Forgot your password?
typodupeerror
Networking Software The Internet Linux Your Rights Online

Beating Comcast's Sandvine On Linux With Iptables 361

Posted by timothy
from the and-then-I'd-be-all-like-pow-and-reconfigure-iptables dept.
HiroDeckard writes "Multiple sites reported a while ago that Comcast was using Sandvine to do TCP packet resets to throttle BitTorrent connections of their users. This practice may be a thing of the past as it's been found a simple rule in the Linux firewall, iptables, can simply just block their reset packets, returning your BitTorrent back to normal speeds and allowing you to once again connect to all your seeds and peer. If blocking the TCP packet resets becomes a common practice, on and off of Linux, it'll be interesting to see the next move in the cat-and-mouse game between customers and service providers, and who controls that bandwidth."
This discussion has been archived. No new comments can be posted.

Beating Comcast's Sandvine On Linux With Iptables

Comments Filter:
  • by Anonymous Coward on Monday June 30, 2008 @12:22AM (#23996505)

    It'll bust their trace buster buster.

    • Re: (Score:2, Insightful)

      by Bohabo (1273432)
      Legal questions aside, is there some technical merit to using Sandvine instead of just blocking the packets? Is it less expensive to the ISP or something? I don't understand why they're doing it.
      • by Tubal-Cain (1289912) on Monday June 30, 2008 @01:46AM (#23996957) Journal

        Straight-up blocking it is probably more clearly illegal than throttling.

      • by ciscoguy01 (635963) on Monday June 30, 2008 @01:54AM (#23996989)
        Technical merit? I think not.
        They can't block the packets, they sold their users "unlimited" internet. If certain packets are just blocked that's not really unlimited, is it?
        They sure didn't tell anyone they were secretly installing Sandvine boxes that nobody had heard of specifically to screw up certain kinds of traffic. They did it in secret. It was subterfuge. A dirty trick. Mischief.
        Now that they are found out their story is they are just "managing bandwidth".
        But what they are really doing is trying to stop 2% of their customers from using 98% of the bandwidth, bandwidth they have to pay for. Remember, though they are selling "unlimited" internet access at some level *all* bandwidth is measured. Theirs is certainly measured by their upstream provider. There is really no "unlimited" bandwidth.
        • But what they are really doing is trying to stop 2% of their customers from using 98% of the bandwidth, bandwidth they have to pay for. Remember, though they are selling "unlimited" internet access at some level *all* bandwidth is measured. Theirs is certainly measured by their upstream provider. There is really no "unlimited" bandwidth.

          Their own damn fault for selling something they don't have!

          • by Crayon Kid (700279) on Monday June 30, 2008 @06:00AM (#23998029)

            Their own damn fault for selling something they don't have!

            They always have. ISP's, especially those on the last mile, have historically sold 10 to 20 times the actual bandwidth to their customers. Except a while back the last mile was not a hot zone. There weren't so many things you can use huge amounts of bandwidth on.

            Today there are lots. Desktop apps move to the web, there's streaming, online gaming, all kinds of legal, semi-legal and illegal things to download, malware and the list goes on and on.

            The ISP's are caught in the middle of all this. They've entered this time period with pricing policies that belong in gentler times, and their infrastructure is also outdated and getting more so every day.

            On top of everything, everybody seems to think it's their job to carry the Internet on its back and figure it out somehow. The end customer likes to have huge amounts of bandwidth for pennies. The websites and online apps have bulk deals for bandwidth with providers that have efficient distribution infrastructures all over the world. And the last mile ISP is left to fight a dog eat dog fight with other similar local ISP or with a bigger area ISP, both of which will drive it out of business eventually.

            Not to mention the crazy politics involved, where they are required to act as copyright cops and other idiocies.

            So they're desperate. They're trying anything to "fix things". There are a couple of sane solutions but not without problems. The obvious move would be to rethink their pricing and start selling capped amounts of bandwidth. Filtering will always be passed somehow but a hard cap upstream is a hard cap. And nobody will be able to protest they're not getting what they're paying for.

