Comcast Blocks Web Browsing 502
An anonymous reader writes "A team of researchers have found that Comcast has quietly rolled out a new traffic-shaping method, which is interfering with web browsers in addition to p2p traffic. The smoking gun that documents this behavior are network traces collected from Comcast subscribers Internet connections. This evidence shows Comcast is forging packets and blocking connection attempts from web browsers. One has to hope this isn't the congestion management system they are touting as no longer targeting BitTorrent, which they are deploying in reaction to the recent FCC investigations."
UK ISPs do this all the time (Score:5, Informative)
so nothing new in this here in the UK
Read the featured article (Score:5, Informative)
2. They are using firefox.
3. The Slashdot headline is not completely accurate.
The
Reading the article I got the idea that is not exactly the case...
Re:Throttling (Score:5, Informative)
Indeed. If we were talking about throttling.
Which we're not.
If the article didn't make that clear, this wiki link [wikipedia.org] might help.
Never noticed (Score:2, Informative)
I'd be impressed if the loudest complainers weren't some sort of thieving pirate.
Re:Are you serious? (Score:5, Informative)
Comcast, in many locations, is not just a de-facto monopoly, they are a de-jure monopoly. Comcast negotiates with municipalities to be the sole cable provider to community. The best situation in many of these cases is a duopoly between Comcast and the local Baby Bell. Often, for many regions, Comcast is the sole broadband provider, since the residents are too far away from the CO for DSL.
Re:Throttling (Score:3, Informative)
Re:Let me be the first to say (Score:2, Informative)
comcast charges for opting out (Score:5, Informative)
Last month I called comcast to tell them I did not want to be called, mailed, or emailed by them or any of their 'partners'. I called in response to a mailing from comcast that provided a phone number for opting out. FWIW, I have been receiving junk mail (post and electronic) from comcast encouraging me to get internet service from them, despite the fact that I have been a comcast internet customer since it was RCN.
Yesterday I received my monthly comcast bill, and on the bill was a $1.99 charge for "change of service". I called comcast, since I recalled making no changes to my service in the past decade. The telephone operator said "that charge is for when you called to opt-out of the comcast and partner mailings". She quickly followed with "we can remove that charge with a credit to your next statement".
Sigh.
$1.99 is not much, and almost not worth the time calling about it. But the attitudes and practices behind the fee are what get my goat.
Re:It's not interfering with my browser or bittorr (Score:2, Informative)
Re:Are you serious? (Score:5, Informative)
Re:FIOS availability (Score:2, Informative)
Re:Are you serious? (Score:5, Informative)
Their service is terrible and unreliable and they treat their customers like shit. This makes them a slightly better option than the local phone company.
No. They are part of a government enforced duopoly. In most locations in the US only three companies have the legal right to use the right of ways that allow them to connect a line to your house. These companies are given an exclusive contract in most cases. They are:
In short, internet access options in most of the US sucks. We've already paid more per person in tax subsidies to the network providers than many other countries. Sweden, for example has slightly less population density and had a huge embezzling scandal in their national internet drive. They paid half as much per person as people in the US, have on average ten times faster connections, better uptime, and pay about half as much per month as US citizens.
The phone companies and the cable companies have lobbyists who legally bribe our politicians with campaign contributions. As a result, the good of the people isn't even considered. It is just a battle of whether a given law will give money to the cable company or the phone company. Either way citizens get the shaft.
There are numerous ones making their slow progress through the courts, usually to end in a private settlement. One might actually go through sometime this decade, but the politicians has also been working on passing laws to grant retroactive immunity to network operators for malicious, illegal abuses under the guise of national security. There is little hope.
The antitrust regulators are appointed by the executive branch. Both candidate's parties in the last two elections received huge donations from hundreds of private companies and for some reason antitrust regulators i the US show little or no interest in prosecuting even blatant antitrust abuses. (In the case of Microsoft, they had already been convicted and the new appointees, changed the punishment from being broken up, to a small fine and a pat on the back.)
Local routers defend agaist DOS attack (Score:5, Informative)
We synthetically generated TCP SYN packets at a rate of 100 SYN packets per second using the hping utility ... The IP Time to Live (TTL) field for these forged TCP RST packets is consistently set to 255
So, when new connection requests are issued at the rate of 100 per second, the first router is resetting some of those requests.
The application is issuing new connection requests at a prodigious rate. The router determines that this is beyond the capacity for the router, or perhaps beyond some limit imposed on that router by the internal network. Or, perhaps, it is beyond a rate parameter that is used to detect DOS attacks.
When such a limit is exceeded, there are a few reasonable responses for the router to choose from: It can drop random packets; It can drop random SYN packets; it can drop packets from the attacking host; or it can NAK/RST some of those SYN packets. All of those are legitimate router responses. The reset packets are not "forged". They are legitimate responses in the protocol. The primitive operation is called a "provider disconnect indication".
I don't see any problem in the protocol here. And, I don't see any problem in the router behavior. The router is just protecting itself and the network from overload conditions. By selecting to disconnect calls from a host that is using far more resource than other hosts, it is just protecting the other hosts from a DOS attack by that first host.
The title of the summary should be "Local routers defend agaist DOS attack".
Re:FIOS availability (Score:3, Informative)
How to truly beat comcast. (Score:5, Informative)
We sued comcast. What? How? Eh?!?
Check your EULA that you signed when first getting service. If you are a business customer this REALLY affects you. Their "shaping" technology actually caused a shitload of false positives on a bunch of alarms. Our sent packets to security equipment wasn't always returned so we started to get a lot of "failure to connect". Well... a lot of what we manage are fall back systems that when they come online take over for other sites.
