Slashdot Mirror
Beating Comcast's Sandvine On Linux With Iptables
HiroDeckard writes "Multiple sites reported a while ago that Comcast was using Sandvine to do TCP packet resets to throttle BitTorrent connections of their users. This practice may be a thing of the past as it's been found a simple rule in the Linux firewall, iptables, can simply just block their reset packets, returning your BitTorrent back to normal speeds and allowing you to once again connect to all your seeds and peer. If blocking the TCP packet resets becomes a common practice, on and off of Linux, it'll be interesting to see the next move in the cat-and-mouse game between customers and service providers, and who controls that bandwidth."
It'll bust their trace buster buster.
Wasn't this solution posted in the first few comments when this was first reported as happening.
This trick has been around for a while, hasn't it?
The problem is, you can only filter out the RST packets on your end of the connection. But Sandvine also sends RSTs to the other end of the connection. That means it isn't enough for you to be running this iptables rule - all the peers you connect to have to be running it too.
Visual IRC: Fast. Powerful. Free.
I heard it through the sandvine.
Disconnect and self-destruct, one bullet at a time.
While it is good that it is easy to ignore reset packets that were created by the ISP, the question still remains:
Why should we have to block forged packets made by the ISP? If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?
And, wow that site went down fast.
If I have nothing to hide, don't search me
Here's a link to Google's cache of the article.
Now he needs to add a rule to iptables to save the webserver from the Slashdot effect.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Well if you are doing something illegal (like downloading music from bands under the RIAA), not that I condone it, but Usenet would be the best choice.
First of all your provider probably doesn't throttle downloads. Second of all your IP doesn't get sent out to everyone and their mother, the only people that know it are your ISP and Usenet provider.
tl;dr: Usenet binary groups FTW
I wonder if they will just say that blocking their RST Packets is a violation of TOS and disconnect you.
Easy.
Get a real ISP.
There is no more good reasons and not any easier for the ISP's to block or rate limit our web-use than it is to centrally control spam. People are different, and have different needs plain and square.
Who should have priority, and how to determine it? I can guarantee that if it is a packet flag, then spammers, virus writers, and even bit torrent users will find a way to use it. And regardless, consider the following:
- Which priority should online Live football have from site X? Should it have over the one from site Y, and Z, and the 1000+ others with different commentators and different languages?
- What if you rather wanted live games? Or Live online music concerts? What should have higher priority?
- What about your live online video rentals - stream from Netflix over one from Blockbuster or should maybe your own ISP be allowed to rate limit all the competition to sell their own?
- What about my VoIP from Skype over Vonage, Gizmo, Provider X,Y,Z?
- What about Online games from Xbox 360 above Playstation 3?
Who are to set the priorities? How on earth should the ISP know what my priorities are? How on earth should the football channel know they should not send with highest priority flags?
And there is also a much easier way that leaves the internet neutral:
As with e-mail spam filtering - let the settings be neutral from the ISP side, then let us set up our own profile or custom rules for the downstream traffic.
As a Comcast customer, I've never had my torrents completely stop, they just go around 300k... I did notice a speed increase when I chose to encrypt the traffic (uTorrent has it under Speed Guide).
Comcast is evil and I want them to DIAF, but my torrents, which are legal, haven't been that impacted.
When I want fast, I use the Comcast sponsored newsgroups through Giganews.
I noticed my WoW connection suddenly became unstable at the beginning of the month.
I implemented similar firewall rules on my mac and the instability was cut in half.
Guess the other half is being forged to the blizzard servers.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Of course, they could have just kicked you for using bittorrent in the first place, if they wanted to.
But they want your money.
They were hoping they could slow down bittorrent enough to not cause anyone to leave, but still get an under the table payoff from the *AA groups. I'm sure they'll keep tweaking and keep watching their subscription numbers.
By the way - While onto it - if they are to ratelimit live sports events and do on, they MUST prioritize the version for hearing impaired which have a square with a commentator speaking in sign language in the corner ABOVE the one for the rest. This simply because it is illegal to discriminate against hearing impaired and everyone is able to see the screen even though a part of it might not be of such interest to most of us. Of course - if the hearing impaired could set these option themselves, then we don't need to degrade the performance for those not hearing impaired neither.
And not just IP! When I'm done stealing IP I'll steal BGP and ICMP!
The internet will be mine, mine! Mwa ha ha ha ha ha ha!
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
I've had this command in my WRT54GL running DD-WRT for a while: iptables -A INPUT -p tcp --dport 39984 --tcp-flags RST RST -j DROP just replace 39984 with whatever post you use for bittorrent
I blame geof's speakers.
As my subject says. This is why you only put the filter on the specific port you are using for P2P traffic. For instance, my rule is as follows:
iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -j DROP;
The above does what it says, drop TCP RST packets on port 36745. That is all you need to do to keep it from affecting your other network applications which may be getting legit reset packets.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
I believe this is it
http://www.networkmirror.com/rdDEvxh7svNGl9W1/tuxtraining.com/2008/06/21/beating-sandvine-on-linux-with-iptables/index.html
It's when I see a comment on Slashdot, that seems to have no relation to the comment above it. Then I discover that the real parent post has been hidden by Slashdot's new comment system, and the child post linked to the grandparent.
It's damn annoying! Slashdot, please, at least link the child to the "hidden comments" link. That way, I won't get head spins when someone appears to viscously lash out at an interesting post.
viciously, not viscously. I'll have to learn to read my previews more closely.