            But this isn't easy either, because of the fierce competition. You do hard caps, you piss of customers. If they have a choice, they'll run to that new ISP that popped up in the neighborhood a week ago. Sure, that ISP will experience the same problems a while from now, but in the meantime you're short some income.

            Another solution is a world-wide effort to update infrastructure (better throughput, either hardware or software). But who's gonna pay for that? The last mile ISP's can't and won't and granted, it's not fair they should pay all of it. But the other interested parties like the status quo and won't pay either, but will bitch just as readily about filtering and caps and whatnot. In the end, the ISP's will probably turn to insightful investors like Google's dark fiber and become their prisoners and people won't like that either, but will conveniently forget they're the ones that pushed the ISP's into that corner.

            It's not just the ISP's fault, it's everybody's. The Internet has become an ecosystem, you gotta work together on all parts of it to see proper overall change.

            • by CyberDog3K (959117) on Monday June 30, 2008 @07:54AM (#23998467)
              I might be less critical of them if they actually spent some of their abusively high rates on upgrading said failing infrastructure instead of god knows what [gizmodo.com].
            • by growse (928427) on Monday June 30, 2008 @08:00AM (#23998511) Homepage

              On top of everything, everybody seems to think it's their job to carry the Internet on its back and figure it out somehow.

              This seems to me to be *exactly* what an ISP's job is. If they don't like doing this, they should get on out of the business.

            • by tinkerghost (944862) on Monday June 30, 2008 @08:21AM (#23998635) Homepage

              Another solution is a world-wide effort to update infrastructure (better throughput, either hardware or software). But who's gonna pay for that? The last mile ISP's can't and won't and granted, it's not fair they should pay all of it.

              Um, in the US, we're already paying for it. We have since the late 90's when congress passed huge tax breaks on to telcos to develop our 40Mbps connections - you have one of those don't you? The telco's promised us one years ago, I'm sure mine is just around the corner.

            • by phorm (591458) on Monday June 30, 2008 @09:49AM (#23999519) Journal
              On top of everything, everybody seems to think it's their job to carry the Internet on its back and figure it out somehow. The end customer likes to have huge amounts of bandwidth for pennies.

              Damn, those lousy cellular customers are making a lot of calls on our unlimited rates plan. Let's just cut off their calls or make the service so distorted that they hang up themselves.

              Damn, those idiotic customers are all watching hi-dev TV on their cable. Maybe we should switch the output signal to low-def.

              Stupid drivers, since the population of the city has grown this roadway has been plugged. Let's give them a lesson by dropping speed limits and closing lanes.

              Darnit, people are actually using our long-distance plan to call relatives in the other side of the country more... let's just block their calls randomly with a busy signal.

              Too many nerds are visiting slashdot these days, it's getting bogged down. We're tired of upgrading servers, so let's just leave them with these Pentium III's and delete the account of anyone who posts too often.

              We don't put up with this shit in other marketplaces, why should we put up with it in regards to the internet? Part of a company's planning procedures should be to map out weak areas in infrastructure, predict where/when capacity increases need to be made, and make improvements where necessary.
            • by PieceofLavalamp (1244192) on Monday June 30, 2008 @10:47AM (#24000557)
              You've used "fierce competition" to describe the ISP market place. So i must assume you are being sarcastic. You really shouldn't bury sarcasm like that in between rather insightful points, you'll confuse people who aren't familiar with the issue... New ISPs haha funny.
        • by AftanGustur (7715) on Monday June 30, 2008 @02:47AM (#23997193) Homepage
          Fitness centers operate similarly, they have numbers on how many times each member comes per week, and based on that (and other parameters) they price access to the center.

          Now, imagine you buy a year membership card.

          Then you start showing up each morning, and again in the evening.

          Then the fitness center comes to you and says: "You can come here, but we are going to lock all the doors when you show up, because you are using up to much resources and thus denying them to our other members.

          Do you think there would be any outrage ?

          • by Nathonix (843449) <nathonix@gmail.com> on Monday June 30, 2008 @03:17AM (#23997307)
            yes, very much so. a year pass is a year pass, unless the contract stipulates how many times a week one can show up, it would be false advertising to sell a year pass with undisclosed limits.
          • by Maxo-Texas (864189) on Monday June 30, 2008 @04:03AM (#23997531)

            Say that you found out a way to earn or safe a lot of money by staying on the fitness machines 16 hours a day.

