Beating Comcast's Sandvine On Linux With Iptables 361
HiroDeckard writes "Multiple sites reported a while ago that Comcast was using Sandvine to do TCP packet resets to throttle BitTorrent connections of their users. This practice may be a thing of the past as it's been found a simple rule in the Linux firewall, iptables, can simply just block their reset packets, returning your BitTorrent back to normal speeds and allowing you to once again connect to all your seeds and peer. If blocking the TCP packet resets becomes a common practice, on and off of Linux, it'll be interesting to see the next move in the cat-and-mouse game between customers and service providers, and who controls that bandwidth."
When comments become articles (Score:4, Informative)
Re:Already slashdotted... (Score:5, Informative)
Re:Tag: !news (Score:5, Informative)
Usenet (Score:3, Informative)
Well if you are doing something illegal (like downloading music from bands under the RIAA), not that I condone it, but Usenet would be the best choice.
First of all your provider probably doesn't throttle downloads. Second of all your IP doesn't get sent out to everyone and their mother, the only people that know it are your ISP and Usenet provider.
tl;dr: Usenet binary groups FTW
Article \.'ed (Score:1, Informative)
Exactly. (Score:5, Informative)
I noticed my WoW connection suddenly became unstable at the beginning of the month.
I implemented similar firewall rules on my mac and the instability was cut in half.
Guess the other half is being forged to the blizzard servers.
Re:Which rule? (Score:1, Informative)
Re:Which rule? (Score:4, Informative)
Re:Exactly. (Score:5, Informative)
I did. I did some digging, found which ports the WoW client uses, and set ignore rules on only those ports.
This is why you select a specific port.... (Score:5, Informative)
iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -j DROP;
The above does what it says, drop TCP RST packets on port 36745. That is all you need to do to keep it from affecting your other network applications which may be getting legit reset packets.
Re:Port 25 (Score:2, Informative)
Shouldn't you be using port 587 [ietf.org] for that?
Re:Good, but shouldn't be necessary (Score:4, Informative)
If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?
Yet another reason why anyone who knows anything about computers and networks have been saying the **AA's methods of identification are a complete joke and don't amount to anything that could be considered evidence.
Re:Port 25 (Score:2, Informative)
All _decent_ mail servers allow for the submission of email on TCP port 587. So you could send your work emails that way.
Or VPN into work and send emails that way.
Or even use your ISP's mail server to send the emails (though you might be hit an obstacle like SPF).
Mirror (Score:4, Informative)
I believe this is it
http://www.networkmirror.com/rdDEvxh7svNGl9W1/tuxtraining.com/2008/06/21/beating-sandvine-on-linux-with-iptables/index.html
Re:This is why you select a specific port.... (Score:5, Informative)
IPFW rule (Score:2, Informative)
sudo ipfw add 100 drop tcp from any to any 6881 tcpflags rst
change 100 for the rule number that fits in your list
change 6881 for your bittorrent port number
feel free to correct me !
Re:Usenet is over (Score:1, Informative)
but why pay for warez?
Because they're better/more usable than the real thing?
Re:IPFW rule (Score:3, Informative)
sudo ipfw add 100 drop tcp from any to ${eth0} 6881 tcpflags rst
(I can't remember the exact syntax, right now)... The point is that you want to allow yourself to send RSTs outbound, but ignore them inbound on your internet-facing port.
Re:IPFW rule (Score:2, Informative)
something like that
sudo ipfw add 100 drop tcp from any to any 6881 in tcpflags rst
Re:Encryption (Score:2, Informative)
Because encryption CAN'T encrypt the packet headers, or every box on the net would have to decrypt it to find out who it's for. Only the data itself is encrypted.
This is also how classic traffic analysis works, as in WW II radio traffic -- the to and from addresses are not encrypted, otherwise every listening radio would have to decrypt every single message to see which ones are fo it, and that is way too much work in those pre-computer days.
Re:Hmm ... (Score:3, Informative)
Re:Do you need to be connected to the cable modem? (Score:4, Informative)
Your linux iptables based firewall needs to sit between the Comcast modem and the rest of your PC's...
Re:Good, but shouldn't be necessary (Score:3, Informative)
The law in my state (Utah) includes the following:
(4) A person who intentionally or knowingly and without authorization, interferes with or interrupts computer services to another authorized to receive the services is guilty of a class A misdemeanor.