They recently bumped up service to a full megabit upload speed, mostly because of Verizon FiOS service (which still isn't available anywhere in MA except the rich white suburbs- Boston's completely "dark", yet surrounded by towns and cities which have it.) However, if you use it past the old limit (384kbit), after a few minutes, latency skyrockets.
It takes anywhere from a minute to several minutes to kick in, but when it does, ping times to google jumped from 20-30ms to over 300ms. Sometimes I found ping times would be *seconds* long, and ssh became almost completely unresponsive. Curiously, none of the packets would actually be dropped- they'd just very, very badly delayed.
Seems very clearly designed to a)look the same as Verizon "on paper", 2)Satisfy people who want to email photos of the kids to grandma and grandpa (I will admit, it's insanely nice to be able to upload at four times the speed, when it works).
Please help metamoderate.
Technical merit? I think not.
They can't block the packets, they sold their users "unlimited" internet. If certain packets are just blocked that's not really unlimited, is it?
They sure didn't tell anyone they were secretly installing Sandvine boxes that nobody had heard of specifically to screw up certain kinds of traffic. They did it in secret. It was subterfuge. A dirty trick. Mischief.
Now that they are found out their story is they are just "managing bandwidth".
But what they are really doing is trying to stop 2% of their customers from using 98% of the bandwidth, bandwidth they have to pay for. Remember, though they are selling "unlimited" internet access at some level *all* bandwidth is measured. Theirs is certainly measured by their upstream provider. There is really no "unlimited" bandwidth.
.
Now, imagine you buy a year membership card.
Then you start showing up each morning, and again in the evening.
Then the fitness center comes to you and says: "You can come here, but we are going to lock all the doors when you show up, because you are using up to much resources and thus denying them to our other members.
Do you think there would be any outrage ?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I expect we'll see development of protocols more robust than TCP to a MITM attack (this is ultimately a MITM denial of service).
Encryption only obfuscates the files you are downloading/uploading, it doesn't hide what protocol you are using... (I think) In any case, it DID work for a while, but I guess Comcrap caught on to the protocol, and now my torrents (all legal BTW) are crapped out...
First they came for the game crackers,
and I did not speak up because I did not play games
Then they came for the pornographers,
and I did not speak up because I did not view porn
Then they came first for the spammers,
and I did not speak up because I was not a spammer
First they came for the music pirates
and I did not speak up because I was not a pirate
Then they came for me,
and by that time there was no fair-use left.
Your linux iptables based firewall needs to sit between the Comcast modem and the rest of your PC's...
--- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
"Here;s an idea: Stop fucking stealing shit !! If you don't steal you won't care if your stealing facilitation enablers get a fucking RST or not. "
rst hurts anyone trying to keep long lived tcp connections, regardless of how much or what traffic they are sending.
Not sure what you mean by sending work email from home.
If you mean your ability to establish a connection with a corporate mail server not located on your ISP's network, then port 25 is unnecessary. You should use port 465 with SSL instead. Problem solved since no ISP ever blocks port 465 in any direction. At least not that I am aware of.
If you mean your ability to run a mail server at your house, then your shit out of luck period. There are a large number of mail servers now that use policy block lists. Every ISP publishes their policy block lists which includes your IP address range. The moment your mail server tries to establish a connection to another mail server using this block list your packets could be dropped right at the router, or your connection terminated by the mail server itself.
Now as upsetting as that might be, it really is for the greater good. The vast majority of all the SPAM being sent every day comes from compromised windows machines on dynamic IP address ranges. Using the policy block list is very effective at immediately stopping those communications from ever reaching the mail server.
If you are absolutely determined to run your own mail server from home I would suggest getting a static IP address. Not only will port 25 not be blocked, but you will have a MUCH BETTER chance of your packets not being dropped by routers servicing the mail servers you will be sending email to.
Another option, depending on the amount of money you want to spend, is to retain the services of an email services provider. There are more than a few out there. You can use your own domain and they will host it for you. They can also provide a fair amount of security and usually are more reliable in getting the email to the destination.
Additionally, you could always get a virtual server someplace and run your own mail server software on it. They have linux and microsoft systems available pretty cheaply. Then you would be operating on IP address ranges used by big ISPs and data centers.
On top of everything, everybody seems to think it's their job to carry the Internet on its back and figure it out somehow. The end customer likes to have huge amounts of bandwidth for pennies.
Damn, those lousy cellular customers are making a lot of calls on our unlimited rates plan. Let's just cut off their calls or make the service so distorted that they hang up themselves.
Damn, those idiotic customers are all watching hi-dev TV on their cable. Maybe we should switch the output signal to low-def.
Stupid drivers, since the population of the city has grown this roadway has been plugged. Let's give them a lesson by dropping speed limits and closing lanes.
Darnit, people are actually using our long-distance plan to call relatives in the other side of the country more... let's just block their calls randomly with a busy signal.
Too many nerds are visiting slashdot these days, it's getting bogged down. We're tired of upgrading servers, so let's just leave them with these Pentium III's and delete the account of anyone who posts too often.
We don't put up with this shit in other marketplaces, why should we put up with it in regards to the internet? Part of a company's planning procedures should be to map out weak areas in infrastructure, predict where/when capacity increases need to be made, and make improvements where necessary.