            Suddenly, the 28 fitness machines they expected to service 5,000 people are being used from opening until closing by the same 28 people.

            Do you think the fitness companies and their customers would say "ah well... they've got us because of our advertising unlimited service."

            No- the next time your contract came up, it would have a clause that allowed them to force people to share the machines or something to protect them.

            You are being unreasonable. The cable companies are trying a weaselly scummy way to get out of the situation instead of just doing what they should do up front.

            1) Determine the real usage of their desired customer (say 20gb a month).
            2) Advertise 24gb a month for one "low rate" with a "reasonable $1 per gb"

            And eventually they will. Even if you have you current company in an iron clad contract, if it is losing money the situation *will* fix it self.

            ---

            The current isp situation in america is a complete joke and anti-capitalistic. We basically have duopolies in 99% of cities between AT&T and a cable company. That needs to stop and be broken up. The internet wires, like the roads, should put be put by the government.

            • by Culture20 (968837) on Monday June 30, 2008 @08:33AM (#23998737)
              This makes sense with telephone switching, but packet switching? It's more like 28 people using the machines, taking breaks occasionally, then getting back on when other people are done (using a FCFS scheduling algorithm). The worst the fitness company could complain about is that these 28 people are causing "undue stress" to the machines (which is ridiculous anyway).
        • by grimwell (141031) on Monday June 30, 2008 @07:17AM (#23998307)

          But what they are really doing is trying to stop 2% of their customers from using 98% of the bandwidth, bandwidth they have to pay for. Remember, though they are selling "unlimited" internet access at some level *all* bandwidth is measured. Theirs is certainly measured by their upstream provider. There is really no "unlimited" bandwidth.

          Pisshaw. Large regional and national ISPs don't have "upstream" providers. They have a presence in a NAP(s) and peering agreements with other networks. The only costs they have is for the infrastructure; physical cables, equipment, power and people. They don't pay for bandwidth on a "meter". Their bandwidth is limited by equipment; available technology and costs.

          They are "managing bandwidth" to control last mile congestion. It is cheaper to mangle traffic than to upgrade the last mile. Plain and simple.

      • Last time this came up for discussion, some people suggested that RST-injection was computationally easier than packet blocking, because it works on the connection level rather than the packet level.

        It still seems to me like you'd have to do quite a bit of DPI to determine which connections are being used for Bittorrent, but maybe you can identify a connection, send a forged RST packet, and then ignore the packets in that connection for a while (saving you load on the DPI box) for a while, maybe just until it closes.

        I'm not entirely clear how these Sandvine boxes work, but it seems like it would be easier to identify "okay, this connection is being used for x," "this connection is being used for Y," and then not have to pay more attention to them, than it would be to examine every single packet. That's where you get your cost reduction, I suspect.

        Sandvine has a few patents out there that probably describe in greater detail how their QoS tool works (and which I haven't read yet); apparently the QoS RST-forging are part of their "Stateful Policy Management" product.

        • Re: (Score:3, Informative)

          by kilocomp (234607)

          The reason for RST-Injection vs. packet blocking is simple.

          For packet blocking, the appliance has to know instantly whether to block a packet or allow it.

          For RST-Injection, the appliance can monitor a flow and spend some computing time deciding whether or not to inject a reset.

          The time an appliance has to decide whether to throttle changes from microseconds to milliseconds or possibly even seconds.

  • by Anonymous Coward on Monday June 30, 2008 @12:23AM (#23996511)
    Wasn't this solution posted in the first few comments when this was first reported as happening.
  • Tag: !news (Score:5, Insightful)

    by Mr2001 (90979) on Monday June 30, 2008 @12:23AM (#23996513) Homepage Journal

    This trick has been around for a while, hasn't it?

    The problem is, you can only filter out the RST packets on your end of the connection. But Sandvine also sends RSTs to the other end of the connection. That means it isn't enough for you to be running this iptables rule - all the peers you connect to have to be running it too.