(Misdemeanors for the same offense stack until they become felonies in Utah, not sure what it works out to for class As though)
(3) Any person is guilty of a second degree felony who:
(a) knowingly and unlawfully possesses an instrument capable of intercepting electronic serial number and mobile identification number combinations under circumstances evidencing an intent to clone;
(definition of electronic serial number is sketchy here, cloning is the electronic kind, interestingly, this also makes my router quite illegal (though as a misdemeanor, as I do not have intent to use), since it supports mac address cloning)
(1) A person is guilty of a class B misdemeanor if, in the course of business, he:
(c) sells, offers, or exposes for sale adulterated or mislabeled commodities.
(2) (a) "Adulterated" means varying from the standard of composition or quality prescribed, or pursuant to any statute providing criminal penalties for a variance, or set by established commercial usage.
(b) "Mislabeled" means varying from the standard of truth or disclosure in labeling prescribed by or pursuant to any statute providing criminal penalties for a variance, or set by established commercial usage.
IANAL, or a paralegal, the state code may not reflect case law, and the judge may not care what the law is at all, your state will likely have something completely different. I also point out that I long since lost track of the number of felonies and misdemeanors I've racked up in my state's legal code. (which is annoying, since I need to add owning my router to it)
Re:When comments become articles (Score:5, Informative)
I posted the kludge last time this got mentioned, I'm rather amused that this actually got posted again
http://tech.slashdot.org/comments.pl?sid=591167&cid=23888479 [slashdot.org]
Re:Here;s an idea: Stop fucking stealing shit !! (Score:5, Informative)
"Here;s an idea: Stop fucking stealing shit !! If you don't steal you won't care if your stealing facilitation enablers get a fucking RST or not. "
rst hurts anyone trying to keep long lived tcp connections, regardless of how much or what traffic they are sending.
Re:Port 25 (Score:5, Informative)
Not sure what you mean by sending work email from home.
If you mean your ability to establish a connection with a corporate mail server not located on your ISP's network, then port 25 is unnecessary. You should use port 465 with SSL instead. Problem solved since no ISP ever blocks port 465 in any direction. At least not that I am aware of.
If you mean your ability to run a mail server at your house, then your shit out of luck period. There are a large number of mail servers now that use policy block lists. Every ISP publishes their policy block lists which includes your IP address range. The moment your mail server tries to establish a connection to another mail server using this block list your packets could be dropped right at the router, or your connection terminated by the mail server itself.
Now as upsetting as that might be, it really is for the greater good. The vast majority of all the SPAM being sent every day comes from compromised windows machines on dynamic IP address ranges. Using the policy block list is very effective at immediately stopping those communications from ever reaching the mail server.
If you are absolutely determined to run your own mail server from home I would suggest getting a static IP address. Not only will port 25 not be blocked, but you will have a MUCH BETTER chance of your packets not being dropped by routers servicing the mail servers you will be sending email to.
Another option, depending on the amount of money you want to spend, is to retain the services of an email services provider. There are more than a few out there. You can use your own domain and they will host it for you. They can also provide a fair amount of security and usually are more reliable in getting the email to the destination.
Additionally, you could always get a virtual server someplace and run your own mail server software on it. They have linux and microsoft systems available pretty cheaply. Then you would be operating on IP address ranges used by big ISPs and data centers.
Comment removed (Score:3, Informative)
Re:They are doing it because they are crooks...... (Score:5, Informative)
Um, in the US, we're already paying for it. We have since the late 90's when congress passed huge tax breaks on to telcos to develop our 40Mbps connections - you have one of those don't you? The telco's promised us one years ago, I'm sure mine is just around the corner.
Re:A Fitness center analogy.. (Score:2, Informative)
Re:A Fitness center analogy.. (Score:1, Informative)
Actually, a lot of fitness center have rules about using their equipment and memberships are subject to those rules. In general, most fitness centers clearly specify that if there is nobody waiting, then you can use their treadmill or other devices as much as you want. Otherwise, it's only for a limited time and then you MUST let someone else use it. The last one I went was 30 minutes for treadmills and about 10 minutes for weight equipment.
Re:It's a trace buster buster buster (Score:3, Informative)
The reason for RST-Injection vs. packet blocking is simple.
For packet blocking, the appliance has to know instantly whether to block a packet or allow it.
For RST-Injection, the appliance can monitor a flow and spend some computing time deciding whether or not to inject a reset.
The time an appliance has to decide whether to throttle changes from microseconds to milliseconds or possibly even seconds.
Re:They are doing it because they are crooks...... (Score:4, Informative)
For some places, notably the US, I can see why you'd think I was being sarcastic. But the European ISP market is much more dynamic. I was being serious when I called competition over there fierce.