Slashdot Mirror
Beating Comcast's Sandvine On Linux With Iptables
HiroDeckard writes "Multiple sites reported a while ago that Comcast was using Sandvine to do TCP packet resets to throttle BitTorrent connections of their users. This practice may be a thing of the past as it's been found a simple rule in the Linux firewall, iptables, can simply just block their reset packets, returning your BitTorrent back to normal speeds and allowing you to once again connect to all your seeds and peer. If blocking the TCP packet resets becomes a common practice, on and off of Linux, it'll be interesting to see the next move in the cat-and-mouse game between customers and service providers, and who controls that bandwidth."
Wasn't this solution posted in the first few comments when this was first reported as happening.
Here's a link to Google's cache of the article.
Not just that, but it filters out RST packets that may in fact have been sent by the peer. So this trick can leave you with sockets hanging open in a bad state.
Well if you are doing something illegal (like downloading music from bands under the RIAA), not that I condone it, but Usenet would be the best choice.
First of all your provider probably doesn't throttle downloads. Second of all your IP doesn't get sent out to everyone and their mother, the only people that know it are your ISP and Usenet provider.
tl;dr: Usenet binary groups FTW
Related link here.
I want to be retired when I grow up.
I noticed my WoW connection suddenly became unstable at the beginning of the month.
I implemented similar firewall rules on my mac and the instability was cut in half.
Guess the other half is being forged to the blizzard servers.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
I've had this command in my WRT54GL running DD-WRT for a while: iptables -A INPUT -p tcp --dport 39984 --tcp-flags RST RST -j DROP just replace 39984 with whatever post you use for bittorrent
I blame geof's speakers.
As my subject says. This is why you only put the filter on the specific port you are using for P2P traffic. For instance, my rule is as follows:
iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -j DROP;
The above does what it says, drop TCP RST packets on port 36745. That is all you need to do to keep it from affecting your other network applications which may be getting legit reset packets.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Shouldn't you be using port 587 for that?
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?
Yet another reason why anyone who knows anything about computers and networks have been saying the **AA's methods of identification are a complete joke and don't amount to anything that could be considered evidence.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
All _decent_ mail servers allow for the submission of email on TCP port 587. So you could send your work emails that way.
Or VPN into work and send emails that way.
Or even use your ISP's mail server to send the emails (though you might be hit an obstacle like SPF).
I believe this is it
http://www.networkmirror.com/rdDEvxh7svNGl9W1/tuxtraining.com/2008/06/21/beating-sandvine-on-linux-with-iptables/index.html
I believe that this rule should work for macos X ipfw :
sudo ipfw add 100 drop tcp from any to any 6881 tcpflags rst
change 100 for the rule number that fits in your list
change 6881 for your bittorrent port number
feel free to correct me !
but why pay for warez?
Because they're better/more usable than the real thing?
Because encryption CAN'T encrypt the packet headers, or every box on the net would have to decrypt it to find out who it's for. Only the data itself is encrypted.
This is also how classic traffic analysis works, as in WW II radio traffic -- the to and from addresses are not encrypted, otherwise every listening radio would have to decrypt every single message to see which ones are fo it, and that is way too much work in those pre-computer days.
Encryption only obfuscates the files you are downloading/uploading, it doesn't hide what protocol you are using... (I think) In any case, it DID work for a while, but I guess Comcrap caught on to the protocol, and now my torrents (all legal BTW) are crapped out...
Your linux iptables based firewall needs to sit between the Comcast modem and the rest of your PC's...
--- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
The law in my state (Utah) includes the following:
(4) A person who intentionally or knowingly and without authorization, interferes with or interrupts computer services to another authorized to receive the services is guilty of a class A misdemeanor.
(Misdemeanors for the same offense stack until they become felonies in Utah, not sure what it works out to for class As though)
(3) Any person is guilty of a second degree felony who:
(a) knowingly and unlawfully possesses an instrument capable of intercepting electronic serial number and mobile identification number combinations under circumstances evidencing an intent to clone;
(definition of electronic serial number is sketchy here, cloning is the electronic kind, interestingly, this also makes my router quite illegal (though as a misdemeanor, as I do not have intent to use), since it supports mac address cloning)
(1) A person is guilty of a class B misdemeanor if, in the course of business, he:
(c) sells, offers, or exposes for sale adulterated or mislabeled commodities.