    • Re:Tag: !news (Score:5, Informative)

      by Jeffrey Baker (6191) on Monday June 30, 2008 @12:35AM (#23996591)
      Not just that, but it filters out RST packets that may in fact have been sent by the peer. So this trick can leave you with sockets hanging open in a bad state.
      • Exactly. (Score:5, Informative)

        by plasmacutter (901737) on Monday June 30, 2008 @12:45AM (#23996663)

        I noticed my WoW connection suddenly became unstable at the beginning of the month.

        I implemented similar firewall rules on my mac and the instability was cut in half.

        Guess the other half is being forged to the blizzard servers.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          I implemented similar firewall rules on my mac and the instability was cut in half.

          Maybe you should ignore RST only on specific port ranges...

          Just a thought.

      • by Fallen Kell (165468) on Monday June 30, 2008 @01:15AM (#23996815)
        As my subject says. This is why you only put the filter on the specific port you are using for P2P traffic. For instance, my rule is as follows:

        iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -j DROP;

        The above does what it says, drop TCP RST packets on port 36745. That is all you need to do to keep it from affecting your other network applications which may be getting legit reset packets.
        • by Jeffrey Baker (6191) on Monday June 30, 2008 @01:41AM (#23996941)
          Your comment seems to imply that no bittorrent peer will ever need to RST the connection, which is not generally true.
          • Well, if you're getting bitten by ComCast (or other e.g. Canadian) ISPs that are resetting connections, then it's probably better to leave connections open that shouldn't be than to close connections that should stay open.

            It's a response to a violation of the TCP protocol to begin with, so it's not surprising that it has some negative side effects.

            Probably the best thing to do would be to build a filter that registers the presence of the RST packet and waits to see if you get more data from the site that supposedly sent it.
            * If the site that the RST packet supposedly came from continues to act like it's got an open session, then you can ignore the RST as a forgery.
            * If you have no more non-closure packets after the RST, then you can apply an aggressive timeout and then deliver the RST after 2-3 seconds of silence.

            • by emc (19333) on Monday June 30, 2008 @02:36AM (#23997167)

              Although, I've never had this issue and am not a Comcast customer...

              I'd assume that the RST coming from Comcast would probably have a different TTL than a legitimate RST.. As a matter of fact, all the RST coming from Comcast would probably have the same TTL.

              Anyone looked into this?

              • Re: (Score:3, Interesting)

                by dfn_deux (535506)
                An interesting question to be sure, but then again once you've settled on TTL as a mode of detection then what is to stop comcast from obfuscating that information with a cooked tcp stack? They control all the packets which come to you, by introducing a jitter to some "innocuous packet encapsulation data" they could both come out on top in the cat/mouse game and if challenged by a court might be cutting close enough to the line between what part of the transmission is required to be carried by a common carr
              • by sega01 (937364) on Monday June 30, 2008 @06:27AM (#23998103) Homepage
                That it is a great idea. Combined with only dropping RST packets for your torrent port you could have it match a specific TTL as well. Try this: iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -ttl-eq $EVILISPTTL -j DROP
              • by kilocomp (234607) on Monday June 30, 2008 @12:02PM (#24002063)

                This was an initial way researchers detected forged resets. And it still works for some appliances (think snort), but most appliances ISPs use forge TTL now.

                The appliance is seeing everything including TTL, so it is rather trivial for these devices to forge it on top of everything else it forges.

                One idea being played around with is looking at the arrival time of the reset. A much harder analysis, but a much harder thing for the appliance to control.

          • Re: (Score:3, Insightful)

            by baeksu (715271)

            No good medicine comes without side effects.

            It is my understanding that these false resets cause much more serious disruption than leaving connections open, so you are still coming out ahead.

      • Re: (Score:2, Interesting)

        by GNUALMAFUERTE (697061)

        I think it shouldn't be hard to only drop RST packets forget by comcast. It's not hard to identify a fingerprint of the packet, either by the TTL, sequence, or something, on the RST packets that's uniq to comcast forged packets.

    • Re:Tag: !news (Score:5, Interesting)

      by Easy2RememberNick (179395) on Monday June 30, 2008 @01:19AM (#23996833)

      'Sandvine also sends RSTs to the other end of the connection. That means it isn't enough for you to be running this iptables rule - all the peers you connect to have to be running it too.'

