100 Comments
- inactive, on 10/10/2007, -5/+33
This is pretty ingenious. Basically, they've noticed that Comcast is sending RST packets to close the connections, and this configures the firewall to drop them. For those who notice that it still allows ICMP in, I believe the author's intention was to only remedy the Comcast issue but keep normal function, and for those who don't run a firewall at all, ICMP can get in. If you know what you're looking at when you read the code and want ICMP blocked, remove that line - it won't break the fix.

- qwuinc, on 10/15/2007, -5/+29
This looks really fishy... it seems to accept loopback & ICMP packets, drop the RST packets (some people commented on Digg and /. that it will NOT help, quite the contrary), accept new TCP/UDP connections, and reject the rest of the packets - the hell? There isn't even any reference to related/established packets...
So, what was the author smoking?

- shakajumbo, on 10/10/2007, -2/+22
*AArrghh* Must resist.... ***** joke........

- alricsca, on 10/10/2007, -0/+18
I still do not understand why no one is suing Sandvine and Comcast for creating fraudulent packets. The drop connection request that Sandvine is using impersonates other ISPs' and networks' packets exactly. How is this legal? It would be like writing mail in another company's name, or calling and pretending to represent one company when you belong to another. This is hacking, very black hat.

- baalzebub, on 10/10/2007, -3/+20
I agree, I won't compromise my firewall just for BitTorrent, which works fine behind my iptables firewall; my provider does not filter anything. I would change providers first...
Comcast has been crap for years...

- opusagogo, on 10/10/2007, -2/+15
Won't this just queue up a bunch of unclosed connections until the program runs out of file descriptors and panics? And create a huge memory leak? Can somebody post a tcpdump of the RST packet? Thanks.

- CrAkaRJax, on 10/10/2007, -2/+14
How do you tell if your bandwidth is shaped? That would be a diggable article.

- funchords, on 10/10/2007, -10/+22
Concast's forged RST is sent both ways -- not just to the Comcast customer. Nothing that you do to your local firewall will keep your distant peer from receiving the forged RST and tearing down the connection on that end.
Buried: This article is inaccurate.

- CamZak, on 10/10/2007, -2/+11
Most people I know who torrent are behind routers... when you're on your own LAN you don't quite have to worry so much about setting up a firewall on each and every PC.

- thecubic, on 10/10/2007, -3/+12
Don't do this. When you DROP RST packets, that means that EVERY TCP connection hangs open until a very, very long timeout, turning BitTorrent into a user-initiated DoS attack on your machine. Yeah, this _will_ stop Comcast's behavior, but you're screwed.
Also, you wouldn't need any reference to related/established packets - when an RST comes it only applies to a related/established connection. (See: Connection Reset by Peer)
// Linux systems administrator

- Tobark, on 10/10/2007, -3/+10
Not really.
I have no alternatives. DSL... too far. T1... yeah right. No FiOS yet. Dialup? LOL

- luchid, on 10/10/2007, -1/+8
Tor was NOT meant to be used for P2P, and by using it for such activities you are bogging down the service for everyone with a legitimate use for it.

- Vektuz, on 10/10/2007, -1/+8
Tor would stop functioning completely if people used it for P2P traffic.

- j0kerz, on 10/10/2007, -4/+10
Can someone verify this actually works?

- Canumbler, on 10/10/2007, -0/+6
Azureus is quite a ways above the TCP layer; it has no exposure to this sort of thing.
Layer 3 (I think I remember that right) can only be screwed with by the OS, hence Linux iptables.
I don't know what the equivalent would be with Windows, but considering the general state of their network stack I imagine it wouldn't be worth it.
That said, other posters are correct: as the RST packets are sent to both ends, it's not really going to help much unless every client starts doing it.

- DontSayFanboy, on 10/10/2007, -0/+6
pssst! on'tday alktaay aboutaay usenetay

- clearzen, on 10/10/2007, -4/+9
By who?

- dleifelohcs, on 10/10/2007, -2/+7
Linux torrents were never gone. Comcast doesn't BLOCK torrents, they just limit them. And they limit them ALL. Comcast has always limited and shaped traffic. That's why you get 8 Mbit DOWN and 768 kbps (or whatever) UP. They never wanted you to run webservers that would stress their system out, and just the same they don't want you to run torrent servers that will do the same.
I ditched Comcast because it was too pricey. $80/mo for cable Internet and basic cable TV was too much. Verizon sucks just as much, with my 768 kbps/128 kbps connection being quite slow, but at $30/mo or so including a landline, it's at least more reasonably priced.

- baalzebub, on 10/10/2007, -1/+6
I would too. Why pay 80 bucks a month for unused (unusable) bandwidth...

- trunkster, on 10/10/2007, -1/+6
Comcast is stopping seeding, at least in Washington State. My upload drops, and if I try creating a torrent and then seeding it... it uploads for a few seconds and stops. This even happens with Comcast users now.

- Ebacherville, on 10/15/2007, -1/+6
Wish this were true, P2P would make Linux the #1 OS of choice :)
Time to find P2P-safe ISPs.. Really, P2P doesn't make you a pirate.. you can download terabytes of free open stuff on P2P and be totally legal..
That's like banning cars because you can kill people with them. Do your part: ban the P2P-blocking ISPs from your money.. boycott them and tell all your friends not to use them because they filter your connection; they will fall out of use quickly.

- Tenoq, on 10/10/2007, -0/+4
Those running Linksys WRT54G/GL routers can use a custom firmware to time out TCP connections earlier than normal. This should prevent holding too many open and killing your net connection. Lot of effort though. Changing provider is a better choice, if you can. If you can't, complaining to your local government representative would be a good step. Moving would be next. I'm buying soon, and I will be considering broadband access as a key criterion for property purchase.

- MxxCon, on 10/10/2007, -1/+5
Here it is: http://torrentfreak.com/images/comcast-rst1.txt

- paradexes, on 10/10/2007, -0/+4
It was the same way in the AOHELL (AOL) heyday. They did well and then got pwned because their customer service sucked so bad. Part of it is due to corporate-friendly government. Hopefully the next incoming government does a better job of handling this mess. They can regulate the crap out of them.
This hack won't really work.

- Phatt138, on 10/10/2007, -1/+5
If you're using BitTorrent and seeing many hundreds of peers that you never connect to, have the connection entirely drop out once in a while, suffer severe slowdowns in all network functions while actively downloading a torrent, or see plenty of peers but never get above ~30kb/s, then you're suffering from this problem.
Suffice it to say that if you've used BitTorrent -before- the new shaping measures and after, you'll be able to tell the difference.

- Enuratique, on 10/10/2007, -2/+6
Yes, it is. Both parties need to ignore the RST packet in order to keep the connection live. Read the TCP/IP protocol if you like [http://www.night-ray.com/TCPIP_State_Transition_Diagram.pdf]. If the other party properly handles the RST flag (because a firewall didn't block the packet), then it will enter the passive listen-for-new-connection state while the other party continues to send information. Those data packets aren't acknowledged, eventually time out, and then the connection itself times out.

- benplaut, on 10/10/2007, -2/+5
OK FOLKS!!
I just tried this on my virtual machine (Debian). It seemed to do "something," and it half worked, but the connection was unbelievably slow.

- luchid, on 10/10/2007, -1/+4
Why is he getting dugg down? It was a perfectly valid question and request, and would be useful for anyone with a router capable of iptables filtering...

- clearzen, on 10/10/2007, -2/+5
That doesn't work duuude..... it's called deep packet inspection.

- jzp-digg, on 10/10/2007, -1/+4
Read your customer service agreement.

- rootstyle, on 10/10/2007, -0/+3
There are some test suites out there to detect the presence of QoS shaping, as it's been a problem with carrier-to-carrier, GRE and MPLS style connections.. however it's not a simple task, nor very definitive, and something an end user really can't do. I can't think of the name of the one I had used before, but if I do I will post it in the thread.

- rootstyle, on 10/10/2007, -0/+3
Do you understand what deep packet inspection is? They don't decrypt the traffic, they look for traffic patterns, i.e. heuristic analysis. The product is called P-Cube; it's a company Cisco bought. Don't flame when you are just being ignorant.
Some ISPs have already put it into place, and encryption doesn't fix it (although it may help throw it off a bit). These are just cost-saving measures, that's the unfortunate bottom line.

- yamyogurt, on 10/10/2007, -1/+3
I have the same problem and I'm using Cox.

- sloppychris, on 10/10/2007, -1/+3
Would this harm my system if I tried it? Not really sure if this is the right place to ask, but it's worth a shot.

- DigDugDigger, on 10/10/2007, -1/+3
I haven't tried this, but try torrenting a Linux distribution or something else you'd expect to get very high speeds with.

- redhatcat, on 10/10/2007, -0/+2
It may not be in your area... yet. In Colorado and many other places, they are. You can use tcpdump to verify that you are receiving illegitimate RSTs.
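redhatcat's comment above suggests tcpdump as the way to check whether the RSTs you receive are legitimate, and opusagogo asked earlier what such a packet looks like. The following is an added example written for this page (it is not code from the comment thread or from the script under discussion): it parses text in the two-line shape of `tcpdump -nnv` output and flags RST segments whose IP TTL does not agree with the TTL the same peer used on its other packets, the usual first hint that a reset came from a box in the middle of the path rather than from the peer. The capture text, the addresses (203.0.113.10 as the peer, 192.0.2.5 as the local host) and the TTL tolerance of 4 hops are all constructed for the example; the tolerance is an assumed value, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -nnv` output (two lines per packet).
# It is NOT a real capture: 203.0.113.10 stands for a remote peer, 192.0.2.5 for
# the local host. The fifth packet models an RST injected by a middlebox: it
# carries the peer's addresses but a TTL that does not fit the peer's other packets.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP (tos 0x0, ttl 52, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.51413 > 192.0.2.5.6881: Flags [S], seq 1000, win 65535, length 0
12:00:00.000200 IP (tos 0x0, ttl 64, id 200, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.5.6881 > 203.0.113.10.51413: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:00.000300 IP (tos 0x0, ttl 52, id 101, offset 0, flags [DF], proto TCP (6), length 52)
    203.0.113.10.51413 > 192.0.2.5.6881: Flags [.], ack 5001, win 65535, length 0
12:00:00.100000 IP (tos 0x0, ttl 52, id 102, offset 0, flags [DF], proto TCP (6), length 1500)
    203.0.113.10.51413 > 192.0.2.5.6881: Flags [P.], seq 1001:2449, ack 5001, win 65535, length 1448
12:00:00.150000 IP (tos 0x0, ttl 244, id 0, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.10.51413 > 192.0.2.5.6881: Flags [R], seq 2449, win 0, length 0
12:00:05.000000 IP (tos 0x0, ttl 52, id 103, offset 0, flags [DF], proto TCP (6), length 40)
    203.0.113.10.51413 > 192.0.2.5.6881: Flags [R.], seq 2449, ack 5001, win 0, length 0
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+), id (?P<id>\d+),.*\)$")
TCP_RE = re.compile(
    r"^\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)


def parse_tcpdump(text):
    """Turn tcpdump -v style text (IP header line + TCP line per packet) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    packets = []
    for header, body in zip(lines[0::2], lines[1::2]):
        h, t = HEADER_RE.match(header), TCP_RE.match(body)
        if not (h and t):
            continue  # not an IPv4/TCP pair in the expected shape; skip it
        packets.append({
            "ts": h["ts"], "ttl": int(h["ttl"]), "ip_id": int(h["id"]),
            "src": t["src"], "sport": int(t["sport"]),
            "dst": t["dst"], "dport": int(t["dport"]),
            "flags": t["flags"],
            "seq": int(t["seq"]) if t["seq"] else None,
            "ack": int(t["ack"]) if t["ack"] else None,
        })
    return packets


def find_suspicious_rsts(packets, ttl_tolerance=4):
    """Flag RST segments whose IP TTL does not match what the same endpoint used
    for its non-RST traffic. A host's hop distance is stable over a short capture,
    so a reset generated somewhere on the path usually arrives with a different
    TTL. The tolerance is an assumed value chosen for this example."""
    ttl_samples = defaultdict(list)   # (src ip, src port) -> TTLs seen on non-RST packets
    flagged = []
    for p in packets:
        endpoint = (p["src"], p["sport"])
        if "R" not in p["flags"]:
            ttl_samples[endpoint].append(p["ttl"])
            continue
        samples = ttl_samples.get(endpoint)
        if not samples:
            reason = "RST from an endpoint that sent nothing else in this capture"
        else:
            typical = sorted(samples)[len(samples) // 2]   # median TTL of the endpoint
            if abs(p["ttl"] - typical) <= ttl_tolerance:
                continue   # TTL consistent with the peer: treated as a genuine RST
            reason = f"RST ttl {p['ttl']} vs typical {typical} for {p['src']}:{p['sport']}"
        flagged.append(dict(p, reason=reason))
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_rsts(parse_tcpdump(SAMPLE_CAPTURE)):
        print(hit["ts"], hit["reason"])
```

Run against the constructed capture, only the TTL-244 reset is reported; the later `[R.]` from the same peer carries the TTL the peer used throughout, so it is left alone. On a real capture, feed it `tcpdump -nnv 'tcp[tcpflags] & tcp-rst != 0 or ...'` style output that includes the peer's normal packets too, since the check needs a baseline per endpoint; TTL alone is a heuristic, and a hit is a reason to look closer, not proof.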
- AMadeUpName, on 10/10/2007, -1/+3
DON'T DO THIS!!!! When a peer actually sends an RST packet you will not get it, leaving the connection open till it times out. So if you are doing a bunch of transfers you are effectively DoSing yourself.
Now I am not saying what they are doing is not shady and evil and full of crap, but I worked for an ISP a while back, and the reason Comcast is trying to screw with BitTorrent is this. This is an oversimplification, but let's say your ISP has a 100 Mbit connection to the backbone, and they plan on selling 1 Mbit connections to customers. This means that they can have 100 people on their network using full bandwidth. Now you may be thinking that this is the number of people they should have on their network then, but you would be wrong, because most people do not use the Internet at full speed 24/7. They will probably sell it out to 3000+ customers. This is (in their minds) good for you, as it keeps your connection cost lower, and good for them, as it keeps their profit margins higher (quite high). Along comes BitTorrent and other P2P software programs. Slowly more and more of their users start using programs at 100% of their connections. Suddenly they need to get a bigger backbone to cover their customer base, lowering their profit margins, because they know damn well they cannot raise their high rates or they will lose customers. So they try and find ways to throttle bandwidth.

- TheZorch, on 10/10/2007, -6/+8
Whether this so-called "fix" works or not (which apparently it doesn't), an ISP who deliberately blocks a free service from working is an ISP that nobody who visits Digg.com should be paying out to. Nothing speaks louder to these "too big for their own good" corporations like lost profits. Just means DSL and up-start cellular ISPs will be getting their business. Considering how inept Comcast's support staff are and how unstable their network has been the past year and a half (myself and several others had unresolved connection problems for several months before we switched to DSL), I'm surprised they still have customers at all.

- guinnessstout, on 10/10/2007, -0/+2
Running tcpdump while using torrents to capture the IP Comcast is sending RSTs from, then adding that IP to my firewall to block all traffic, works fine. I use a PIX 515 for my border firewall and it does the trick well. I guess I could also add an ACL that would block RSTs from any Comcast host; still a little dangerous if you download from a Comcast torrent. Just my two cents.

- redhatcat, on 10/10/2007, -0/+2
"When you DROP RST packets, that means that EVERY TCP connection hangs open until a very very long timeout, turning BitTorrent into a user-initiated DoS attack on your machine."
Legitimate BitTorrent connections are closed with FIN. If RSTs are being used by legitimate clients, the timeouts are not long in my experience.
"you wouldn't need any reference to related/established packets"
Actually, you do. I made a mistake stripping down my config for this post. The trick is to drop RSTs before accepting established connections.

- Vektuz, on 10/10/2007, -0/+2
Zorch: That would be great if people had an option. A lot of Comcast customers have two choices: Comcast or 56k.
The ISPs have a hidden natural monopoly, which they are working very hard to hide.

- antdude, on 10/10/2007, -3/+5
What if you can't get any other broadband services? Dial-up? Move? Satellite?
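Two points in the thread are about rule order rather than about Comcast: qwuinc noticed the posted script had no ESTABLISHED/RELATED rule (which is why benplaut saw a connection that "half worked" and was unbelievably slow), and redhatcat's correction is that the RST drop has to sit before the established-connection accept. The model below is an added example written for this page, not the poster's script or the corrected one: it walks a small first-match chain the way netfilter walks INPUT, using three rule orderings reconstructed from the comments (the chains, the packets and conntrack states are all constructed). It shows the reply traffic that the as-posted order rejects, why swapping the two rules lets the reset through, and that the same DROP rule necessarily also eats a peer's genuine RST, which is the cost thecubic and AMadeUpName describe.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed model of netfilter's first-match evaluation of an INPUT chain.
# The chains below are reconstructed from how commenters describe the posted
# script and the fix; they are not the script itself.


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str              # "tcp", "udp" or "icmp"
    iface: str              # "lo" or "eth0"
    state: str              # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    tcp_flags: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    target: str             # ACCEPT, DROP or REJECT


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, str]:
    """The first matching rule decides, exactly as iptables walks a chain."""
    for rule in chain:
        if rule.match(pkt):
            return rule.target, rule.name
    return policy, "chain policy"


def is_rst(p: Packet) -> bool:
    return p.proto == "tcp" and "RST" in p.tcp_flags


R_LO = Rule("accept lo", lambda p: p.iface == "lo", "ACCEPT")
R_ICMP = Rule("accept icmp", lambda p: p.proto == "icmp", "ACCEPT")
R_DROP_RST = Rule("drop rst", is_rst, "DROP")
R_NEW = Rule("accept new tcp/udp",
             lambda p: p.proto in ("tcp", "udp") and p.state == "NEW", "ACCEPT")
R_EST = Rule("accept established/related",
             lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT")
R_REJECT = Rule("reject rest", lambda p: True, "REJECT")

CHAINS: Dict[str, List[Rule]] = {
    # What qwuinc reads in the posted script: no ESTABLISHED/RELATED rule at all.
    "as posted": [R_LO, R_ICMP, R_DROP_RST, R_NEW, R_REJECT],
    # redhatcat's fix: RSTs are dropped *before* established traffic is accepted.
    "rst before established": [R_LO, R_ICMP, R_DROP_RST, R_EST, R_NEW, R_REJECT],
    # Same rules, wrong order: the established rule matches the RST first.
    "established before rst": [R_LO, R_ICMP, R_EST, R_DROP_RST, R_NEW, R_REJECT],
}

# Constructed inbound traffic on eth0. conntrack classifies an in-window RST for a
# tracked connection as ESTABLISHED, which is exactly why the rule order matters.
SAMPLE_PACKETS = [
    Packet("incoming SYN", "tcp", "eth0", "NEW", frozenset({"SYN"})),
    Packet("peer data reply", "tcp", "eth0", "ESTABLISHED", frozenset({"PSH", "ACK"})),
    Packet("peer FIN", "tcp", "eth0", "ESTABLISHED", frozenset({"FIN", "ACK"})),
    Packet("RST on tracked flow", "tcp", "eth0", "ESTABLISHED", frozenset({"RST"})),
    Packet("ping", "icmp", "eth0", "NEW"),
]


def verdicts(chain_name: str) -> Dict[str, str]:
    """Map each sample packet to the target the named chain gives it."""
    return {p.name: evaluate(CHAINS[chain_name], p)[0] for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name in CHAINS:
        print(name)
        for pkt, target in verdicts(name).items():
            print(f"  {pkt:22} -> {target}")
```

The "as posted" chain rejects every ESTABLISHED packet that is not a reset, so data coming back on connections you opened never arrives; the corrected order accepts it while still dropping the reset; the swapped order accepts the reset because the established rule sees it first. In all three orderings the "RST on tracked flow" packet gets the same verdict whether it was forged or sent by the peer, since the rule has nothing to tell them apart.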
- trunkster, on 10/10/2007, -0/+2
Usenet does not have everything... especially older material, plus you have to pay an extra service fee for a good newsgroup server.

- signal15, on 10/10/2007, -0/+2
It also won't matter if you have a firewall and the firewall sees the RST first. Your BitTorrent client wouldn't have any control over the firewall closing the connection. You could always get around this by just using one of the cheap PPTP VPN services out there.

- lead2thehead, on 10/10/2007, -1/+3
"You will have to run this script every boot, by the way."
Not if you add this line:
iptables-save > /etc/sysconfig/iptables

- MxxCon, on 10/10/2007, -2/+3
Yes it is. Sandvine sends spoofed RST packets both ways.

- unrealmp3, on 01/30/2008, -0/+1
Easy to say when Comcast is the ONLY ISP in the area.

- redhatcat, on 10/10/2007, -0/+1
"There isn't even any reference to related/established packets..."
Oops. Sorry about that. I made this in a rush and I stripped more from my config than I meant to. Thanks for pointing that out. I've fixed it.

- Kooroo, on 10/10/2007, -1/+2
Looks like a suspect solution to me. It relies on being relatively widespread, regardless of either end's ISP, and only functions by futzing with the normal operation of TCP communications. There's potential that you'll fly through file descriptors and run out (bad thing... but kind of inherent in BT anyway) and, in the end, if your ISP can identify you as suspect enough to even determine it needs to send an RST, you're pretty much flubbed, as there are other things they can do.
It seems to me the trick would be for BT clients to establish connections to random DST ports for every peer pair and have those all funnelled into a single port via a local DNAT or REDIRECT in iptables. Add encryption on top and I imagine meaningful deep packet inspection becomes very difficult for the ISP -- defeating the detection vs. defeating the policy.
Just my 2 cents.