
Beating Comcast's Sandvine On Linux With Iptables

timothy posted more than 6 years ago | from the and-then-I'd-be-all-like-pow-and-reconfigure-iptables dept.

Networking 361

HiroDeckard writes "Multiple sites reported a while ago that Comcast was using Sandvine to do TCP packet resets to throttle BitTorrent connections of their users. This practice may be a thing of the past as it's been found a simple rule in the Linux firewall, iptables, can simply just block their reset packets, returning your BitTorrent back to normal speeds and allowing you to once again connect to all your seeds and peers. If blocking the TCP packet resets becomes a common practice, on and off of Linux, it'll be interesting to see the next move in the cat-and-mouse game between customers and service providers, and who controls that bandwidth."


361 comments


It's a trace buster buster buster (5, Funny)

Anonymous Coward | more than 6 years ago | (#23996505)

It'll bust their trace buster buster.

Re:It's a trace buster buster buster (2, Insightful)

Bohabo (1273432) | more than 6 years ago | (#23996865)

Legal questions aside, is there some technical merit to using Sandvine instead of just blocking the packets? Is it less expensive to the ISP or something? I don't understand why they're doing it.

Re:It's a trace buster buster buster (5, Insightful)

Tubal-Cain (1289912) | more than 6 years ago | (#23996957)

Straight-up blocking it is probably more clearly illegal than throttling.

They are doing it because they are crooks...... (5, Interesting)

ciscoguy01 (635963) | more than 6 years ago | (#23996989)

Technical merit? I think not.
They can't block the packets, they sold their users "unlimited" internet. If certain packets are just blocked that's not really unlimited, is it?
They sure didn't tell anyone they were secretly installing Sandvine boxes that nobody had heard of specifically to screw up certain kinds of traffic. They did it in secret. It was subterfuge. A dirty trick. Mischief.
Now that they are found out their story is they are just "managing bandwidth".
But what they are really doing is trying to stop 2% of their customers from using 98% of the bandwidth, bandwidth they have to pay for. Remember, though they are selling "unlimited" internet access at some level *all* bandwidth is measured. Theirs is certainly measured by their upstream provider. There is really no "unlimited" bandwidth.

Re:It's a trace buster buster buster (5, Interesting)

Kadin2048 (468275) | more than 6 years ago | (#23997057)

Last time this came up for discussion, some people suggested that RST-injection was computationally easier than packet blocking, because it works on the connection level rather than the packet level.

It still seems to me like you'd have to do quite a bit of DPI to determine which connections are being used for Bittorrent, but maybe you can identify a connection, send a forged RST packet, and then ignore the packets in that connection for a while (saving you load on the DPI box), maybe just until it closes.

I'm not entirely clear how these Sandvine boxes work, but it seems like it would be easier to identify "okay, this connection is being used for x," "this connection is being used for Y," and then not have to pay more attention to them, than it would be to examine every single packet. That's where you get your cost reduction, I suspect.

Sandvine has a few patents out there that probably describe in greater detail how their QoS tool works (and which I haven't read yet); apparently the QoS RST-forging is part of their "Stateful Policy Management" product.

Re:It's a trace buster buster buster (1)

SolidAltar (1268608) | more than 6 years ago | (#23996971)

Idea for a product:

Make a small network device - maybe only 2 megs of RAM and a 100mz processor and load linux+iptables to do this for non-technical users.

Something like the DSD-150 Internet Security Adapter. http://www.dlink.com/products/?sec=1&pid=486 [dlink.com] It's just a few inches square.

Then Sandvine would be...useless.

Re:It's a trace buster buster buster (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23997067)

Rap - Black Attack - "Bitch I love you" Code Monkeys ....

Chorus:
Bitch, He Loves You
Bitch, He Loves You

Dave:
Bitch, I love you

Stars Above you

Shine like wine

Girl you be fine

Now its time to suck my dick

You better not spit out our love

Wendy:
What the fuck are you doing Dave, it is 3 in the morning

Dave:
We never shored up the time of our date

Wendy:
I am calling the cops

Dave:
Don't call the cops

Wendy:
You are so creepy Dave!

Black Steve:
Can't you see he loves you, bitch?

Chorus:
I love you bitch, I love you bitch

When comments become articles (4, Informative)

Anonymous Coward | more than 6 years ago | (#23996511)

Wasn't this solution posted in the first few comments when this was first reported as happening?

Here's an idea: Stop fucking stealing shit !! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23996755)

Here's an idea: Stop fucking stealing shit !! If you don't steal you won't care if your stealing facilitation enablers get a fucking RST or not. So do yourself and the non-assholes of the world a favor and you won't keep getting your ass fucked and you can all stop your fucking whining you sorry saps!!

Re:Here's an idea: Stop fucking stealing shit !! (-1, Troll)

ThePeices (635180) | more than 6 years ago | (#23996785)

yeah right, as if there is no legitimate use of BT, you fucking lowlife piece of shit.

You know what I hate? (5, Insightful)

deek (22697) | more than 6 years ago | (#23996871)

It's when I see a comment on Slashdot, that seems to have no relation to the comment above it. Then I discover that the real parent post has been hidden by Slashdot's new comment system, and the child post linked to the grandparent.

It's damn annoying! Slashdot, please, at least link the child to the "hidden comments" link. That way, I won't get head spins when someone appears to viscously lash out at an interesting post.

sigh ... I'm my own spelling nazi (4, Funny)

deek (22697) | more than 6 years ago | (#23996883)

viciously, not viscously. I'll have to learn to read my previews more closely.

Tag: !news (5, Insightful)

Mr2001 (90979) | more than 6 years ago | (#23996513)

This trick has been around for a while, hasn't it?

The problem is, you can only filter out the RST packets on your end of the connection. But Sandvine also sends RSTs to the other end of the connection. That means it isn't enough for you to be running this iptables rule - all the peers you connect to have to be running it too.

Re:Tag: !news (0)

Anonymous Coward | more than 6 years ago | (#23996521)

seconded

not only is this not news, it doesn't fucking work

Re:Tag: !news (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23996643)

not only is this not news, it doesn't fucking work

Blaspheme!!!11!!1
It's teh Linux. It hast to wrk!!!!!!111!

Re:Tag: !news (4, Informative)

Jeffrey Baker (6191) | more than 6 years ago | (#23996591)

Not just that, but it filters out RST packets that may in fact have been sent by the peer. So this trick can leave you with sockets hanging open in a bad state.

Exactly. (5, Informative)

plasmacutter (901737) | more than 6 years ago | (#23996663)

I noticed my WoW connection suddenly became unstable at the beginning of the month.

I implemented similar firewall rules on my mac and the instability was cut in half.

Guess the other half is being forged to the blizzard servers.

Re:Exactly. (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23996717)

I implemented similar firewall rules on my mac and the instability was cut in half.

Maybe you should ignore RST only on specific port ranges...

Just a thought.

Re:Exactly. (4, Informative)

plasmacutter (901737) | more than 6 years ago | (#23996799)

I did. I did some digging, found which ports the WoW client uses, and set ignore rules on only those ports.

Re:Exactly. (0)

Anonymous Coward | more than 6 years ago | (#23996933)

Forged you say? Alert Prince Verity at once!

This is why you select a specific port.... (5, Informative)

Fallen Kell (165468) | more than 6 years ago | (#23996815)

As my subject says. This is why you only put the filter on the specific port you are using for P2P traffic. For instance, my rule is as follows:

iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -j DROP;

The above does what it says, drop TCP RST packets on port 36745. That is all you need to do to keep it from affecting your other network applications which may be getting legit reset packets.

Re:This is why you select a specific port.... (4, Informative)

Jeffrey Baker (6191) | more than 6 years ago | (#23996941)

Your comment seems to imply that no bittorrent peer will ever need to RST the connection, which is not generally true.

Re:This is why you select a specific port.... (5, Interesting)

darkonc (47285) | more than 6 years ago | (#23997041)

Well, if you're getting bitten by ComCast (or other e.g. Canadian) ISPs that are resetting connections, then it's probably better to leave connections open that shouldn't be than to close connections that should stay open.

It's a response to a violation of the TCP protocol to begin with, so it's not surprising that it has some negative side effects.

Probably the best thing to do would be to build a filter that registers the presence of the RST packet and waits to see if you get more data from the site that supposedly sent it.
* If the site that the RST packet supposedly came from continues to act like it's got an open session, then you can ignore the RST as a forgery.
* If you have no more non-closure packets after the RST, then you can apply an aggressive timeout and then deliver the RST after 2-3 seconds of silence.

Re:Tag: !news (2, Interesting)

GNUALMAFUERTE (697061) | more than 6 years ago | (#23996975)

I think it shouldn't be hard to only drop RST packets forged by Comcast. It's not hard to identify a fingerprint of the packet, either by the TTL, sequence, or something, on the RST packets that's unique to Comcast forged packets.
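The two ideas above, darkonc's "wait and see whether the supposed sender keeps talking after the RST" and the TTL fingerprint suggested here, can be combined into a small offline detector run over a packet trace. The following is an added example, not code from the thread or from any poster; the Packet/Verdict types, the analyse() function and the sample trace are all this example's own constructions (documentation IP ranges, made-up TTLs), not captured traffic.

```python
"""Heuristics for spotting injected TCP resets in a packet trace.

Added example, not code from the thread. Two signals, both argued in the
discussion above:
  1. TTL mismatch: an RST whose IP TTL differs from every TTL that the same
     endpoint used in its other packets probably did not originate there
     (a middlebox sits a different number of hops away).
  2. Post-RST activity: a host that really sent an RST has torn the
     connection down; if "it" keeps sending non-RST packets on the same
     flow shortly afterwards, the RST was forged.
All packets below are constructed sample records.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since trace start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # TCP flag letters, e.g. "S", "SA", "PA", "R", "RA"
    ttl: int           # IP TTL as received
    payload_len: int = 0


Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a connection group together."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


@dataclass
class Verdict:
    rst: Packet
    ttl_mismatch: bool     # RST TTL differs from every TTL that endpoint used elsewhere
    activity_after: bool   # the "sender" kept transmitting after its own RST

    @property
    def forged(self) -> bool:
        return self.ttl_mismatch or self.activity_after


def analyse(packets: List[Packet], window: float = 3.0) -> List[Verdict]:
    """One Verdict per RST in the trace, in timestamp order.

    window: seconds after an RST during which further packets from the same
    endpoint count as post-RST activity (darkonc suggests 2-3 seconds).
    """
    by_flow: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda x: x.ts):
        by_flow[flow_key(p)].append(p)

    verdicts: List[Verdict] = []
    for pkts in by_flow.values():
        # TTL baseline per endpoint, learned from its non-RST packets only.
        baseline: Dict[Endpoint, Set[int]] = defaultdict(set)
        for p in pkts:
            if "R" not in p.flags:
                baseline[(p.src, p.sport)].add(p.ttl)

        for i, p in enumerate(pkts):
            if "R" not in p.flags:
                continue
            sender = (p.src, p.sport)
            seen = baseline[sender]
            ttl_mismatch = bool(seen) and p.ttl not in seen
            activity_after = any(
                (q.src, q.sport) == sender
                and "R" not in q.flags
                and p.ts < q.ts <= p.ts + window
                for q in pkts[i + 1:]
            )
            verdicts.append(Verdict(p, ttl_mismatch, activity_after))
    return sorted(verdicts, key=lambda v: v.rst.ts)


def suspected_forgeries(packets: List[Packet]) -> List[Packet]:
    """Just the RSTs that either heuristic flags."""
    return [v.rst for v in analyse(packets) if v.forged]


# Constructed sample trace: one flow hit by an injected RST, one flow that
# the peer genuinely resets. Addresses are from documentation ranges.
CLIENT = ("10.0.0.5", 36745)
PEER_A = ("203.0.113.7", 6881)
PEER_B = ("198.51.100.9", 6881)

SAMPLE_TRACE = [
    Packet(0.00, *CLIENT, *PEER_A, "S", 64),
    Packet(0.05, *PEER_A, *CLIENT, "SA", 52),
    Packet(0.06, *CLIENT, *PEER_A, "A", 64),
    Packet(0.50, *PEER_A, *CLIENT, "PA", 52, 1400),
    Packet(1.50, *PEER_A, *CLIENT, "R", 60),          # injected: odd TTL, peer still talks
    Packet(1.80, *PEER_A, *CLIENT, "PA", 52, 1400),
    Packet(2.00, *CLIENT, *PEER_B, "S", 64),
    Packet(2.04, *PEER_B, *CLIENT, "SA", 47),
    Packet(2.05, *CLIENT, *PEER_B, "A", 64),
    Packet(2.60, *PEER_B, *CLIENT, "RA", 47),         # genuine reset, then silence
    Packet(9.00, *CLIENT, *PEER_B, "S", 64),          # client retries much later
]

if __name__ == "__main__":
    for v in analyse(SAMPLE_TRACE):
        print(f"RST at t={v.rst.ts:.2f} from {v.rst.src}: forged={v.forged} "
              f"(ttl_mismatch={v.ttl_mismatch}, activity_after={v.activity_after})")
```

Either signal alone is weak: a peer behind a changing route can legitimately vary its TTL, and a peer may send a few in-flight segments after a real RST, so in practice you would want both to agree before treating a reset as forged, and the window is a tunable rather than a constant.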

IPFW version or macosx (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23996601)

Is there a version of this that works for IPFW, or another way to do it on Mac OS X?

Encryption (0)

Anonymous Coward | more than 6 years ago | (#23996683)

The article says that encrypted bit torrent does not help.

Now why is this. If they can't tell what is in the packet how do they know if they should block it.

Is it some port ID. You can set bit torrent to use something besides 50,000. But perhaps there are specific ports that are also used that can't be changed?

Or are there some behavioural markers they are using?

Or perhaps bit torrent encoding doesn't actually wrap the whole packet, but instead just wraps the data portion and not the bit torrent headers?

Re:Encryption (1)

profplump (309017) | more than 6 years ago | (#23996859)

My guess is they match the tracker exchanges to flag your IP, as most trackers are not encrypted even if the transfer traffic itself is. Then they send resets for any connection to/from your IP that they can't identify as "allowed" for the next 15 minutes or so. If I'm right it's not quite as bad as just resetting streams willy-nilly, but it's pretty close, particularly if you run non-standard network applications.

Re:Tag: !news (4, Interesting)

Easy2RememberNick (179395) | more than 6 years ago | (#23996833)

'Sandvine also sends RSTs to the other end of the connection. That means it isn't enough for you to be running this iptables rule - all the peers you connect to have to be running it too.'

Isn't that your ISP committing fraud? Altering a private communication with the intent of disrupting it, or at the very least it's the 'ISP' impersonating you and also the other party.

Re:Tag: !news (1)

JDizzy (85499) | more than 6 years ago | (#23996925)

interesting.

So then, it seems that p2p firewall rules may come to be. I mean synchronized rules between nodes.

Re:Tag: !news (5, Insightful)

cryptoluddite (658517) | more than 6 years ago | (#23997101)

The problem is, you can only filter out the RST packets on your end of the connection.

That's only a temporary problem. The real problem -- for the ISPs -- is that the same software is running on each end of a p2p, so all of their efforts are guaranteed to fail eventually.

For instance, p2p programs can start using UDP spread spectrum... pass packets on random ports. The receiver then basically implements a quick and dirty tcp-like connection over this (ie much worse for an ISP than actual TCP). Add encryption and random length so it's harder to filter out. Or there can be a shared random number seed for the shared ports. Just for example...

There's probably some computer science or information theory law stating this, but they can't ultimately reduce the targeted traffic by more than the loss from encoding it as 'normal' traffic. For instance, if they limit torrents to 100k/s and the loss is 33% from 'base64' encoding the data as some kind of an html-ish doc then if normal web pages get more than 133k/s then torrents would be faster encoding them as 'normal' traffic.

... then they have to try to figure out what are real web pages/servers and what are really some other protocol pretending.

Already slashdotted... (1)

AllIGotWasThisNick (1309495) | more than 6 years ago | (#23996519)

Not even a first post.

Re:Already slashdotted... (5, Informative)

MadTinfoilHatter (940931) | more than 6 years ago | (#23996573)

Here's a link to Google's cache [209.85.135.104] of the article.

Sandvine? (4, Funny)

cbrocious (764766) | more than 6 years ago | (#23996523)

I heard it through the sandvine.

Re:Sandvine? (5, Funny)

Anonymous Coward | more than 6 years ago | (#23996987)

I'll bet you're wondering how I knew,
Why my packets never made it through,
With some other peer I was sharin' files,
Between the two of us Comcast was runnin' wild,
Reset me by surprise (reset by surprise), I'm afraid,
From the R-I-Double-A,
Don'tcha know,

I heard it through the sandvine.

Not much bandwidth's gonna be mine.
Oh, I heard it through the sandvine...
Oh, I'm just about to lose my mind,
Honey, honey, yeah...

I know a geek ain't supposed to cry,
But these fears I can't hold inside,
Losin' the 'net and it's neutrality,
Yeah, it means that much to me,
You coulda told me (you coulda told) yourself,
That you're forgin' packets for someone else,

Instead I heard it through the sandvine...
Not much bandwidth's gonna be mine.
Oh, I heard it through the sandvine...
Oh, I'm just about to lose my mind,
Honey, honey, yeah...

People say "Believe half of what you see,
Son, and none of what you hear",
But my router's mighty confused,
So if it's true, please tell me dear,
Do you want (do you want) to make me go,
Back to the ISP (and USENET feed) I used before,

Or should I drop packets from your sandvine...
Plenty bandwidth's gonna be mine.
Oh, I don't listen to your sandvine...
MPAA's 'bout to lose its mind,
Honey, honey, yeah...

- Original work, composed under the influence of Slashdot and beer. Lyrics in public domain. Someone with vocal talent, feel free to improve, record, and youtube it as a parody under the fair use exemptions.

Re:Sandvine? (4, Funny)

KGIII (973947) | more than 6 years ago | (#23997035)

My wife has me drinking boxed wine. *shivers but drinks it anyhow* Now, someone mod this one up, a billion times, as +6 Funny +10 Funny While Drinking.

1st post (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23996529)

wicked put it too them!!!!!

Good, but shouldn't be necessary (5, Interesting)

corsec67 (627446) | more than 6 years ago | (#23996531)

While it is good that it is easy to ignore reset packets that were created by the ISP, the question still remains:

Why should we have to block forged packets made by the ISP? If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?

And, wow that site went down fast.

Re:Good, but shouldn't be necessary (3, Funny)

Macman408 (1308925) | more than 6 years ago | (#23996699)

And, wow that site went down fast.

Nah, your ISP just sent a RST to both ends as soon as the connection was established.

Re:Good, but shouldn't be necessary (3, Informative)

Fallen Kell (165468) | more than 6 years ago | (#23996845)

If the MAFIAA suits are banking on IP == identity, and the ISP is forging packets with an IP that doesn't belong to any computer they own, isn't that a fairly serious form of forgery?

Yet another reason why anyone who knows anything about computers and networks has been saying the **AA's methods of identification are a complete joke and don't amount to anything that could be considered evidence.

Better Than Torrents (0)

Anonymous Coward | more than 6 years ago | (#23996537)

Usenet FTW

Usenet is over (1)

Wesley Felter (138342) | more than 6 years ago | (#23996795)

Maybe you missed the recent news that several large ISPs are shutting down Usenet service. You can always pay for Usenet, but why pay for warez?

Re:Usenet is over (0)

Anonymous Coward | more than 6 years ago | (#23996825)

I've always paid for Usenet. The free ones suck. It's not that much, maybe $15 a month at most. If you work you can easily afford that.

Re:Usenet is over (1, Informative)

Anonymous Coward | more than 6 years ago | (#23997007)

but why pay for warez?

Because they're better/more usable than the real thing?

no way (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23996541)

first comment

It doesn't matter. (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23996549)

It doesn't matter what it is, it'll be worse, more draconian, and will still be subverted quickly.
ISPs (and many other certain groups) need to realize that they have already lost, and will lose, ad infinitum. The fight will only cause hemorrhaging of even more customers.

I tried it. (0)

Anonymous Coward | more than 6 years ago | (#23996551)

I tried it and it worked fine...like 3 months ago. I guess the days of this working are now numbered in the dozens.

First (0)

Anonymous Coward | more than 6 years ago | (#23996557)

First. 1001512098

Piracy is wrong - plain and simple (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23996559)

It's theft! Stop doing it! Stop Justifying it!
You are no better than a petty thief. Stop stealing other people's IP.

Re:Piracy is wrong - plain and simple (0)

Anonymous Coward | more than 6 years ago | (#23996637)

Because you know, all of bittorrent is used for illegal stuff

Re:Piracy is wrong - plain and simple (0)

Anonymous Coward | more than 6 years ago | (#23996653)

cool.. keep your 'awesome' ideas locked away and no one will steal them from you. Maybe you IP whores should try building bridges to new places instead of troll-guarding common sense.

Re:Piracy is wrong - plain and simple (-1, Troll)

lewp (95638) | more than 6 years ago | (#23996725)

I'm sorry, it's just that these thieves make me so damn mad.

You know who you are.

THIEVES!

Re: Re:Piracy is wrong - plain and simple (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23996775)

How can there be a "Re:Piracy is wrong - plain and simple" when there was no "Piracy is wrong - plain and simple" ??

Re:Piracy is wrong - plain and simple (4, Funny)

Jesus_666 (702802) | more than 6 years ago | (#23996767)

And not just IP! When I'm done stealing IP I'll steal BGP and ICMP!

The internet will be mine, mine! Mwa ha ha ha ha ha ha!

Re:Piracy is wrong - plain and simple (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23997083)

Flamebait/troll...

But just to make sure you understand: File sharing is NOT theft! - There is no loss involved as the subject is copied, not transferred.

I myself download some movies as a way of sampling them before either deleting them or buying the DVD/Blu-ray. I don't keep the downloaded copy around - it's always deleted, either right away (because the movie is crap) or when I buy the DVD. So my copies don't cost anybody anything; no loss and thus no theft.

Port 25 (2, Interesting)

bwave (871010) | more than 6 years ago | (#23996567)

Now if we could just find a way to get around them blocking port 25! Pretty inconvenient for those who need to send work email from home.

Re:Port 25 (3, Insightful)

PIBM (588930) | more than 6 years ago | (#23996615)

Easy.

Get a real ISP.

Re:Port 25 (1)

bwave (871010) | more than 6 years ago | (#23996851)

My only two choices are Comcast and Verizon Wireless. (not dsl) Both are $60 a month, but Comcast is 8mbps/2mbps vs. 144kbps max.

Re:Port 25 (1)

whoever57 (658626) | more than 6 years ago | (#23996837)

Now if we could just find away to get around them blocking port 25!

Try using port 587 or better still, 465 (with SSL/TLS)

Re:Port 25 (1)

bwave (871010) | more than 6 years ago | (#23996927)

Ok, but SMTP is a standard. Why purposely block part of the Internet? What's next, block port 587? How about we block traffic from 00:00 to 08:00 every day? Sure, I can use webmail or remote login to another machine to send mail, but why should I have to?

Re:Port 25 (1)

SolidAltar (1268608) | more than 6 years ago | (#23996993)

>Ok, but SMTP is a standard. Why purposely block part of the Internet?

Correct me if I'm wrong but don't viruses that infect consumer PCs use them as spam relays? Blocking port 25 on consumer IP ranges helps solve this problem, right?

Blocking port 25 is an entirely responsible measure by an ISP and I fully support it. AS LONG as there is a way to OPT-OUT of the blocking. If not they are just dicking around with my connection.

Re:Port 25 (1)

socsoc (1116769) | more than 6 years ago | (#23997121)

I agree. Block it on consumer ranges and let people ask for access (and give it to them). I'd think that most people who want access also know the possible repercussions. It's the spammy virus from grandma clicking on spyware that they are wanting to block and kudos to them for doing so.

This is why most corporate networks block port 25, except from the mail server. Seems to be along similar lines...

Re:Port 25 (2, Informative)

Mr. Slippery (47854) | more than 6 years ago | (#23996843)

Shouldn't you be using port 587 [ietf.org] for that?

Re:Port 25 (2, Informative)

awdau (1108639) | more than 6 years ago | (#23996847)

All _decent_ mail servers allow for the submission of email on TCP port 587. So you could send your work emails that way.
Or VPN into work and send emails that way.
Or even use your ISP's mail server to send the emails (though you might be hit an obstacle like SPF).

This Account Has Exceeded Its CPU Quota (3, Funny)

Alsee (515537) | more than 6 years ago | (#23996589)

Now he needs to add a rule to iptables to save the webserver from the Slashdot effect.


Usenet (3, Informative)

Anonymous Coward | more than 6 years ago | (#23996593)

Well if you are doing something illegal (like downloading music from bands under the RIAA), not that I condone it, but Usenet would be the best choice.

First of all your provider probably doesn't throttle downloads. Second of all your IP doesn't get sent out to everyone and their mother, the only people that know it are your ISP and Usenet provider.

tl;dr: Usenet binary groups FTW

Re:Usenet (5, Funny)

BiggerIsBetter (682164) | more than 6 years ago | (#23997113)

The first rule of Usenet is, you do not talk about usenet.
The second rule of Usenet is, YOU DO NOT TALK ABOUT USENET.

Fscking n00bs.

I wonder if they will simply start disconnecting. (4, Insightful)

Zombie Ryushu (803103) | more than 6 years ago | (#23996605)

I wonder if they will just say that blocking their RST Packets is a violation of TOS and disconnect you.

Re:I wonder if they will simply start disconnectin (3, Insightful)

Anonymous Coward | more than 6 years ago | (#23996669)

Of course, they could have just kicked you for using bittorrent in the first place, if they wanted to.

But they want your money.

They were hoping they could slow down bittorrent enough to not cause anyone to leave, but still get an under the table payoff from the *AA groups. I'm sure they'll keep tweaking and keep watching their subscription numbers.

Re:I wonder if they will simply start disconnectin (0)

Anonymous Coward | more than 6 years ago | (#23996801)

I think that would make my day, actually. I've already got a DSL line, so I won't even feel it. They will though, when I cancel my cable television service which costs me considerably more than my cable internet each month. We've finally got fiber service here, too. Teeheehee.

Article \.'ed (2, Informative)

poormanjoe (889634) | more than 6 years ago | (#23996619)

Related link [tweak3d.net] here.

Which rule? (1)

bogaboga (793279) | more than 6 years ago | (#23996635)

I'd like to know which rule does the magic. Can some one please paste one here....thanks.

Re:Which rule? (2, Funny)

Hawthorne01 (575586) | more than 6 years ago | (#23996651)

Rule #6.

Re:Which rule? (1, Informative)

Anonymous Coward | more than 6 years ago | (#23996743)

If you are tired of Sandvine (the application used by Comcast to throttle Bit Torrent with fake TCP packet resets) screwing with your BitTorrent and a user of GNU/Linux, then this is for you. I will tell you how to take your bandwidth back.

If you are using a Red Hat Linux derivative, such as Fedora Core or CentOS, then you will want to edit /etc/sysconfig/iptables. First, make a backup of this file. Next, open this file in your favorite text editor. Replace the current contents with this, substituting 6883 with your BitTorrent port number:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Comcast BitTorrent seeding block workaround
-A INPUT -p tcp --dport 6883 --tcp-flags RST RST -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# BitTorrent
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6883 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 6883 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Reload your iptables firewall with service iptables restart. You should now see a great improvement in your seeding.

If you are using Ubuntu or another non-Red Hat Linux derivative, then place the following in a file and execute that file as root.

#!/bin/sh
# Replace 6883 with your BT port
BT_PORT=6883

# Flush the filters
iptables -F

# Apply new filters
iptables -A INPUT -i lo -j ACCEPT
# Comcast BitTorrent seeding block workaround
iptables -A INPUT -p tcp --dport "$BT_PORT" --tcp-flags RST RST -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# BitTorrent
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport "$BT_PORT" -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport "$BT_PORT" -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Your firewall is now configured and you should have great upload speed now. You will have to run this script every boot, by the way. One easy way is to call the script at the end of /etc/rc.local.
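Both rule sets above, like Fallen Kell's one-liner earlier in the thread, scope the RST drop to the BitTorrent port; Jeffrey Baker's warning is that an RST drop without a port match also discards genuine resets from every peer and leaves sockets hanging. The following lint, an added example that is not code from the thread or from any poster, parses rules in either the iptables-save form of the Red Hat file or the command form of the script, finds every rule that DROPs packets carrying the RST flag, and reports whether it is limited to a port. The function and type names and the sample rule text are this example's own constructions.

```python
"""Lint for iptables rules that discard TCP resets.

Added example, not code from the thread. Accepts iptables-save lines
("-A INPUT ...") and command lines ("iptables -A INPUT ..."), finds rules
that DROP packets with the RST flag set, and flags any that is not
restricted to a port: such a rule also throws away legitimate resets from
every peer. The sample rules below are constructed for this example.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Finding:
    rule: str
    scoped: bool            # True when a --dport/--sport style match is present
    port: Optional[str]     # the port expression if scoped


def _tcp_flags_compared(tokens: List[str]) -> Optional[Set[str]]:
    """Flags in the COMP half of '--tcp-flags MASK COMP', or None if absent."""
    if "--tcp-flags" not in tokens:
        return None
    i = tokens.index("--tcp-flags")
    if i + 2 >= len(tokens):
        return None          # malformed: MASK or COMP missing
    return set(tokens[i + 2].split(","))


def _option_value(tokens: List[str], *names: str) -> Optional[str]:
    """Value of the first of *names present, written as '--opt val' or '--opt=val'."""
    for n in names:
        for k, t in enumerate(tokens):
            if t == n and k + 1 < len(tokens):
                return tokens[k + 1]
            if t.startswith(n + "="):
                return t.split("=", 1)[1]
    return None


PORT_OPTIONS = ("--dport", "--destination-port", "--sport", "--source-port",
                "--dports", "--sports")


def lint_rst_drop_rules(text: str) -> List[Finding]:
    """One Finding per rule that drops RST-flagged TCP packets."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        # Skip comments, table/chain headers and COMMIT from iptables-save output.
        if not line or line[0] in "#:*":
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0] == "iptables":
            tokens = tokens[1:]
        if not tokens or tokens[0] not in ("-A", "-I", "--append", "--insert"):
            continue
        flags = _tcp_flags_compared(tokens)
        target = _option_value(tokens, "-j", "--jump")
        if not flags or "RST" not in flags or target != "DROP":
            continue
        port = _option_value(tokens, *PORT_OPTIONS)
        findings.append(Finding(line, scoped=port is not None, port=port))
    return findings


def unscoped_rst_drops(text: str) -> List[str]:
    """The rules a reviewer should push back on: RST drops with no port match."""
    return [f.rule for f in lint_rst_drop_rules(text) if not f.scoped]


SAMPLE_RULES = """
# constructed sample: the thread's two rule styles plus one over-broad rule
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 6883 --tcp-flags RST RST -j DROP
-A INPUT -p tcp --tcp-flags RST RST -j DROP
iptables -I FORWARD 3 -p tcp --dport 36745 --tcp-flags RST RST -j DROP;
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for f in lint_rst_drop_rules(SAMPLE_RULES):
        status = f"scoped to port {f.port}" if f.scoped else "UNSCOPED: drops every RST"
        print(f"{status}: {f.rule}")
```

Run it against the output of iptables-save (or the script itself) before deploying; a scoped rule still drops genuine resets from peers on that one port, which the thread accepts as the lesser problem, but an unscoped one affects every TCP connection the host has.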

Re:Which rule? (4, Informative)

spoop (952477) | more than 6 years ago | (#23996773)

I've had this command in my WRT54GL running DD-WRT for a while: iptables -A INPUT -p tcp --dport 39984 --tcp-flags RST RST -j DROP just replace 39984 with whatever post you use for bittorrent

Re:Which rule? (0)

Anonymous Coward | more than 6 years ago | (#23997059)

post/port

Re:Which rule? (2, Funny)

madsenj37 (612413) | more than 6 years ago | (#23997043)

Rule 34 [encycloped...matica.com]

First it was email and spam, then it was content.. (4, Insightful)

kandresen (712861) | more than 6 years ago | (#23996649)

There are no better reasons, and it is not any easier, for ISPs to block or rate-limit our web use than it is to centrally control spam. People are different, and have different needs, plain and simple.

Who should have priority, and how to determine it? I can guarantee that if it is a packet flag, then spammers, virus writers, and even bit torrent users will find a way to use it. And regardless, consider the following:

- Which priority should online Live football have from site X? Should it have over the one from site Y, and Z, and the 1000+ others with different commentators and different languages?
- What if you rather wanted live games? Or Live online music concerts? What should have higher priority?
- What about your live online video rentals - stream from Netflix over one from Blockbuster or should maybe your own ISP be allowed to rate limit all the competition to sell their own?
- What about my VoIP from Skype over Vonage, Gizmo, Provider X,Y,Z?
- What about Online games from Xbox 360 above Playstation 3?

Who is to set the priorities? How on earth should the ISP know what my priorities are? How on earth should the football channel know they should not send with the highest priority flags?

And there is also a much easier way that leaves the internet neutral:
As with e-mail spam filtering - let the settings be neutral from the ISP side, then let us set up our own profile or custom rules for the downstream traffic.

Re:First it was email and spam, then it was conten (3, Interesting)

kandresen (712861) | more than 6 years ago | (#23996747)

By the way - while on it - if they are to rate-limit live sports events and so on, they MUST prioritize the version for the hearing impaired, which has a square with a commentator speaking in sign language in the corner, ABOVE the one for the rest. This simply because it is illegal to discriminate against the hearing impaired and everyone is able to see the screen even though a part of it might not be of such interest to most of us. Of course - if the hearing impaired could set these options themselves, then we don't need to degrade the performance for those not hearing impaired either.

Re:First it was email and spam, then it was conten (1)

ross.w (87751) | more than 6 years ago | (#23996905)

Wouldn't subtitles be easier? Like they do on DVDs.

Re:First it was email and spam, then it was conten (1)

1u3hr (530656) | more than 6 years ago | (#23997081)

Wouldn't subtitles be easier? like they do on DVD

If they could get someone who could transcribe them in real time. Possible, I guess, stenographers need to be able to do something like that.

Re:First it was email and spam, then it was conten (0)

Anonymous Coward | more than 6 years ago | (#23997025)

so that makes it right or legal to discriminate against the people who are not hearing impaired?
hmm seems like another lawsuit...

Re:First it was email and spam, then it was conten (0)

Anonymous Coward | more than 6 years ago | (#23996913)

Yes, but you use the term 'priority' with careless abandon. It's like 'Joe should have to wait for Fred' is an assumption automatically made. Give your head a shake (big shake). In 2000 and the years just before and after, a lot (A LOT!!) of fiber went into the ground. Much of it is still dark. At the same time, compression algorithms made the amount of data (lossless data) that you could send increase dramatically. Neither group was expecting the other. What resulted was enough bandwidth to increase data traffic by several million times. Now that people are actually starting to use some (not all yet) of that bandwidth, noise is being made. The real issue is business wanting to put meters on everything. Greed is the issue. ISPs are selling web TV and don't want P2P. Same traffic amount. One is free, and one you pay for. (Actually with web TV you pay twice, with P2P you pay once only.) That's the issue. Net neutrality is about giving people what they paid for. Any nonsense about 'bandwidth' is rubbish.

encryption (5, Interesting)

socsoc (1116769) | more than 6 years ago | (#23996659)

As a Comcast customer, I've never had my torrents completely stop, they just go around 300k... I did notice a speed increase when I chose to encrypt the traffic (uTorrent has it under Speed Guide).

Comcast is evil and I want them to DIAF, but my torrents, which are legal, haven't been that impacted.

When I want fast, I use the Comcast sponsored newsgroups through Giganews.

Re:encryption (1)

Uther_Dark (1314195) | more than 6 years ago | (#23996807)

Unfortunately, Comcrap is all that's available in my area; we won't see them (or other ISPs) using this practice cut it back till there is more competition... and in my area, we won't get any for a long time. Makes me yearn for the days of the BBS...

Non-issue (0)

Anonymous Coward | more than 6 years ago | (#23996749)

It doesn't matter because we all use bit-torrent for legal purposes, and 99.9% of those provide HTTP downloads, too, amirite?

Re:Non-issue (1)

destruk (1136357) | more than 6 years ago | (#23996771)

Yeah, I downloaded Fedora Linux in about 3 hours - 4 CD-Rs, with BitTorrent. And that old Diablo game demo was on BitTorrent too - free/shareware variety. It seems they didn't mess with the bandwidth for those at all.

The ISP is a hacker! (1)

suck_burners_rice (1258684) | more than 6 years ago | (#23996769)

In any kind of digital dialogue between computers over the Internet, a third party may send packets that are either malformed or are valid but are not part of the conversation. This is done to cause a number of effects that are not desired by the communicating parties. A common example is an attempt to break in to a system. Another example is the classic man-in-the-middle attack. Yet another example is the denial of service attack, which can take many forms.

Perhaps by shifting our thinking a bit, we'll find that these reset packets sent by ISPs to throttle certain types of connections represent the latter form of third party communication, designed to achieve denial of service! The ISP, then, is a "hacker" (for the mass media and Joe Luser definition of "hacker").

My experience (1)

jimmyhat3939 (931746) | more than 6 years ago | (#23996793)

Back a few years ago I did a lot of BT downloading. More recently, my only experience was in downloading a copy of Fedora 9. Surprisingly, Comcast was even hitting me with this RST garbage on that download. Pretty tiresome. If they're going to filter BT at least they could provide us some way to identify our transfers as "legitimate."

Not to mention the fact that, seeing as I do very little BT, why did they target me so quickly?

Re:My experience (0)

Anonymous Coward | more than 6 years ago | (#23996981)

If they're going to filter BT at least they could provide us some way to identify our transfers as "legitimate."


hahahahahahhahahahaha

bwahahahahahah

hahahahahahahaha

Re:My experience (0)

Anonymous Coward | more than 6 years ago | (#23997045)

COMCAST does not care if your torrents are legit or pirate wares. They care that BitTorrent is extremely aggressive when left at default settings, no matter the content at all.

Mirror (3, Informative)

Easy2RememberNick (179395) | more than 6 years ago | (#23996863)

I believe this is it

http://www.networkmirror.com/rdDEvxh7svNGl9W1/tuxtraining.com/2008/06/21/beating-sandvine-on-linux-with-iptables/index.html

The Slashdot Effect strikes again . . . (1)

Cyberllama (113628) | more than 6 years ago | (#23996903)

If only they could have found a way to block packets from Slashdotters on their webserver . . .

What about Windows AVG suite? (2, Interesting)

LM741N (258038) | more than 6 years ago | (#23996911)

It appears I have control over ICMP packets with my AVG firewall. What exactly should I be doing, ie which packets need to be blocked as they have numbers and no description? Thanks

Re:What about Windows AVG suite? (0)

Anonymous Coward | more than 6 years ago | (#23997103)

TCP reset packets aren't ICMP packets. They're TCP packets. And there's no way to tell the forged ones from the real ones, so the only thing you can do is filter them all, which breaks TCP. And it doesn't help either, because they send one to the other guy too and he's not filtering them so the connection is closed anyway.

Comcast has moved on; now they're delaying packets (5, Interesting)

SuperBanana (662181) | more than 6 years ago | (#23996915)

They recently bumped up service to a full megabit upload speed, mostly because of Verizon FiOS service (which still isn't available anywhere in MA except the rich white suburbs- Boston's completely "dark", yet surrounded by towns and cities which have it.) However, if you use it past the old limit (384kbit), after a few minutes, latency skyrockets.

It takes anywhere from a minute to several minutes to kick in, but when it does, ping times to Google jumped from 20-30ms to over 300ms. Sometimes I found ping times would be *seconds* long, and ssh became almost completely unresponsive. Curiously, none of the packets would actually be dropped - they'd just be very, very badly delayed.

Seems very clearly designed to a) look the same as Verizon "on paper", b) satisfy people who want to email photos of the kids to grandma and grandpa (I will admit, it's insanely nice to be able to upload at four times the speed, when it works).

Verizon is coming to Southeast MA... (0, Offtopic)

Doug52392 (1094585) | more than 6 years ago | (#23997097)

This is off topic, but southeastern MA is going to be getting FiOS soon. My relatives, who live in Braintree, had Verizon people working for a month to get everything set up in that city; now they're moving to southeastern MA. So I should have Verizon available soon :)

IPFW rule (2, Informative)

Spaham (634471) | more than 6 years ago | (#23997003)

I believe that this rule should work for macos X ipfw :
sudo ipfw add 100 drop tcp from any to any 6881 tcpflags rst

change 100 for the rule number that fits in your list
change 6881 for your bittorrent port number

feel free to correct me !

Re:IPFW rule (2, Informative)

darkonc (47285) | more than 6 years ago | (#23997099)

That should probably be

sudo ipfw add 100 drop tcp from any to me 6881 tcpflags rst in via en0

(I can't remember the exact syntax, right now)... The point is that you want to allow yourself to send RSTs outbound, but ignore them inbound on your internet-facing port.
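Two points raised in this thread, the reply above that RSTs are TCP segments rather than ICMP and these ipfw rules that drop inbound RSTs on the BitTorrent port, as one added Python example. It is not code from the linked article or from any commenter. It parses raw IPv4/TCP headers from packets constructed inline (the addresses, port 6881 and the 8192-byte receive window are assumptions), implements the stateless drop rule the thread discusses, and then goes one step beyond the thread: a stateful check in the style of RFC 5961, which accepts an inbound RST only when its sequence number is exactly the next one expected on that flow and otherwise challenges or drops it, so a blind injector that does not know the sequence number cannot tear the connection down while a genuine RST still can.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, proto, ttl, l4):
    """Constructed IPv4 packet for offline testing (checksum left zero; not captured traffic)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr + l4


def build_tcp(sport, dport, seq, ack, flags, window=8192, data=b""):
    """Constructed 20-byte TCP header (data offset 5) plus optional payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + data


def parse_ipv4(pkt):
    """Return (proto, ttl, src, dst, l4_bytes) from a raw IPv4 packet."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return proto, ttl, src, dst, pkt[ihl:total_len]


def parse_tcp(seg):
    """Return (sport, dport, seq, ack, flags, window, data) from a TCP segment."""
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    data_off = (off_flags >> 12) * 4
    return sport, dport, seq, ack, off_flags & 0x01FF, window, seg[data_off:]


def classify(pkt):
    """'icmp', 'tcp-rst', 'tcp' or 'other'. RST is a flag bit in the TCP header; an ICMP filter never sees it."""
    proto, _ttl, _src, _dst, l4 = parse_ipv4(pkt)
    if proto == IPPROTO_ICMP:
        return "icmp"
    if proto != IPPROTO_TCP:
        return "other"
    return "tcp-rst" if parse_tcp(l4)[4] & TCP_RST else "tcp"


def stateless_drop(pkt, bt_port):
    """The rule from the thread in code: drop any inbound TCP segment to bt_port with RST set
    (what 'iptables -A INPUT -p tcp --dport 6881 --tcp-flags RST RST -j DROP' or the ipfw line
    above expresses). It cannot tell a forged RST from a genuine one: both are dropped."""
    if classify(pkt) != "tcp-rst":
        return False
    return parse_tcp(parse_ipv4(pkt)[4])[1] == bt_port


class RstFilter:
    """Stateful alternative: remember each inbound flow's expected next sequence number and apply
    the RFC 5961 acceptance rule to RSTs. seq == rcv_nxt -> accept (the RST is plausible);
    elsewhere inside the window -> 'challenge' (a real stack answers with a challenge ACK rather
    than tearing the connection down); outside the window -> drop. A blind injector that does not
    know the exact sequence number lands in the last two buckets. In-order delivery is assumed."""

    def __init__(self, local_window=8192):   # assumed receive window for this example
        self.local_window = local_window
        self.flows = {}                        # (src, sport, dst, dport) -> rcv_nxt

    def observe(self, pkt):
        proto, _ttl, src, dst, l4 = parse_ipv4(pkt)
        if proto != IPPROTO_TCP:
            return "ignore"
        sport, dport, seq, _ack, flags, _win, data = parse_tcp(l4)
        key = (src, sport, dst, dport)
        if flags & TCP_RST:
            if key not in self.flows:
                return "drop"                  # RST for a flow we never saw: nothing to reset
            rcv_nxt = self.flows[key]
            if seq == rcv_nxt:
                del self.flows[key]
                return "accept"
            if ((seq - rcv_nxt) & 0xFFFFFFFF) < self.local_window:
                return "challenge"
            return "drop"
        # SYN and FIN each consume one sequence number; payload bytes consume len(data).
        consumed = len(data) + (1 if flags & TCP_SYN else 0) + (1 if flags & TCP_FIN else 0)
        self.flows[key] = (seq + consumed) & 0xFFFFFFFF
        return "pass"


if __name__ == "__main__":
    # Constructed sample flow: a peer handshakes to our BitTorrent port, sends the protocol
    # header, then three RSTs arrive: one blind guess, one in-window guess, one exact.
    peer, me = "203.0.113.7", "198.51.100.10"
    f = RstFilter()
    for seg in (build_tcp(51234, 6881, 1000, 0, TCP_SYN),
                build_tcp(51234, 6881, 1001, 1, TCP_PSH | TCP_ACK, data=b"\x13BitTorrent protocol"),
                build_tcp(51234, 6881, 999999, 1, TCP_RST),
                build_tcp(51234, 6881, 1500, 1, TCP_RST),
                build_tcp(51234, 6881, 1021, 1, TCP_RST)):
        pkt = build_packet(peer, me, IPPROTO_TCP, 64, seg)
        print(classify(pkt), stateless_drop(pkt, 6881), f.observe(pkt))
```

The stateless rule is exactly what the iptables and ipfw commands in this thread express, and the earlier caveat still stands: the remote peer receives a forged RST of its own, so unless it also ignores them the connection is closed from the other side regardless of what your firewall does.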

Hmm ... (0)

Anonymous Coward | more than 6 years ago | (#23997065)

gg comcast?

in all seriousness, encryption is a bitch for companies who want to spy on us and limit our freedoms on the internet. as another user pointed out, utorrent has a feature for encryption -- you should use it.

Do you need to be connected to the cable modem? (1)

Doug52392 (1094585) | more than 6 years ago | (#23997107)

Just a question, do you need to have your Linux PC connected directly to Comcast's cable modem for this to work? It sounds to me like you do, but my PC is in my room, and we have a wireless router connecting everything.