        Isn't that your ISP committing fraud? Altering a private communication with the intent of disrupting it, or the very least it's the 'ISP' impersonating you and also the other party.

    • by JDizzy (85499)

      interesting.

      So then, it seems that p2p firewall rules may come to be. I mean synchronized rules between nodes.

    • Re:Tag: !news (Score:5, Insightful)

      by cryptoluddite (658517) on Monday June 30, 2008 @02:23AM (#23997101)

      The problem is, you can only filter out the RST packets on your end of the connection.

      That's only a temporary problem. The real problem -- for the ISPs -- is that the same software is running on each end of a p2p, so all of their efforts are guaranteed to fail eventually.

      For instance, p2p programs can start using UDP spread spectrum... pass packets on random ports. The receiver then basically implements a quick and dirty tcp-like connection over this (ie much worse for an ISP than actual TCP). Add encryption and random length so it's harder to filter out. Or there can be a shared random number seed for the shared ports. Just for example...

      There's probably some computer science or information theory law stating this, but they can't ultimately reduce the targeted traffic by more than the loss from encoding it as 'normal' traffic. For instance, if they limit torrents to 100k/s and the loss is 33% from 'base64' encoding the data as some kind of an html-ish doc then if normal web pages get more than 133k/s then torrents would be faster encoding them as 'normal' traffic.

      ... then they have to try to figure out what are real web pages/servers and what are really some other protocol pretending.

      • Re: (Score:3, Insightful)

        by bytesex (112972)

        In short, it's an arms race; both parties are equally equipped and both parties care none for the collateral. And the first rule of arms races is that whoever started it, lost.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          This is not entirely true; both parties are not equally equipped. The ISP has to do a whole lot of filtering with a minimum of resources, because resources (CPU, memory) are expensive, while the users they are up against have a lot of idle CPU time and free memory to use.

          (posting as AC because I already moderated)

    • by thermian (1267986)

      well then what we will most likely see is support for blocking these packets becoming a standard feature of bittorrent clients

  • Sandvine? (Score:5, Funny)

    by cbrocious (764766) on Monday June 30, 2008 @12:24AM (#23996523) Homepage
    I heard it through the sandvine.
    • by Anonymous Coward on Monday June 30, 2008 @01:53AM (#23996987)
      I'll bet you're wondering how I knew,
      Why my packets never made it through,
      With some other peer I was sharin' files,
      Between the two of us Comcast was runnin' wild,
      Reset me by surprise (reset by surprise), I'm afraid,
      From the R-I-Double-A,
      Don'tcha know,

      I heard it through the sandvine.



      Not much bandwidth's gonna be mine.
      Oh, I heard it through the sandvine...
      Oh, I'm just about to lose my mind,
      Honey, honey, yeah...

      I know a geek ain't supposed to cry,
      But these fears I can't hold inside,
      Losin' the 'net and it's neutrality,
      Yeah, it means that much to me,
      You coulda told me (you coulda told) yourself,
      That you're forgin' packets for someone else,

      Instead I heard it through the sandvine...
      Not much bandwidth's gonna be mine.
      Oh, I heard it through the sandvine...
      Oh, I'm just about to lose my mind,
      Honey, honey, yeah...

      People say "Believe half of what you see,
      Son, and none of what you hear",
      But my router's mighty confused,
      So if it's true, please tell me dear,
      Do you want (do you want) to make me go,
      Back to the ISP (and USENET feed) I used before,

      Or should I drop packets from your sandvine...
      Plenty bandwidth's gonna be mine.
      Oh, I don't listen to your sandvine...
      MPAA's 'bout to lose its mind,
      Honey, honey, yeah...

      - Original work, composed under the influence of Slashdot and beer. Lyrics in public domain. Someone with vocal talent, feel free to improve, record, and youtube it as a parody under the fair use exemptions.

  • by corsec67 (627446) on Monday June 30, 2008 @12:26AM (#23996531) Homepage Journal

    While it is good that it is easy to ignore reset packets that were created by the ISP, the question still remains:

    Why should we have to block forged packets made by the ISP? If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?

    And, wow that site went down fast.

    • Re: (Score:3, Funny)

      by Macman408 (1308925)

      And, wow that site went down fast.

      Nah, your ISP just sent a RST to both ends as soon as the connection was established.

    • by Fallen Kell (165468) on Monday June 30, 2008 @01:21AM (#23996845)

      If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?



      Yet another reason why anyone who knows anything about computers and networks have been saying the **AA's methods of identification are a complete joke and don't amount to anything that could be considered evidence.

    • Re: (Score:3, Informative)

      by Repossessed (1117929)

      The law in my state (Utah) includes the following:

      (4) A person who intentionally or knowingly and without authorization, interferes with or interrupts computer services to another authorized to receive the services is guilty of a class A misdemeanor.

      (Misdemeanors for the same offense stack until they become felonies in Utah, not sure what it works out to for class As though)

      (3) Any person is guilty of a second degree felony who:
      (a) knowingly and unlawfully possesses an in

  • It doesn't matter. (Score:2, Interesting)

    by Anonymous Coward

    It doesn't matter what it is, it'll be worse, more draconian, and will still be subverted quickly.
    ISPs (and many other certain groups) need to realize that they have already lost, and will lose, ad infinitum. The fight will only cause hemorrhaging of even more customers.

  • Port 25 (Score:2, Interesting)

    by bwave (871010)
    Now if we could just find away to get around them blocking port 25! Pretty inconvienent for those who need to send work email from home.
    • Re: (Score:3, Insightful)

      by PIBM (588930)

      Easy.

      Get a real ISP.

    • by whoever57 (658626)

      Now if we could just find away to get around them blocking port 25!

      Try using port 587 or better still, 465 (with SSL/TLS)

    • Re: (Score:2, Informative)

      by Mr. Slippery (47854)

      Shouldn't you be using port 587 [ietf.org] for that?

    • Re: (Score:2, Informative)

      by awdau (1108639)

      All _decent_ mail servers allow for the submission of email on TCP port 587. So you could send your work emails that way.
      Or VPN into work and send emails that way.
      Or even use your ISP's mail server to send the emails (though you might be hit an obstacle like SPF).

    • Re:Port 25 (Score:5, Informative)

      by EdIII (1114411) * on Monday June 30, 2008 @04:22AM (#23997621)

      Not sure what you mean by sending work email from home.

      If you mean your ability to establish a connection with a corporate mail server not located on your ISP's network, then port 25 is unnecessary. You should use port 465 with SSL instead. Problem solved since no ISP ever blocks port 465 in any direction. At least not that I am aware of.

      If you mean your ability to run a mail server at your house, then your shit out of luck period. There are a large number of mail servers now that use policy block lists. Every ISP publishes their policy block lists which includes your IP address range. The moment your mail server tries to establish a connection to another mail server using this block list your packets could be dropped right at the router, or your connection terminated by the mail server itself.

      Now as upsetting as that might be, it really is for the greater good. The vast majority of all the SPAM being sent every day comes from compromised windows machines on dynamic IP address ranges. Using the policy block list is very effective at immediately stopping those communications from ever reaching the mail server.

      If you are absolutely determined to run your own mail server from home I would suggest getting a static IP address. Not only will port 25 not be blocked, but you will have a MUCH BETTER chance of your packets not being dropped by routers servicing the mail servers you will be sending email to.

      Another option, depending on the amount of money you want to spend, is to retain the services of an email services provider. There are more than a few out there. You can use your own domain and they will host it for you. They can also provide a fair amount of security and usually are more reliable in getting the email to the destination.

      Additionally, you could always get a virtual server someplace and run your own mail server software on it. They have linux and microsoft systems available pretty cheaply. Then you would be operating on IP address ranges used by big ISPs and data centers.

      • Re: (Score:3, Informative)

        by houghi (78078)

        Problem solved since no ISP ever blocks port 465 in any direction. At least not that I am aware of.

        In Belgium at least 1 provider (Telenet) blocks everything below port 1024 for standard customers.

  • by Alsee (515537) on Monday June 30, 2008 @12:35AM (#23996589) Homepage

    Now he needs to add a rule to iptables to save the webserver from the Slashdot effect.

    -

  • Usenet (Score:3, Informative)

    by Anonymous Coward on Monday June 30, 2008 @12:36AM (#23996593)

    Well if you are doing something illegal (like downloading music from bands under the RIAA), not that I condone it, but Usenet would be the best choice.

    First of all your provider probably doesn't throttle downloads. Second of all your IP doesn't get sent out to everyone and their mother, the only people that know it are your ISP and Usenet provider.

    tl;dr: Usenet binary groups FTW

  • by Zombie Ryushu (803103) on Monday June 30, 2008 @12:36AM (#23996605)

    I wonder if they will just say that blocking their RST Packets is a violation of TOS and disconnect you.

    • by Anonymous Coward

      Of course, they could have just kicked you for using bittorrent in the first place, if they wanted to.

      But they want your money.

      They were hoping they could slow down bittorrent enough to not cause anyone to leave, but still get an under the table payoff from the *AA groups. I'm sure they'll keep tweaking and keep watching their subscription numbers.

  • I'd like to know which rule does the magic. Can some one please paste one here....thanks.
  • by kandresen (712861) on Monday June 30, 2008 @12:44AM (#23996649)

    There is no more good reasons and not any easier for the ISP's to block or rate limit our web-use than it is to centrally control spam. People are different, and have different needs plain and square.

    Who should have priority, and how to determine it? I can guarantee that if it is a packet flag, then spammers, virus writers, and even bit torrent users will find a way to use it. And regardless, consider the following:

    - Which priority should online Live football have from site X? Should it have over the one from site Y, and Z, and the 1000+ others with different commentators and different languages?
    - What if you rather wanted live games? Or Live online music concerts? What should have higher priority?
    - What about your live online video rentals - stream from Netflix over one from Blockbuster or should maybe your own ISP be allowed to rate limit all the competition to sell their own?
    - What about my VoIP from Skype over Vonage, Gizmo, Provider X,Y,Z?
    - What about Online games from Xbox 360 above Playstation 3?

    Who are to set the priorities? How on earth should the ISP know what my priorities are? How on earth should the football channel know they should not send with highest priority flags?

    And there is also a much easier way that leaves the internet neutral:
    As with e-mail spam filtering - let the settings be neutral from the ISP side, then let us set up our own profile or custom rules for the downstream traffic.

    • by kandresen (712861) on Monday June 30, 2008 @01:03AM (#23996747)

      By the way - While onto it - if they are to ratelimit live sports events and do on, they MUST prioritize the version for hearing impaired which have a square with a commentator speaking in sign language in the corner ABOVE the one for the rest. This simply because it is illegal to discriminate against hearing impaired and everyone is able to see the screen even though a part of it might not be of such interest to most of us. Of course - if the hearing impaired could set these option themselves, then we don't need to degrade the performance for those not hearing impaired neither.

      • by ross.w (87751)
        Wouldn't subtitles be easier? like they do on DVD/s
        • by 1u3hr (530656)
          Wouldn't subtitles be easier? like they do on DVD

          If they could get someone who could transcribe them in real time. Possible, I guess, stenographers need to be able to do something like that.

  • encryption (Score:5, Interesting)

    by socsoc (1116769) on Monday June 30, 2008 @12:45AM (#23996659)
    As a Comcast customer, I've never had my torrents completely stop, they just go around 300k... I did notice a speed increase when I chose to encrypt the traffic (uTorrent has it under Speed Guide).

    Comcast is evil and I want them to DIAF, but my torrents, which are legal, haven't been that impacted.

    When I want fast, I use the Comcast sponsored newsgroups through Giganews.
    • by imunfair (877689)

      I can verify that at a certain point torrents stopped working completely for me on Comcast, but then I checked the box to encrypt connections and they started working again. (I first noticed it trying to bittorrent a linux distro)

      Also, another weird and possibly related phenomenon - BT clients used to freeze up my computer. It was random and didn't matter if I had the rates throttled (though it seemed worse if I didn't throttle). Any client would do it. Since turning on encrypted connections BT has not f

  • Back a few years ago I did a lot of BT downloading. More recently, my only experience was in downloading a copy of Fedora 9. Surprisingly, Comcast was even hitting me with this RST garbage on that download. Pretty tiresome. If they're going to filter BT at least they could provide us some way to identify our transfers as "legitimate."

    Not to mention the fact that, seeing as I do very little BT, why did they target me so quickly?

    • You are assuming that they are slowing down BT because they want to stop you breaching someone else's (not their) copyrights. They are slowing it down because BT can use a a lot of bandwidth, which costs them money.
  • Mirror (Score:4, Informative)

    by Easy2RememberNick (179395) on Monday June 30, 2008 @01:27AM (#23996863)

    I believe this is it

    http://www.networkmirror.com/rdDEvxh7svNGl9W1/tuxtraining.com/2008/06/21/beating-sandvine-on-linux-with-iptables/index.html

  • If only they could have found a way to block packets from Slashdotters on their webserver . . .

  • by LM741N (258038) on Monday June 30, 2008 @01:36AM (#23996911)

    It appears I have control over ICMP packets with my AVG firewall. What exactly should I be doing, ie which packets need to be blocked as they have numbers and no description? Thanks

  • by SuperBanana (662181) on Monday June 30, 2008 @01:37AM (#23996915)

    They recently bumped up service to a full megabit upload speed, mostly because of Verizon FiOS service (which still isn't available anywhere in MA except the rich white suburbs- Boston's completely "dark", yet surrounded by towns and cities which have it.) However, if you use it past the old limit (384kbit), after a few minutes, latency skyrockets.

    It takes anywhere from a minute to several minutes to kick in, but when it does, ping times to google jumped from 20-30ms to over 300ms. Sometimes I found ping times would be *seconds* long, and ssh became almost completely unresponsive. Curiously, none of the packets would actually be dropped- they'd just very, very badly delayed.

    Seems very clearly designed to a)look the same as Verizon "on paper", 2)Satisfy people who want to email photos of the kids to grandma and grandpa (I will admit, it's insanely nice to be able to upload at four times the speed, when it works).

  • IPFW rule (Score:2, Informative)

    by Spaham (634471)
    I believe that this rule should work for macos X ipfw :
    sudo ipfw add 100 drop tcp from any to any 6881 tcpflags rst

    change 100 for the rule number that fits in your list
    change 6881 for your bittorrent port number

    feel free to correct me !
    • Re: (Score:3, Informative)

      by darkonc (47285)
      That should probably be

      sudo ipfw add 100 drop tcp from any to ${eth0} 6881 tcpflags rst

      (I can't remember the exact syntax, right now)... The point is that you want to allow yourself to send RSTs outbound, but ignore them inbound on your internet-facing port.

      • Re: (Score:2, Informative)

        by Spaham (634471)
        or just add "in" then ?
        something like that :

        sudo ipfw add 100 drop tcp from any to any 6881 in tcpflags rst
  • by elronxenu (117773) on Monday June 30, 2008 @03:01AM (#23997253) Homepage

    I expect we'll see development of protocols more robust than TCP to a MITM attack (this is ultimately a MITM denial of service).

  • First They Came (Score:5, Insightful)

    by Carcass666 (539381) on Monday June 30, 2008 @03:13AM (#23997299)

    First they came for the game crackers,
    and I did not speak up because I did not play games

    Then they came for the pornographers,
    and I did not speak up because I did not view porn

    Then they came first for the spammers,
    and I did not speak up because I was not a spammer

    First they came for the music pirates
    and I did not speak up because I was not a pirate

    Then they came for me,
    and by that time there was no fair-use left.

  • by dkleinsc (563838) on Monday June 30, 2008 @08:31AM (#23998723) Homepage

    "Obviously, due to these techniques being available, the tool known as iptables must be made illegal. The ability to change how we're sending packets through our networks allows users to engage in piracy, terrorism, and cyber-warfare, and this cannot be allowed to continue in the name of national security."

    (Yes, I think that's a load of crap, but I suspect they can get 60 senators with that and a few campaign donations.)

"A mind is a terrible thing to have leaking out your ears." -- The League of Sadistic Telepaths

Working...