

espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2

1 edit
reply to kcblack

Re: Comcast is using Sandvine to manage P2P Connections

said by kcblack:

There's a big difference between spoofing packets to facilitate communication and spoofing packets to hinder communication which is the gist of the ECPA violation in my opinion...
Spoofing is either fraud or it's not, you can't have it both ways. "Spoofing is fraud, except when I benefit from it" is not a valid legal argument.

said by kcblack:

again, if they were not making any profit and the business was being run into the ground by their network being saturated with P2P traffic then I'd be on their side... in fact most of their models are based on you not using your share of the node and when you do by watching videos or downloading linux distros or watching joost or any other legitimate use of the bandwidth you pay for, you are now the bad guy. There are things that they can do to mitigate the load by storing popular content within their network to cut down on traffic going outside their network...
I honestly think if you were limited to bandwidth you could consume while your butt was planted in a chair in front of the computer the scales would be a lot more even. It's not a matter of fair use, it's a problem of people using 1000+% more than what the average consumer does. That they have to keep churning out DMCA notices probably isn't helping things. It doesn't take long before someone at the top takes notice and starts asking why they even allow that traffic to begin with.

Bringing content into the network is a great idea; too bad that concept doesn't work with P2P or in particular the content being fetched. I'm sure people would love it if Comcast would host Telesync screeners, DVDs, and warez though.

said by kcblack:

I imagine that there will be legal action and class action law suits. I hope the customers win and comcast has to provide the service that they advertise. They are doing it to make MORE profit by not having to invest in the infrastructure to support what they sell.
The consumer never wins in class action law suits. The company loses, the consumer gets meager compensation (I didn't even claim my $0.55 from the Micron lawsuit), and the lawyers make a killing. Assuming the impossible happens and a class action lawsuit is won, Comcast still has the problem of oversubscription and will be forced to cut service or raise prices, punishing the entire customer base for the actions of a few.

-Eric
Edit: just fixing a spelling error I saw


espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2
reply to ztmike

said by ztmike:

"There's only a few possible actions to take in dealing with the growing burden of P2P traffic:

1) Reduce access speeds
2) Publish and enforce low usage caps
3) Raise prices to grow the network / reduce oversubscription
4) Deploy mitigation techniques to control "problem" traffic, leaving 95% of your consumer base completely unaffected."

And Comcast does every single one of those, besides publish the cap rate.
I just updated my Comcast review from 2004 and went back to look at the bills. I'm paying the same price now as I did in 2003/2004, I went from 4/384 to 8/768, and I get powerboost where I regularly see 20+mbit on downloads. If you factor in inflation that means you are really paying less while provisioned bandwidth went up.

I agree reality doesn't help you make your argument though.

-Eric


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to kcblack

said by kcblack:

It's sort of like an all you can eat food place. You either are or you aren't. If you advertise as all you can eat, then you have to make sure you live up to that advertising and provide the service you promise without all the asterisks and fine print.
You can cite case law that no asterisks and fine print are allowed?
I imagine that there will be legal action and class action law suits. I hope the customers win and comcast has to provide the service that they advertise.
Or maybe they will advertise the service that they provide?
They are doing it to make MORE profit by not having to invest in the infrastructure to support what they sell.
They are selling a fast connection to the Internet. They are not selling "all you can download" Internet. They aren't even advertising it, that I can tell.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


ztmike
Mark for moderation
Premium
join:2001-08-02
Michigan City, IN
reply to espaeth

Ok..well look at the price of the Blast tier, then come back to me.


rody_44
Premium
join:2004-02-20
Quakertown, PA
reply to funchords

I just wanted to chime in and say good job Comcast. I don't want P2P users slowing my connection.



jig

join:2001-01-05
Hacienda Heights, CA

but if you don't use p2p, then all you need is dialup, right?

(oh, forgot, windows updates)



hobgoblin
Sortof Agoblin
Premium
join:2001-11-25
Orchard Park, NY
kudos:11

said by jig:

but if you don't use p2p, then all you need is dialup, right?

(oh, forgot, windows updates)
Fortunately the world does NOT revolve around p2p. There are many uses for a high speed connection that do not revolve around downloading and uploading other people's work.

Hob
--
"A foolish consistency is the hobgoblin of little minds."
- Ralph Waldo Emerson


funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6
reply to espaeth

said by espaeth:

Perhaps, but not more than the premise of the argument. Inserting reset packets to restrict "abusive" traffic is no less dishonest than a NAT gateway performing packet manipulation to create the appearance of an entire network originating from a single IP.
No, no, no. These are two different things, entirely.

NAT is described by nearly a dozen RFCs. Changing a private IP address to a Public IP is THE ACCEPTED STANDARD by which private and public internet traffic meet. Network Address Translation and Application Layer Gateways/Relays are described in major RFCs such as RFC 1918 and 1631.

In hundreds of messages on this subject, I've seen less than 5 that think a man-in-the-middle attack using forged/injected RST flag is the appropriate way for a carrier to behave. In other words, it is NOT STANDARD and NOT ACCEPTED.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report.


Roundboy
Premium
join:2000-10-04
Drexel Hill, PA

I came from RCN, and while they had attempts at stopping bittorrent traffic, they took a much more balanced approach..

While you were downloading, you had 100% of your upload speed available..

