Sandvine and Comcast and p2p

Discussion in 'Tomato Firmware' started by ng12345, Dec 3, 2007.

  1. ng12345

    ng12345 LI Guru Member

    I am surprised this has not found its way to these forums yet -- but I am wondering if this is the correct implementation of the workaround that has been floating around the web for some while.

    I added the following script to my firewall script:
    iptables -A INPUT -p tcp --dport 12789 --tcp-flags RST RST -j DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    I know the second source has some other code to specifically accept new packets on the bittorrent port -- but I don't think the tomato firmware uses an all deny firewall ...
  2. szfong

    szfong Network Guru Member

    This "workaround" actually won't work well. Both sides must do it and even that it is not advised. Use forced encryption. Also Comcast can simply limit your bandwidth entirely if they flag you. They've received a bit of bad press and these rst injection seems to have slowed somewhat. If it's private all around, try a vpn tunneling. You can have it on the router for convenience or on a computer for speed.
  3. Maggard

    Maggard LI Guru Member

    Just ‘cause Concast breaks the ‘net doesn’t make doing so right, legitimate, or even useful.

    The fact is Comcast is responding to a real problem they have, albeit one of their own making, both technical and marketing. That they can’t/won’t/don’t understand the need to come clean on their network limitations and network management strategies speaks to their ethics, their business practices, and specifically how they regard their customers.

    However, responding in kind is equally obnoxious, and in this case breaks far more things than it fixes. Indeed violating TCP/IP standards in the way you’re advocating makes your activities actively abusive and harms others sharing the medium.

    For some insight into Comcast’s motivation George Ou at ZDNet had an excellent column. For how to respond, don’t settle for petty equally-disruptive technical hacks. Instead hit ‘em where it hurts: Their license to operate in your community.

    Comcast had to negotiate its service contract to operate in your community. This comes up for renegotiation every few years. Throw some sand into the wheels Comcast so carefully greases and file a complaint with whatever agency is responsible for their oversight. Make Comcast answer for their actions by publicly acknowledging them and then attempting to justify such.

    In short, shine the light on Comcast and make them squirm in public.

    Comcast's strategy is one of carefully scripted denials, so take that away from them. Go into a boring meeting with the evidence of Comcast’s perfidy and demand justification, point out that this amounts to not actually providing standards-compliant TCP/IP service.

    Yes, this requires more of you than inane hacks on routers (ones that will likely, and justifiably, simply get you booted from Comcast’s network.) Instead it means going out into the real world, interacting with your local government, then at some date in the future actually showing up and holding Comcast accountable. It’s not quite the quick faux-subversive rush of imagining you’ve somehow beaten ‘the man’ by typing in a few lines of code, but on the other hand it actually does something substantive.
  4. rcordorica

    rcordorica Network Guru Member

    I've considered using that script too, and while it should work, you have to consider that you will also be dropping legitimate RST packets, and thus all your connections will stay open until their timeout occurs. You should be able to lower the timeout however in the Conntrack settings.
  5. ng12345

    ng12345 LI Guru Member

    I enjoyed reading this -- it was motivating. Unfortunately, as a student in a place for only a year I have neither the will nor the incentive to publicly protest against Comcast -- maybe once I have ties to the community that would be more appealing. But then again, I don't really prioritize nor place a lot of value on my connection for p2p purposes -- if i can make it faster "yay" -- if not "big whoop." While this is exactly playing into Comcast's hands -- there is no added utility from me putting effort into protesting against Comcast for something so trivial (to me).

    As long as they can get me to the internet at what I deem is a reasonable speed and a reasonable price, I am satisfied.

    But in doing more research and reading your post, I understand your point about the code, and it no longer exists on my router. I did not see any gains from using it anyway.
  6. plugh

    plugh Network Guru Member

    I am not an iptables guru, but I believe those lines are incorrect in that you want to be focused on the FORWARD rules, not the INPUT rules, for your router. (if you were doing this on your host, then INPUT rules would be applicable).

    You probably already have a forwarding rule in place for your torrent port; locate it in your tables and 'I'nsert one before it to drop the resets. For example,

    iptables -I FORWARD 7 -p tcp --dport 43333 --tcp-flags RST RST -j DROP

    where '7' is the position you are inserting your rule, and '43333' is your bittorrent port.

    Of course THIS IS ONLY HALF THE BATTLE, in *TWO* respects.

    1) This only addresses INCOMING connections; if your client makes an outgoing connection to a peer then your 'bittorrent port' won't be the one listed in the rule (however some clients DO allow you to ALSO specify the ports used for OUTgoing connections, so you could add rules for those ports as well).

    2) Both sides of the connection need to implement this (just like both sides need to implement encryption) for it to be useful. Some people state this fact as a reason not to implement this hack, but like encryption, its usefulness will be determined by the breadth of adoption.

    Please note I am not advocating this hack, just pointing out some technical issues...
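    Before adding rules that drop every RST on a port (which, as rcordorica notes, also discards legitimate resets), it is worth checking from a capture whether forged resets are actually arriving at all; ng12345 saw no gain, which suggests they were not. The script below is an added example, not code from this thread or from Tomato: it applies a TTL-consistency heuristic (an assumption of this example, not something the posts above mention) to constructed capture records in a simplified format of the form `<ts> <src> > <dst> flags=<F> ttl=<N>`. A reset injected by a middlebox between the two peers travels a different number of hops than the real peer's packets, so its IP TTL normally disagrees with the TTL that sender used on the rest of the flow.

```python
"""Flag TCP RST segments whose IP TTL disagrees with the TTL the same sender
used earlier in the same flow.  Heuristic only: a TTL mismatch is a signal
worth investigating, not proof of injection.  All sample data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float
    src: str      # "ip:port" of the sender
    dst: str      # "ip:port" of the receiver
    flags: str    # TCP flags, e.g. "S", "SA", "PA", "R"
    ttl: int      # IP TTL as seen at the capture point


def parse_line(line: str) -> Segment:
    """Parse one record of the constructed format:
    '<ts> <src> > <dst> flags=<F> ttl=<N>'  (hypothetical format, not tcpdump)."""
    ts, src, arrow, dst, flags, ttl = line.split()
    if arrow != ">" or not flags.startswith("flags=") or not ttl.startswith("ttl="):
        raise ValueError(f"bad record: {line!r}")
    return Segment(float(ts), src, dst, flags[len("flags="):], int(ttl[len("ttl="):]))


def suspicious_resets(lines):
    """Return a list of (ts, src, dst, observed_ttl, expected_ttl) for RST
    segments whose TTL differs from the first non-RST TTL seen in that
    direction of the flow.  RSTs on flows with no baseline are ignored."""
    baseline = {}   # (src, dst) -> TTL of the first non-RST packet in that direction
    flagged = []
    for seg in map(parse_line, lines):
        key = (seg.src, seg.dst)
        if "R" in seg.flags:
            expected = baseline.get(key)
            if expected is not None and seg.ttl != expected:
                flagged.append((seg.ts, seg.src, seg.dst, seg.ttl, expected))
        else:
            baseline.setdefault(key, seg.ttl)
    return flagged


# Constructed sample: the capture is taken on the local host 10.0.0.5, whose
# own packets leave with TTL 64; the remote peer's packets arrive with TTL 52.
SAMPLE = [
    "1.000 198.51.100.7:51000 > 10.0.0.5:43333 flags=S ttl=52",
    "1.010 10.0.0.5:43333 > 198.51.100.7:51000 flags=SA ttl=64",
    "1.020 198.51.100.7:51000 > 10.0.0.5:43333 flags=A ttl=52",
    "1.500 198.51.100.7:51000 > 10.0.0.5:43333 flags=PA ttl=52",
    # Reset claiming to come from the peer but carrying a different TTL:
    "1.510 198.51.100.7:51000 > 10.0.0.5:43333 flags=R ttl=60",
    # Genuine reset sent by the local host on another flow (TTL matches):
    "2.000 10.0.0.5:43333 > 203.0.113.9:6881 flags=SA ttl=64",
    "2.100 10.0.0.5:43333 > 203.0.113.9:6881 flags=R ttl=64",
]

if __name__ == "__main__":
    for ts, src, dst, seen, expected in suspicious_resets(SAMPLE):
        print(f"{ts:.3f} RST {src} -> {dst}: ttl={seen}, flow baseline ttl={expected}")
```

    Only the reset with TTL 60 is reported; the local host's own reset, whose TTL matches its baseline, is not. On a real capture the records would be produced from tcpdump or Wireshark output, and a peer behind a path whose hop count changes mid-connection can also trip the heuristic, so treat a hit as a prompt to look at the packet rather than as a verdict.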