother; the only people that know it are your ISP and Usenet provider.
tl;dr: Usenet binary groups FTW
Is there a version of this that works for IPFW, or another way to do it on Mac OS X?
I wonder if they will just say that blocking their RST packets is a violation of the TOS and disconnect you.
Related link here.
I want to be retired when I grow up.
I'd like to know which rule does the magic. Can someone please paste one here....thanks.
Because you know, all of BitTorrent is used for illegal stuff
There are no better reasons, and it is no easier, for ISPs to block or rate-limit our web use than it is to centrally control spam. People are different, and have different needs, plain and simple.
Who should have priority, and how to determine it? I can guarantee that if it is a packet flag, then spammers, virus writers, and even bit torrent users will find a way to use it. And regardless, consider the following:
- Which priority should online Live football have from site X? Should it have over the one from site Y, and Z, and the 1000+ others with different commentators and different languages?
- What if you rather wanted live games? Or Live online music concerts? What should have higher priority?
- What about your live online video rentals - stream from Netflix over one from Blockbuster or should maybe your own ISP be allowed to rate limit all the competition to sell their own?
- What about my VoIP from Skype over Vonage, Gizmo, Provider X,Y,Z?
- What about Online games from Xbox 360 above Playstation 3?
Who is to set the priorities? How on earth should the ISP know what my priorities are? How on earth should the football channel know they should not send with the highest priority flags?
And there is also a much easier way that leaves the internet neutral:
As with e-mail spam filtering - let the settings be neutral from the ISP side, then let us set up our own profile or custom rules for the downstream traffic.
cool.. keep your 'awesome' ideas locked away and no one will steal them from you. Maybe you IP whores should try building bridges to new places instead of troll-guarding common sense.
As a Comcast customer, I've never had my torrents completely stop, they just go around 300k... I did notice a speed increase when I chose to encrypt the traffic (uTorrent has it under Speed Guide).
Comcast is evil and I want them to DIAF, but my torrents, which are legal, haven't been that impacted.
When I want fast, I use the Comcast sponsored newsgroups through Giganews.
I noticed my WoW connection suddenly became unstable at the beginning of the month.
I implemented similar firewall rules on my mac and the instability was cut in half.
Guess the other half is being forged to the blizzard servers.
Of course, they could have just kicked you for using bittorrent in the first place, if they wanted to.
But they want your money.
They were hoping they could slow down bittorrent enough to not cause anyone to leave, but still get an under the table payoff from the *AA groups. I'm sure they'll keep tweaking and keep watching their subscription numbers.
The article says that encrypted BitTorrent does not help.
Now why is this? If they can't tell what is in the packet, how do they know if they should block it?
Is it some port ID? You can set BitTorrent to use something besides 50,000. But perhaps there are specific ports that are also used that can't be changed?
Or are there some behavioural markers they are using?
Or perhaps BitTorrent's encryption doesn't actually wrap the whole packet, but instead just wraps the data portion and not the BitTorrent headers?
By the way - while on to it - if they are to rate-limit live sports events and so on, they MUST prioritize the version for the hearing impaired, which has a square with a commentator speaking in sign language in the corner, ABOVE the one for the rest. This is simply because it is illegal to discriminate against the hearing impaired, and everyone is able to see the screen even though a part of it might not be of such interest to most of us. Of course, if the hearing impaired could set these options themselves, then we wouldn't need to degrade the performance for those not hearing impaired either.
It doesn't matter because we all use bit-torrent for legal purposes, and 99.9% of those provide HTTP downloads, too, amirite?
And not just IP! When I'm done stealing IP I'll steal BGP and ICMP!
The internet will be mine, mine! Mwa ha ha ha ha ha ha!
In any kind of digital dialogue between computers over the Internet, a third party may send packets that are either malformed or are valid but are not part of the conversation. This is done to cause a number of effects that are not desired by the communicating parties. A common example is an attempt to break in to a system. Another example is the classic man-in-the-middle attack. Yet another example is the denial of service attack, which can take many forms.
Perhaps by shifting our thinking a bit, we'll find that these reset packets sent by ISPs to throttle certain types of connections represent the latter form of third party communication, designed to achieve denial of service! The ISP, then, is a "hacker" (for the mass media and Joe Luser definition of "hacker").
McCain/Palin '08. Now THAT's hope and change!
Not to mention the fact that, seeing as I do very little BT, why did they target me so quickly?
Maybe you missed the recent news that several large ISPs are shutting down Usenet service. You can always pay for Usenet, but why pay for warez?
I think that would make my day, actually. I've already got a DSL line, so I won't even feel it. They will though, when I cancel my cable television service which costs me considerably more than my cable internet each month. We've finally got fiber service here, too. Teeheehee.
As my subject says. This is why you only put the filter on the specific port you are using for P2P traffic. For instance, my rule is as follows:
iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -j DROP;
The above does what it says, drop TCP RST packets on port 36745. That is all you need to do to keep it from affecting your other network applications which may be getting legit reset packets.
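One way to see what a port-scoped rule like the one above is actually catching, as an added example that is not from this thread: put a LOG rule ahead of the DROP (the "P2P-RST" prefix is an assumption) and run the kernel's log lines through a small script. The log lines below are constructed, and the TTL-consistency check is a heuristic, not something the thread or Sandvine documents.

```python
"""Summarise the TCP RST packets that a port-scoped iptables rule logged.

Assumed (hypothetical) LOG rule inserted just before the DROP rule:
  iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST \
      -j LOG --log-prefix "P2P-RST "
The kernel then writes one line per matching packet in its LOG format.
"""
import re
from collections import defaultdict

# Constructed sample kernel log lines (not real captures).  The last line
# is on port 22 and would only be logged by an unscoped LOG rule; it is
# included to show that the summary ignores packets outside the P2P port.
SAMPLE_LOG = """\
kernel: P2P-RST IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51413 DPT=36745 WINDOW=0 RES=0x00 RST URGP=0
kernel: P2P-RST IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=0 DF PROTO=TCP SPT=51413 DPT=36745 WINDOW=0 RES=0x00 RST URGP=0
kernel: P2P-RST IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 DF PROTO=TCP SPT=6881 DPT=36745 WINDOW=0 RES=0x00 RST URGP=0
kernel: P2P-RST IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 DF PROTO=TCP SPT=6881 DPT=36745 WINDOW=0 RES=0x00 RST URGP=0
kernel: P2P-RST IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40000 DPT=36745 WINDOW=0 RES=0x00 RST URGP=0
kernel: P2P-RST IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51413 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare flag tokens


def parse_log_line(line):
    """Return (fields, flags) for one kernel LOG line.

    fields is a dict of the KEY=value tokens (SRC, DST, TTL, SPT, DPT, ...);
    flags is the set of TCP flag names that appear as bare tokens.
    """
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in FLAG_NAMES}
    return fields, flags


def summarise_rsts(log_text, p2p_port):
    """Group logged TCP RSTs aimed at p2p_port by source address.

    Returns {src: {"count": n, "ttls": [...], "mixed_ttl": bool}}.
    mixed_ttl is a heuristic (an assumption of this example, not a rule
    from the thread): if RSTs claiming the same source address arrive with
    clearly different TTLs, more than one host is sending packets in that
    peer's name, which is what an injected reset tends to look like.
    """
    per_src = defaultdict(lambda: {"count": 0, "ttls": set()})
    for line in log_text.splitlines():
        fields, flags = parse_log_line(line)
        if fields.get("PROTO") != "TCP" or "RST" not in flags:
            continue
        if fields.get("DPT") != str(p2p_port):
            continue  # not on the P2P port, so the scoped DROP never saw it
        entry = per_src[fields["SRC"]]
        entry["count"] += 1
        entry["ttls"].add(int(fields["TTL"]))
    return {
        src: {
            "count": e["count"],
            "ttls": sorted(e["ttls"]),
            "mixed_ttl": len(e["ttls"]) > 1,
        }
        for src, e in per_src.items()
    }


if __name__ == "__main__":
    for src, info in sorted(summarise_rsts(SAMPLE_LOG, 36745).items()):
        note = "  <- TTLs disagree, RSTs likely not all from this peer" if info["mixed_ttl"] else ""
        print(f"{src:15} rst={info['count']} ttl={info['ttls']}{note}")
```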
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
I believe this is it
http://www.networkmirror.com/rdDEvxh7svNGl9W1/tuxtraining.com/2008/06/21/beating-sandvine-on-linux-with-iptables/index.html
It's when I see a comment on Slashdot, that seems to have no relation to the comment above it. Then I discover that the real parent post has been hidden by Slashdot's new comment system, and the child post linked to the grandparent.
It's damn annoying! Slashdot, please, at least link the child to the "hidden comments" link. That way, I won't get head spins when someone appears to viscously lash out at an interesting post.
viciously, not viscously. I'll have to learn to read my previews more closely.
If only they could have found a way to block packets from Slashdotters on their webserver . . .
Wouldn't subtitles be easier? like they do on DVD/s
If my call is important, why am I talking to a recording?
It appears I have control over ICMP packets with my AVG firewall. What exactly should I be doing, i.e. which packets need to be blocked, as they have numbers and no description? Thanks
Yes, but you use the term 'priority' with careless abandon. It's like 'Joe should have to wait for Fred' is an assumption automatically made. Give your head a shake (big shake). In 2000 and the years just before and after, a lot (A LOT!!) of fiber went into the ground. Much of it is still dark. At the same time, compression algorithms made the amount of data (lossless data) that you could send increase dramatically. Neither group was expecting the other. What resulted was enough bandwidth to increase data traffic by several million times. Now that people are actually starting to use some (not all yet) of that bandwidth, noise is being made. The real issue is business wanting to put meters on everything. Greed is the issue. ISPs are selling web TV and don't want P2P. Same traffic amount. One is free, and one you pay for. (Actually with web TV you pay twice, with P2P you pay once only). That's the issue. Net neutrality is about giving people what they paid for. Any nonsense about 'bandwidth' is rubbish.
They recently bumped up service to a full megabit upload speed, mostly because of Verizon FiOS service (which still isn't available anywhere in MA except the rich white suburbs- Boston's completely "dark", yet surrounded by towns and cities which have it.) However, if you use it past the old limit (384kbit), after a few minutes, latency skyrockets.
It takes anywhere from a minute to several minutes to kick in, but when it does, ping times to Google jump from 20-30ms to over 300ms. Sometimes I found ping times would be *seconds* long, and ssh became almost completely unresponsive. Curiously, none of the packets would actually be dropped - they'd just be very, very badly delayed.
Seems very clearly designed to a) look the same as Verizon "on paper", b) satisfy people who want to email photos of the kids to grandma and grandpa (I will admit, it's insanely nice to be able to upload at four times the speed, when it works).
Technical merit? I think not.
They can't block the packets, they sold their users "unlimited" internet. If certain packets are just blocked that's not really unlimited, is it?
They sure didn't tell anyone they were secretly installing Sandvine boxes that nobody had heard of specifically to screw up certain kinds of traffic. They did it in secret. It was subterfuge. A dirty trick. Mischief.
Now that they are found out their story is they are just "managing bandwidth".
But what they are really doing is trying to stop 2% of their customers from using 98% of the bandwidth, bandwidth they have to pay for. Remember, though they are selling "unlimited" internet access at some level *all* bandwidth is measured. Theirs is certainly measured by their upstream provider. There is really no "unlimited" bandwidth.
I believe that this rule should work for Mac OS X ipfw:
sudo ipfw add 100 drop tcp from any to any 6881 tcpflags rst
change 100 to the rule number that fits in your list
change 6881 to your BitTorrent port number
feel free to correct me !
so that makes it right or legal to discriminate against the people who are not hearing impaired?
hmm seems like another lawsuit...
gg comcast?
in all seriousness, encryption is a bitch for companies who want to spy on us and limit our freedoms on the internet. as another user pointed out, utorrent has a feature for encryption -- you should use it.
If they could get someone who could transcribe them in real time. Possible, I guess, stenographers need to be able to do something like that.
Flamebait/troll...
But just to make sure you understand: File sharing is NOT theft! - There is no loss involved as the subject is copied, not transferred.
I myself download some movies as a way of sampling them before either deleting them or buying the DVD/Blu-ray. I don't keep the downloaded copy around - it's always deleted, either right away (because the movie is crap) or when I buy the DVD. So my copies don't cost anybody anything; no loss and thus no theft.
This is off topic, but southeastern MA is going to be getting FiOS soon. My relatives, who live in Braintree, had Verizon people working for a month to get everything set up in that city; now they're moving to southeastern MA. So I should have Verizon available soon :)
Just a question, do you need to have your Linux PC connected directly to Comcast's cable modem for this to work? It sounds to me like you do, but my PC is in my room, and we have a wireless router connecting everything.
Now, imagine you buy a year membership card.
Then you start showing up each morning, and again in the evening.
Then the fitness center comes to you and says: "You can come here, but we are going to lock all the doors when you show up, because you are using up too much resources and thus denying them to our other members."
Do you think there would be any outrage?
Turn on any live sporting event or news broadcast and enable closed captioning on your TV (or receiver, DVR, whatever) - they have been doing this for a LONG time.
I expect we'll see development of protocols more robust than TCP to a MITM attack (this is ultimately a MITM denial of service).
Closed captions do exactly that.
First they came for the game crackers,
and I did not speak up because I did not play games
Then they came for the pornographers,
and I did not speak up because I did not view porn
Then they came first for the spammers,
and I did not speak up because I was not a spammer
First they came for the music pirates
and I did not speak up because I was not a pirate
Then they came for me,
and by that time there was no fair-use left.
Couldn't bittorrent be rewritten to use UDP instead of TCP, and therefore bypass their whole throttling technique?
I can count with the fingers of one hand the people in slashdot that understand IP now.... :(
why a device for just this?
When you buy a wireless router, just make sure it's a router that will run a decent Linux distribution. The Linksys WRT54G started the ball rolling, and there is now a rather impressive list of routers supported by just one embedded Linux distro: OpenWRT. DD-WRT has a similarly lengthy list. Some allow you to attach hard drives via IDE or USB and do file serving as well. Most run around 200MHz, have 4MB flash and 16/32MB RAM, although better and worse configurations are available. These also have wireless built in, and usually two separate hardware VLANs. You can pick up routers for under $50.
802.11n hardware seems to have very poor Linux support, and not many routers have gigabit, unfortunately. I haven't really followed closely, as neither of these features is on my "must have" list. The one I've seen moving recently is the WRT350N, which is making pretty good headway and has both features, but it's still not ready for primetime and is a pretty old router.
In general, I don't see why you'd get specific hardware for this when you could just have a small 5 watt Linux router that handles your WAN/LAN/WiFi/simple daemons.
Like everyone else.
"Here's an idea: Stop fucking stealing shit !! If you don't steal you won't care if your stealing facilitation enablers get a fucking RST or not. "
RST hurts anyone trying to keep long-lived TCP connections, regardless of how much or what traffic they are sending.
Wouldn't captions be less bandwidth intensive?
.........Maybe that explains why I cannot view the 2nd link in the summary.
I think you're seeing the effect of something other than your ISP killing connections here - there really is no use case whatsoever for an ISP to block WoW, and there really isn't any (normal) congestion alleviation algorithm that kills connections. Drop packets? Yes. But that's not the same thing as sending RSTs..
WoW is a pretty light game on resources as well. 1000 simultaneous connections incur a negligible impact on any ISP large enough to have 1000 simultaneous WoW users (say a userbase of 100k total, ballpark numbers)
WTF?! Is downloading some Fedora installation CDs via BitTorrent stealing?
http://code.google.com/p/obstcp/
Obfuscated TCP is very promising, an application-transparent method of encrypting TCP traffic, with graceful failure. Not designed to prevent targeted man-in-the-middle attacks, but will make generalised packet inspection extraordinarily difficult.
Jesus Christ!
Bit torrent is old tech.
The truth is, they (the telecoms and others) have started an arms race.
P2P will become infinitely more sophisticated.
http://offsystem.sourceforge.net/
http://wiki.offdev.org/Main_Page
It's theft! Stop doing it! Stop Justifying it!
You are no better than a petty thief. Stop stealing other people's IP.
Wow. I had no idea Hillary Rosen's parrot learned to type!
Well, not on any stations where I live.
For instance, p2p programs can start using UDP spread spectrum... pass packets on random ports.
The ISP has a countermeasure to this: use DNSBLs to identify home-to-home (not home-to-business) packet streams and then screw with them.
Why should we customers be punished for your overzealous use of bandwidth while peering huge files 24/7 and seeding them out just as much. I for one applaud Comcast and any other ISP that does this to P2P packets. If you want better quality connections then don't get residential, and pay for their business accounts. Otherwise shut the fuck up and stop using bandwidth that other people like to use for their gaming and streaming of Netflix cartoons for their children. God I am sick and tired of you whiny babies complaining about Comcast or other ISPs that do this. Either put forth more money to get better quality service or stop using P2P constantly. Think of other people for a fucking change instead of your fucking selfish self. Thanks for making my blood pressure rise. Fuckin idiots.
I pirate mainly music because it allows me to sample a lot more music and subsequently go to a lot more gigs, and that way the bands that produce good music get more of my money (money saved not buying 2/3 albums is the same as a gig ticket, and 2/3 of the stuff I download I would probably not buy anyway).
I'm also a Linux user, so to play most games I have to see if they are worth playing on Wine; I prefer to do this before I spend £20/30, and as I have to crack the copy protection anyway, even for games I legally own, I have to torrent them.
IranAir Flight 655 never forget!
But don't viruses that infect consumer PCs use them as spam relays? Blocking port 25 on consumer IP ranges helps solve this problem, right?
Until the worms start connecting on port 587, using a name and password taken with a keylogger.
...to no avail. But they will decide that users should only run Windows or Mac, and that Linux is the domain of hacker terrorists (for when they have to sell this to the ignoranti congress).
"Obviously, due to these techniques being available, the tool known as iptables must be made illegal. The ability to change how we're sending packets through our networks allows users to engage in piracy, terrorism, and cyber-warfare, and this cannot be allowed to continue in the name of national security."
(Yes, I think that's a load of crap, but I suspect they can get 60 senators with that and a few campaign donations.)
Does anyone have any help for a linux noob looking to use this script with DD-WRT firmware running on a Linksys router? Is it even possible?
Why do they still do all this? Why not follow the path of the ISPs of many other countries (such as Australia), where unlimited (broadband) connections simply don't exist?
Don't complain about your torrents going a little slower. When you are limited to 3GB combined upload/download traffic per month, THEN you will feel the pain.
On top of everything, everybody seems to think it's their job to carry the Internet on its back and figure it out somehow. The end customer likes to have huge amounts of bandwidth for pennies.
Damn, those lousy cellular customers are making a lot of calls on our unlimited rates plan. Let's just cut off their calls or make the service so distorted that they hang up themselves.
Damn, those idiotic customers are all watching hi-dev TV on their cable. Maybe we should switch the output signal to low-def.
Stupid drivers, since the population of the city has grown this roadway has been plugged. Let's give them a lesson by dropping speed limits and closing lanes.
Darnit, people are actually using our long-distance plan to call relatives in the other side of the country more... let's just block their calls randomly with a busy signal.
Too many nerds are visiting slashdot these days, it's getting bogged down. We're tired of upgrading servers, so let's just leave them with these Pentium III's and delete the account of anyone who posts too often.
We don't put up with this shit in other marketplaces, why should we put up with it in regards to the internet? Part of a company's planning procedures should be to map out weak areas in infrastructure, predict where/when capacity increases need to be made, and make improvements where necessary.
Sandvine sends RST packets to both ends, so this recipe will only be effective if both sides cooperate.
Sandvine will now keep just enough state to forge FIN packets instead.
Done with slashdot, done with nerds, getting a life.
Exactly. My in-laws are on Comcast. Their youngest daughter is currently in Thailand, teaching English. Because of the high cost of international calls, they've been using Skype to communicate. At my house (non-Comcast) we can use Skype without issue. At my in-laws', they're lucky to get a minute and a half at a time without losing the connection.
Any plan which depends on a fundamental change in human behavior is doomed from the start.
...and people want the unlimited bandwidth they're paying for. What's wrong with that? And why are you blaming P2P users for Comcast's lies?
"When information is power, privacy is freedom" - Jah-Wren Ryel
Post a story about bandwidth and you're getting record numbers of replies. Guess we're all bandwidth whores...
According to the telcos any bit-torrent traffic is automatically illegal, so yes, yes it is. Actually any high volume traffic has to be something illegal.
I suggest the author read up on the difference between throttling and blocking. Throttling can be done in Linux using CBQ. Please understand that Comcast (like most companies) hires smart people, not dummies. Anyway, Sandvine is also a BSD with a good firewall with more capabilities on it, with a management interface.
On what grounds?
First of all, their packets are fake. They do not originate from the IP contained in their header. If anyone has grounds for complaint, it is the user.
Second, the user gets whatever information is presented, but is under no obligation to route it or process it in any specific way. The ISP cannot expect the user to do anything with a packet in a predefined way.
Of course, these are just arguments; the argument is not rational, not that they won't try it :-)
Can we somehow use iptables scripts in windows? Failing that, could someone make a quick and dirty filter implementing this functionality for windows?
Take it easy Prince. You get so worked up every time you have dinner at Metalica's house.
> isn't available anywhere in MA except the rich white suburbs- Boston's
> completely "dark"
Ok... no white people in Boston... we get it.
I just set my input policy to DROP; that should start dropping everything, including RSTs or evil nasty bastards, wherever they come from. That is very simple :D
What country do you live in? In the US, the FCC requires all TVs and receivers (cable or satellite) to support closed captioning, and depending on content (but clearly for all new content, which includes news and sports) requires programmers (i.e. networks/stations) to provide closed captioning in their broadcasts.
http://www.fcc.gov/cgb/consumerfacts/closedcaption.html
If you aren't in the US, I'd be really surprised your country's broadcasting/disability laws are so far behind the US (where these have existed for almost 15 years), as from what I have seen the FCC almost always picks the worst broadcast standards of those available (or makes up a new one when there aren't any existing ones that are bad enough). If you are in the US (and your TV is less than 15 years old), check again, I'm sure you can get CC. NBC/ABC/CBS have no reason to violate FCC rules.
Well, I remember ten years ago or so when I had a 4 mbit/sec symmetric connection from @Home. It was awesome (okay all you people in Japan or Korea or wherever with 100 mbit connections can just shut up.) Then @Home folded, and AT&T took 'em over and overnight I had 1.5 mbit down and 25 kbit up. Millions of voices suddenly cried out in terror ... and were slowed to a crawl.
AT&T magnanimously decreed that there wouldn't be any cost increases, of course that didn't last. The service royally sucked compared to what I had before. Then AT&T Broadband was sold to Comcast and the service went totally into the toilet.
So, basically I've had to wait almost a decade to get service that still doesn't match what I had from @Home and costs almost twice as much.
That's progress for you.
The higher the technology, the sharper that two-edged sword.
Hong Kong. No captioning required here.
Guys I found a site that has a fix for RST for Windows.
http://wakarimasu.googlepages.com/windows
Enjoy!
They could alter the Ts & Cs to make it a violation of service to block those packets....and then cut you off if you do it.
Only boring people are ever bored.
Windows 2k/XP Sandvine Fix
Just go to Google and search for "Windows 2k/XP Sandvine Fix", since Slashdot loves to delete my original post with the link associated.
After typing this for the 10th time, it seems like this site is broken, as it can't save anything. /. originally deleted my comment which included the fix.
Anyways, go to Google and type in the title above in the search bar. This will supply you with an IPFW for Windows.
Enjoy!
Go to Google, type in the title and you will see an IPFW for Windows. This is a great solution for those who use Windows.
Good info... Will be implementing this later tonight. I think others would like this info.
*Headline News* censorship shuts down the Internet! More at 6PM!
I want everyone who has read ANYWHERE that using Linux or Mac IP Tables to drop the forged packets with the rst flag set won't help solve your peering problems to IGNORE what all the negative nellies are telling you!! I was a Windows user on Comcast's network and until yesterday, my seeding capacity was ZERO...period...no seeding unless it was during the initial download. Yesterday I installed Ubuntu, dropped those bad, bad rst packets with the proper command and VOILA! I was seeding like crazy. So, if you wanna stick it to Comcast and everyone else using Sandvine - SWITCH TO LINUX OR MAC AND USE YOUR IP TABLES TO DROP THE FORGED RST PACKETS!!! It will fix your problem because now EVERYONE ELSE IS DROPPING THEIR PACKETS TOO!! So the packets get dropped from both sides and no rst is performed. JUST DO IT!! You'll be glad you did. I'll be happy to send you screenshots of two machines, side by side, one on Windows and one on Linux...with the Windows machine seeding to no one and the Linux machine seeding like crazy. It really works! BELIEVE IT!