Well... these different locations of hardware were not able to communicate correctly because they were identified as P2P. We use encrypted packets of random data to doubly ensure that it's authentic communication.
This set off a chain of events as the shaping got worse and worse. Originally we thought it was our network code. We couldn't reproduce it and noticed our satellite connection didn't have this issue.
Our amazing network engineers took 2 months to track down the issue and it was their shaping technology blocking or resetting our connections at almost a 90% success ratio. Now while we preferred having 24/7 connections to our equipment this was no longer possible unless we altered our code significantly.
So we looked at our EULA and sure enough there was no mention of interception of data and packet shaping. In fact, our contract said they wouldn't do anything without notifying and getting our approval first.
We sued. We won. Now we're waiting judgment for lost revenue, breaking of contract etc.
I STRONGLY recommend every business out there who has remote equipment that does more than "ping" for responses and are having trouble to check your Agreement. Screw cancelling your subscription. Sue the pants off of them.
Drop all packets with TTL 254. Duh. (Score:3, Informative)
Re:FIOS availability (Score:5, Informative)
See the mash-ups menu for some FIOS info.
Re:Are you serious? (Score:3, Informative)
The franchise setup is not considered a monopoly by the government because:
a) it was accepted by the local government (and supposedly by the people). The down side is many of these contracts are long term and were originally with smaller companies that comcast has now purchased.
b) There are other cable providers in the business and the government does not consider internet access a regulated industry, so satellite and OTA are considered competitors to comcast.
c) The 1996 telecommunications act allows any one cable company to serve up to 30 of the US without being anti-competitive (which BTW comcast is lobbying to up that percentage)
The problem is that as comcast is not regulated the way the phone companies are, they don't have to play nice with anyone else or guarantee any level of service. And if the government steps in they will probably have to regulate all cable media, meaning federal taxes, maintenance charges, etc in excess of what comcast is now stealing from their customers.
IP2Location (Score:3, Informative)
The company IP2Location [ip2location.com] will determine not only the geographic location of your visitors, but also their ISP.
Re:Comcast: we hate our customers (Score:2, Informative)
We should have kept ICMP Source Quench (Score:5, Informative)
In the early days of the Internet (by which I mean 1981-1983, not 1997) there were ICMP Source Quench messages. This provided a way for routers to say to an end node "Slow Down." Back when I was working on congestion control, I had our TCP implementation (a modified 3COM UNET; this was before Berkeley got into TCP) set to cut down the size of the congestion window when a Source Quench was received. I took the position that Source Quench messages should be sent before the packet-drop point was reached, so that a well-behaved TCP should never have a packet dropped for congestion reasons.
This didn't catch on, though. There was concern that sending Source Quench messages would choke the network, since as the network congests, routers need to send more Source Quench messages. That sort of behavior creates an unstable condition. And coming up with a generally applicable Source Quench policy was hard. Eventually, ICMP Source Quench was deprecated.
Without Source Quench, there's not much a router can say to an end node about congestion. A router can still send ICMP Destination Unreachable messages, though. What Comcast ought to be doing if they want to reject a connection is to send back ICMP Destination Unreachable, Code 13 (communication administratively prohibited). That's a legitimate action by a router, and it makes it clear who's complaining. Some firewalls will send such messages, so they're not unheard of; however, some NAT boxes don't translate them properly, so they may not reach home clients.
But faking a TCP RST, or worse, sending an ACK for something that didn't reply at all, is just wrong.
Re:FIOS availability (Score:3, Informative)
The only problem with your assumption is that FIOS is Verizon, not AT&T.
Now, AT&T is deploying FTTP and FTTN, but it's not branded as "FIOS". Now if only Qwest would get their act together.
Re:Comcast: we hate our customers (Score:5, Informative)
Re:Local routers defend agaist DOS attack (Score:2, Informative)
- Pass the packet, decreasing its TTL,
- or drop the packet.
If there's congestion, the router is allowed to:- Set the Congestion experienced ECN flag (if ECN is supported on the connection)
- and/or send an ICMP source-quench (although this seems to be deprecated).
Forging a RST is definitely in no RFC. It's bad.Re:Local routers defend agaist DOS attack (Score:3, Informative)
Re:They are still forging packets (Score:2, Informative)
I wonder if using a UDP based VPN instead would I have had similar problems. If I were the betting type I would say probably not based on what I am reading here. It sounds like they were only filtering TCP traffic to certain destinations...
That's really unacceptable. I need to find the number for customer complaints in my neighborhood.
If anything, they should just implement RFC 2386 and if your traffic isn't classified properly, it's your fault.
Re:Surprise! (Score:2, Informative)
Re:Throttling (Score:3, Informative)
Megabit/sec
1 93.7 Japan
2 43.3 Korea
3 11.8 Australia
4 9.1 European Union
5 8.7 United States
6 6.9 Canada
7 1.6 Mexico
8 1.4 Turkey
They're not just sending RSTs (Score:3, Informative)
Re:Drop all packets with TTL 254. Duh. (Score:3, Informative)
Re:Throttling (Score:3, Informative)
Other interesting quotes from the article: "The U.S. range for a monthly subscription was between $14.99 for lower speeds and $199.99 for the top level of service. Only four of the 30 OECD countries had a lower low-end price."
"In South Korea, the range was $30.56 to $50.93 for the highest speed of service, and in Japan, the range was $21.22 to $131.57."
TFA now shows this apology (Score:3, Informative)