(2) (a) "Adulterated" means varying from the standard of composition or quality prescribed, or pursuant to any statute providing criminal penalties for a variance, or set by established commercial usage.
(b) "Mislabeled" means varying from the standard of truth or disclosure in labeling prescribed by or pursuant to any statute providing criminal penalties for a variance, or set by established commercial usage.
IANAL, or a paralegal, the state code may not reflect case law, and the judge may not care what the law is at all, your state will likely have something completely different. I also point out that I long since lost track of the number of felonies and misdemeanors I've racked up in my state's legal code. (which is annoying, since I need to add owning my router to it)
Liberte, Egalite, Fraternite (TM)
"Here;s an idea: Stop fucking stealing shit !! If you don't steal you won't care if your stealing facilitation enablers get a fucking RST or not. "
rst hurts anyone trying to keep long lived tcp connections, regardless of how much or what traffic they are sending.
Not sure what you mean by sending work email from home.
If you mean your ability to establish a connection with a corporate mail server not located on your ISP's network, then port 25 is unnecessary. You should use port 465 with SSL instead. Problem solved since no ISP ever blocks port 465 in any direction. At least not that I am aware of.
If you mean your ability to run a mail server at your house, then your shit out of luck period. There are a large number of mail servers now that use policy block lists. Every ISP publishes their policy block lists which includes your IP address range. The moment your mail server tries to establish a connection to another mail server using this block list your packets could be dropped right at the router, or your connection terminated by the mail server itself.
Now as upsetting as that might be, it really is for the greater good. The vast majority of all the SPAM being sent every day comes from compromised windows machines on dynamic IP address ranges. Using the policy block list is very effective at immediately stopping those communications from ever reaching the mail server.
If you are absolutely determined to run your own mail server from home I would suggest getting a static IP address. Not only will port 25 not be blocked, but you will have a MUCH BETTER chance of your packets not being dropped by routers servicing the mail servers you will be sending email to.
Another option, depending on the amount of money you want to spend, is to retain the services of an email services provider. There are more than a few out there. You can use your own domain and they will host it for you. They can also provide a fair amount of security and usually are more reliable in getting the email to the destination.
Additionally, you could always get a virtual server someplace and run your own mail server software on it. They have linux and microsoft systems available pretty cheaply. Then you would be operating on IP address ranges used by big ISPs and data centers.
In Belgium at least 1 provider (Telenet) blocks everything below port 1024 for standard customers.
Don't fight for your country, if your country does not fight for you.
Um, in the US, we're already paying for it. We have since the late 90's when congress passed huge tax breaks on to telcos to develop our 40Mbps connections - you have one of those don't you? The telco's promised us one years ago, I'm sure mine is just around the corner.
I have no problem with an data cap on broadband. Lets just do what Japan is doing; 25Mbits/sec for $25USD/month with a 30GB upload cap per *day* and no cap on download.
Actually, a lot of fitness center have rules about using their equipment and memberships are subject to those rules. In general, most fitness centers clearly specify that if there is nobody waiting, then you can use their treadmill or other devices as much as you want. Otherwise, it's only for a limited time and then you MUST let someone else use it. The last one I went was 30 minutes for treadmills and about 10 minutes for weight equipment.
The reason for RST-Injection vs. packet blocking is simple.
For packet blocking, the appliance has to know instantly whether to block a packet or allow it.
For RST-Injection, the appliance can monitor a flow and spend some computing time deciding whether or not to inject a reset.
The time an appliance has to decide whether to throttle changes from microseconds to milliseconds or possibly even seconds.
For some places, notably the US, I can see why you'd think I was being sarcastic. But the European ISP market is much more dynamic. I was being serious when I called competition over there fierce.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer