Beating Comcast's Sandvine On Linux With Iptables

HiroDeckard writes "Multiple sites reported a while ago that Comcast was using Sandvine to do TCP packet resets to throttle BitTorrent connections of their users. This practice may be a thing of the past, as it's been found that a simple rule in the Linux firewall, iptables, can simply block their reset packets, returning your BitTorrent to normal speeds and allowing you to once again connect to all your seeds and peers. If blocking the TCP packet resets becomes a common practice, on and off Linux, it'll be interesting to see the next move in the cat-and-mouse game between customers and service providers, and who controls that bandwidth."
  • by Anonymous Coward on Monday June 30, 2008 @12:23AM (#23996511)
    Wasn't this solution posted in the first few comments when this was first reported as happening?
  • by MadTinfoilHatter ( 940931 ) on Monday June 30, 2008 @12:32AM (#23996573)
    Here's a link to Google's cache [209.85.135.104] of the article.
  • Re:Tag: !news (Score:5, Informative)

    by Jeffrey Baker ( 6191 ) on Monday June 30, 2008 @12:35AM (#23996591)
    Not just that, but it filters out RST packets that may in fact have been sent by the peer. So this trick can leave you with sockets hanging open in a bad state.
  • Usenet (Score:3, Informative)

    by Anonymous Coward on Monday June 30, 2008 @12:36AM (#23996593)

    Well if you are doing something illegal (like downloading music from bands under the RIAA), not that I condone it, but Usenet would be the best choice.

    First of all your provider probably doesn't throttle downloads. Second of all your IP doesn't get sent out to everyone and their mother, the only people that know it are your ISP and Usenet provider.

    tl;dr: Usenet binary groups FTW

  • Article \.'ed (Score:1, Informative)

    by poormanjoe ( 889634 ) on Monday June 30, 2008 @12:37AM (#23996619)
    Related link [tweak3d.net] here.
  • Exactly. (Score:5, Informative)

    by plasmacutter ( 901737 ) on Monday June 30, 2008 @12:45AM (#23996663)

    I noticed my WoW connection suddenly became unstable at the beginning of the month.

    I implemented similar firewall rules on my mac and the instability was cut in half.

    Guess the other half is being forged to the blizzard servers.

  • Re:Which rule? (Score:1, Informative)

    by Anonymous Coward on Monday June 30, 2008 @01:02AM (#23996743)

    If you are tired of Sandvine (the application used by Comcast to throttle BitTorrent with fake TCP packet resets) screwing with your BitTorrent and are a user of GNU/Linux, then this is for you. I will tell you how to take your bandwidth back.

    If you are using a Red Hat Linux derivative, such as Fedora Core or CentOS, then you will want to edit /etc/sysconfig/iptables. First, make a backup of this file. Next, open this file in your favorite text editor. Replace the current contents with this, substituting 6883 with your BitTorrent port number:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    #Comcast BitTorrent seeding block workaround
    #(must come before the ESTABLISHED,RELATED rule, or the RST is accepted there)
    -A INPUT -p tcp --dport 6883 --tcp-flags RST RST -j DROP
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #BitTorrent
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 6883 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 6883 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    Reload your iptables firewall with service iptables restart. You should now see a great improvement in your seeding.

    If you are using Ubuntu or another non-Red Hat Linux derivative, then place the following in a file and execute that file as root.

    #!/bin/sh
    #Replace 6883 with your BT port
    BT_PORT=6883

    #Flush the filters
    iptables -F

    #Apply new filters
    iptables -A INPUT -i lo -j ACCEPT
    #Comcast BitTorrent seeding block workaround
    #(must come before the ESTABLISHED,RELATED rule, or the RST is accepted there)
    iptables -A INPUT -p tcp --dport $BT_PORT --tcp-flags RST RST -j DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #BitTorrent
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport $BT_PORT -j ACCEPT
    iptables -A INPUT -m state --state NEW -m udp -p udp --dport $BT_PORT -j ACCEPT
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

    Your firewall is now configured and you should have great upload speed now. You will have to run this script every boot, by the way. One easy way is to call the script at the end of /etc/rc.local.

  • Re:Which rule? (Score:4, Informative)

    by spoop ( 952477 ) on Monday June 30, 2008 @01:08AM (#23996773)
    I've had this command in my WRT54GL running DD-WRT for a while: iptables -A INPUT -p tcp --dport 39984 --tcp-flags RST RST -j DROP. Just replace 39984 with whatever port you use for BitTorrent.
  • Re:Exactly. (Score:5, Informative)

    by plasmacutter ( 901737 ) on Monday June 30, 2008 @01:10AM (#23996799)

    I did. I did some digging, found which ports the WoW client uses, and set ignore rules on only those ports.

  • by Fallen Kell ( 165468 ) on Monday June 30, 2008 @01:15AM (#23996815)
    As my subject says. This is why you only put the filter on the specific port you are using for P2P traffic. For instance, my rule is as follows:

    iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -j DROP

    The above does what it says, drop TCP RST packets on port 36745. That is all you need to do to keep it from affecting your other network applications which may be getting legit reset packets.
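An added example, not part of the thread and not code from any of the posters above: a POSIX shell script that generates the RST-drop rule from the comments above, restricted to one inbound interface and one port, for either a host (INPUT chain, as in the Red Hat/Ubuntu rule sets) or a Linux router forwarding for a LAN (FORWARD chain, as in the DD-WRT and FORWARD-chain comments). The port 6883 and the interface eth0 are assumed placeholders; the "apply" argument, the function names and the dry-run behaviour are this example's own design. Without "apply" the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original thread or any poster). Generates the
# RST-drop rule discussed above, scoped to one inbound interface and one TCP
# port, for a host (INPUT chain) or a NAT router (FORWARD chain). Without the
# "apply" argument it only prints the commands; with it, they are piped to sh.
# BT_PORT=6883 and WAN_IF=eth0 are assumed placeholder values.

BT_PORT="${BT_PORT:-6883}"   # assumed BitTorrent listen port
WAN_IF="${WAN_IF:-eth0}"     # assumed internet-facing interface

# valid_port PORT: true only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rst_drop_rule CHAIN PORT IFACE: print one iptables command that drops TCP
# segments with the RST bit set arriving on IFACE for local port PORT.
#   - "-i IFACE" leaves locally generated and LAN-side RSTs untouched
#     (the same point as the ipfw "in" keyword above: ignore inbound only).
#   - "--dport PORT" limits the side effect to the BitTorrent listen port, so
#     other applications still see legitimate resets.
#   - "-I CHAIN 1" puts the rule ahead of any ESTABLISHED,RELATED accept rule;
#     an RST belonging to a tracked connection would match that rule first.
#   - "--tcp-flags RST RST" examines only the RST bit, so RST+ACK matches too.
rst_drop_rule() {
    chain="$1"; port="$2"; iface="$3"
    case "$chain" in
        INPUT|FORWARD) ;;
        *) echo "rst_drop_rule: chain must be INPUT or FORWARD" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "rst_drop_rule: bad port '$port'" >&2; return 1; }
    printf 'iptables -I %s 1 -i %s -p tcp --dport %s --tcp-flags RST RST -j DROP\n' \
        "$chain" "$iface" "$port"
}

# host_rules PORT IFACE: for the machine running the client itself.
host_rules() { rst_drop_rule INPUT "$1" "$2"; }

# router_rules PORT IFACE: for a Linux box forwarding for the LAN. Forwarded
# traffic never traverses INPUT, so an INPUT rule does nothing for LAN clients.
router_rules() { rst_drop_rule FORWARD "$1" "$2"; }

if [ "${1-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    host_rules "$BT_PORT" "$WAN_IF" | sh -e
fi
```

Run it with no arguments to preview the command, or `BT_PORT=39984 WAN_IF=ppp0 sh rst-drop.sh apply` as root to load it; swap `host_rules` for `router_rules` on a forwarding box. The caveat raised earlier in the thread still applies: a genuine RST from a peer on that port is dropped too, so that socket lingers until the TCP stack times it out.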
  • Re:Port 25 (Score:2, Informative)

    by Mr. Slippery ( 47854 ) <tms&infamous,net> on Monday June 30, 2008 @01:21AM (#23996843) Homepage

    Shouldn't you be using port 587 [ietf.org] for that?

  • by Fallen Kell ( 165468 ) on Monday June 30, 2008 @01:21AM (#23996845)

    If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?



    Yet another reason why anyone who knows anything about computers and networks has been saying the **AA's methods of identification are a complete joke and don't amount to anything that could be considered evidence.

  • Re:Port 25 (Score:2, Informative)

    by awdau ( 1108639 ) on Monday June 30, 2008 @01:21AM (#23996847)

    All _decent_ mail servers allow for the submission of email on TCP port 587. So you could send your work emails that way.
    Or VPN into work and send emails that way.
    Or even use your ISP's mail server to send the emails (though you might hit an obstacle like SPF).

  • Mirror (Score:4, Informative)

    by Easy2RememberNick ( 179395 ) on Monday June 30, 2008 @01:27AM (#23996863)

    I believe this is it

    http://www.networkmirror.com/rdDEvxh7svNGl9W1/tuxtraining.com/2008/06/21/beating-sandvine-on-linux-with-iptables/index.html

  • by Jeffrey Baker ( 6191 ) on Monday June 30, 2008 @01:41AM (#23996941)
    Your comment seems to imply that no bittorrent peer will ever need to RST the connection, which is not generally true.
  • IPFW rule (Score:2, Informative)

    by Spaham ( 634471 ) on Monday June 30, 2008 @01:58AM (#23997003)
    I believe that this rule should work for macos X ipfw :
    sudo ipfw add 100 drop tcp from any to any 6881 tcpflags rst

    change 100 for the rule number that fits in your list
    change 6881 for your bittorrent port number

    feel free to correct me !
  • Re:Usenet is over (Score:1, Informative)

    by Anonymous Coward on Monday June 30, 2008 @01:59AM (#23997007)

    but why pay for warez?

    Because they're better/more usable than the real thing?

  • Re:IPFW rule (Score:3, Informative)

    by darkonc ( 47285 ) <stephen_samuel@b ... m ['n.c' in gap]> on Monday June 30, 2008 @02:22AM (#23997099) Homepage Journal
    That should probably be

    sudo ipfw add 100 drop tcp from any to ${eth0} 6881 tcpflags rst

    (I can't remember the exact syntax, right now)... The point is that you want to allow yourself to send RSTs outbound, but ignore them inbound on your internet-facing port.

  • Re:IPFW rule (Score:2, Informative)

    by Spaham ( 634471 ) on Monday June 30, 2008 @02:32AM (#23997149)
    or just add "in" then ?
    something like that :

    sudo ipfw add 100 drop tcp from any to any 6881 in tcpflags rst
  • Re:Encryption (Score:2, Informative)

    by Anonymous Coward on Monday June 30, 2008 @02:48AM (#23997197)

    Because encryption CAN'T encrypt the packet headers, or every box on the net would have to decrypt it to find out who it's for. Only the data itself is encrypted.

    This is also how classic traffic analysis works, as in WW II radio traffic -- the to and from addresses are not encrypted, otherwise every listening radio would have to decrypt every single message to see which ones are for it, and that was way too much work in those pre-computer days.

  • Re:Hmm ... (Score:3, Informative)

    by Uther_Dark ( 1314195 ) on Monday June 30, 2008 @03:01AM (#23997257)
    Encryption only obfuscates the files you are downloading/uploading, it doesn't hide what protocol you are using... (I think) In any case, it DID work for a while, but I guess Comcrap caught on to the protocol, and now my torrents (all legal BTW) are crapped out...
  • by Arimus ( 198136 ) on Monday June 30, 2008 @03:31AM (#23997347)

    Your Linux iptables-based firewall needs to sit between the Comcast modem and the rest of your PCs...

  • by Repossessed ( 1117929 ) on Monday June 30, 2008 @03:32AM (#23997357)

    The law in my state (Utah) includes the following:

    (4) A person who intentionally or knowingly and without authorization, interferes with or interrupts computer services to another authorized to receive the services is guilty of a class A misdemeanor.

    (Misdemeanors for the same offense stack until they become felonies in Utah, not sure what it works out to for class As though)

    (3) Any person is guilty of a second degree felony who:
              (a) knowingly and unlawfully possesses an instrument capable of intercepting electronic serial number and mobile identification number combinations under circumstances evidencing an intent to clone;

    (definition of electronic serial number is sketchy here, cloning is the electronic kind, interestingly, this also makes my router quite illegal (though as a misdemeanor, as I do not have intent to use), since it supports mac address cloning)

    (1) A person is guilty of a class B misdemeanor if, in the course of business, he:
          (c) sells, offers, or exposes for sale adulterated or mislabeled commodities.
    (2) (a) "Adulterated" means varying from the standard of composition or quality prescribed, or pursuant to any statute providing criminal penalties for a variance, or set by established commercial usage.
          (b) "Mislabeled" means varying from the standard of truth or disclosure in labeling prescribed by or pursuant to any statute providing criminal penalties for a variance, or set by established commercial usage.

    IANAL, or a paralegal, the state code may not reflect case law, and the judge may not care what the law is at all, your state will likely have something completely different. I also point out that I long since lost track of the number of felonies and misdemeanors I've racked up in my state's legal code. (which is annoying, since I need to add owning my router to it)

  • by Misanthrope ( 49269 ) on Monday June 30, 2008 @03:44AM (#23997405)

    I posted the kludge last time this got mentioned, I'm rather amused that this actually got posted again
    http://tech.slashdot.org/comments.pl?sid=591167&cid=23888479 [slashdot.org]

  • by LordMyren ( 15499 ) on Monday June 30, 2008 @03:48AM (#23997433) Homepage

    "Here;s an idea: Stop fucking stealing shit !! If you don't steal you won't care if your stealing facilitation enablers get a fucking RST or not. "

    RST hurts anyone trying to keep long-lived TCP connections, regardless of how much or what traffic they are sending.

  • Re:Port 25 (Score:5, Informative)

    by EdIII ( 1114411 ) * on Monday June 30, 2008 @04:22AM (#23997621)

    Not sure what you mean by sending work email from home.

    If you mean your ability to establish a connection with a corporate mail server not located on your ISP's network, then port 25 is unnecessary. You should use port 465 with SSL instead. Problem solved since no ISP ever blocks port 465 in any direction. At least not that I am aware of.

    If you mean your ability to run a mail server at your house, then you're shit out of luck, period. There are a large number of mail servers now that use policy block lists. Every ISP publishes their policy block lists, which include your IP address range. The moment your mail server tries to establish a connection to another mail server using this block list, your packets could be dropped right at the router, or your connection terminated by the mail server itself.

    Now as upsetting as that might be, it really is for the greater good. The vast majority of all the SPAM being sent every day comes from compromised windows machines on dynamic IP address ranges. Using the policy block list is very effective at immediately stopping those communications from ever reaching the mail server.

    If you are absolutely determined to run your own mail server from home I would suggest getting a static IP address. Not only will port 25 not be blocked, but you will have a MUCH BETTER chance of your packets not being dropped by routers servicing the mail servers you will be sending email to.

    Another option, depending on the amount of money you want to spend, is to retain the services of an email services provider. There are more than a few out there. You can use your own domain and they will host it for you. They can also provide a fair amount of security and usually are more reliable in getting the email to the destination.

    Additionally, you could always get a virtual server someplace and run your own mail server software on it. They have linux and microsoft systems available pretty cheaply. Then you would be operating on IP address ranges used by big ISPs and data centers.

  • by tinkerghost ( 944862 ) on Monday June 30, 2008 @08:21AM (#23998635) Homepage

    Another solution is a world-wide effort to update infrastructure (better throughput, either hardware or software). But who's gonna pay for that? The last mile ISP's can't and won't and granted, it's not fair they should pay all of it.

    Um, in the US, we're already paying for it. We have since the late 90's when congress passed huge tax breaks on to telcos to develop our 40Mbps connections - you have one of those don't you? The telco's promised us one years ago, I'm sure mine is just around the corner.

  • by Bengie ( 1121981 ) on Monday June 30, 2008 @08:41AM (#23998817)
    I have no problem with a data cap on broadband. Let's just do what Japan is doing: 25 Mbit/s for $25 USD/month with a 30 GB upload cap per *day* and no cap on download.
  • by Anonymous Coward on Monday June 30, 2008 @09:18AM (#23999175)

    Actually, a lot of fitness centers have rules about using their equipment, and memberships are subject to those rules. In general, most fitness centers clearly specify that if there is nobody waiting, then you can use their treadmill or other devices as much as you want. Otherwise, it's only for a limited time and then you MUST let someone else use it. The last one I went to was 30 minutes for treadmills and about 10 minutes for weight equipment.

  • by kilocomp ( 234607 ) on Monday June 30, 2008 @11:57AM (#24001965)

    The reason for RST-Injection vs. packet blocking is simple.

    For packet blocking, the appliance has to know instantly whether to block a packet or allow it.

    For RST-Injection, the appliance can monitor a flow and spend some computing time deciding whether or not to inject a reset.

    The time an appliance has to decide whether to throttle changes from microseconds to milliseconds or possibly even seconds.

  • by Crayon Kid ( 700279 ) on Monday June 30, 2008 @02:23PM (#24004575)

    For some places, notably the US, I can see why you'd think I was being sarcastic. But the European ISP market is much more dynamic. I was being serious when I called competition over there fierce.