If you were not pulling down anything on bittorrent ports, your upload was throttled to a percentage of your total upload FOR BITTORRENT only. I forget the number, let's just say 50%

You took longer to meet ratios, but it freed bandwidth. Much better solution than forging packets.



espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2
reply to funchords

said by funchords:

No, no, no. These are two different things, entirely.
I wasn't trying to equate them in a technical sense. Most people didn't care about NAT until they figured out they could skirt the "one computer" policy that was previously common with broadband providers. Cable customers played with packet manipulation (albeit a very different form) to their advantage before, now the cable companies are leveraging stupid TCP tricks to serve their agenda.

said by funchords:

In hundreds of messages on this subject, I've seen less than 5 that think a man-in-the-middle attack using forged/injected RST flag is the appropriate way for a carrier to behave. In other words, it is NOT STANDARD and NOT ACCEPTED.
It's adhering to RFC 793, which set out the definition of TCP in 1981; you see a RST, you have to shut down the connection.

I would agree that it's not the way for a carrier to behave, but I suspect when it comes to Comcast that's where you and I will disagree. Comcast is a residential broadband provider and not a full fledged carrier; the governance of operations is completely different. They're packaging a connection that isn't what you would get from a true carrier; it's a private network that has upstream Internet carrier connectivity. The oversubscription is higher, the ToS/AUP isn't as flexible, but in return you also pay significantly less than you would for a real carrier circuit.

Reset injection is not something all that flashy and new; our 8E6 content filters have been doing this for a couple of years now. The key benefits from a network infrastructure standpoint are huge: fewer devices in-path and simpler firewall rules. While I agree that filtering is a cleaner solution, it's not always the most practical to implement. With the 8E6 filters I can have a simple Checkpoint firewall cluster sitting behind an Internet router with a very simple, easy-to-manage ruleset. Not having to worry about the complexity of a full content filtering ruleset makes life much easier for ongoing firewall management, not to mention the 8E6 can have its signatures updated throughout the day without incurring some of the nasty issues that can result during firewall rule updates. For client traffic filtering I just set up a span session from the Internet router to the 8E6 and it watches for URLs and sends resets on inappropriate content fetches. It stops the connection and I don't have to have another point of failure in my connection path.

Since we're back to talking technical details -- what do you propose for a better solution? Most of the filtering that Comcast does today happens at the cable modem, so the port 137-139 blocks, and the port 25 block if they put it in place happens well before things get upstream. With the dynamic ports used by BitTorrent clearly that isn't a solution.

Even throttling is tricky in that you'd need to identify the traffic so it can be queued appropriately. That means that some device in path would need to be able to recognize P2P traffic and mark the packets appropriately so that the packets could be filtered into the correct throttled queue. That means they can try to make this happen on their existing routing platforms, if that's even possible, or they can introduce another box in-line to do the classification and inject another point of failure into the system. Even if they do this they'd have to deal with a significantly more complex queue structure than they have now.

I think if there were easy answers to this problem we wouldn't be 20+ pages into this thread.

-Eric


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

1 edit

said by espaeth:

Even throttling is tricky in that you'd need to identify the traffic so it can be queued appropriately. That means that some device in path would need to be able to recognize P2P traffic and mark the packets appropriately so that the packets could be filtered into the correct throttled queue.
This is specifically one of the things Sandvine does -- deep packet inspection. The issue described here happens no matter what source or destination TCP port # is used (on either end).

It looks as if Sandvine is analysing established TCP sessions, looking for specific signature bytes (you touched base on this, re: your 8E6). I'm also under the impression that they look for signature bytes in the response packet. Upon matches in both cases (since the inspector is now aware of the TCP state on both ends), it injects RSTs in both directions (to the peer/client and the seed/server). That's been confirmed by funchords.

So, based on the methodology they're using for packet analysis, I would say that throttling/rate-limiting would be quite possible. But instead they opted for man-in-the-middle packet injection, which of course, really pisses me off.

Edit: Clarification on port #s


espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2

1 recommendation

said by koitsu:

So, based on the methodology they're using for packet analysis, I would say that throttling/rate-limiting would be quite possible. But instead they opted for man-in-the-middle packet injection, which of course, really pisses me off.
Sure it's possible, but only if the Sandvine box is directly in-line of the conversation path so that it can touch/mark the packets. By doing the reset injection the Sandvine box doesn't have to physically reside in the middle of the communication path, it just needs a span session directed to it so it can see copies of what traffic is flowing through the router and it can issue the resets completely out of band. If the Sandvine box kacks it won't take out the network, only P2P throttling will be broken.

-Eric


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

That's very true, and something I didn't consider. You're quite right -- rate-limiting would require the Sandvine unit to be sitting in the middle of the network path.



koma3504
Advocate
Premium
join:2004-06-22
North Richland Hills, TX

1 edit
reply to funchords

Hmm, glad I ran across this thread; it goes right along with what I have noticed and posted over here.

»netmeeting



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to jig

said by jig:

but if you don't use p2p, then all you need is dialup, right?
High Speed Internet is useful for a number of activities other than P2P. I was using HSI for two, or three years before I found BitTorrent fansub anime downloads; and I was a latecomer to the HSI party.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3
reply to funchords

Interesting, I am not on Comcast, but I believe I just inadvertently found evidence of this Sandvine behavior. I was debugging my firewall rules and I saw this packet get dropped:

44. 715536 rule 11/0(match): block in on em0: 69.252.A.B.36881 > 71.162.C.D.6900: R 1765380375:1765380375(0) win 0

This is during an active torrent download, and I've verified with sockstat that I have an established connection with this host. Note the R there. My firewall dropped this packet, I guess somehow pf knows this RST packet was not part of the existing established connection. I'm a bit rusty on TCP/IP, but doesn't the RST packet need to honor the existing TCP sequence numbers? If not, it appears as though Sandvine is just sending an RST without a valid TCP sequence number. So smart firewalls should ignore these. If more people ran firewalls that were "smart", it would minimize the effect on you Comcast folks I think.
--
"The Dude abides."


dfxmatt

join:2007-08-21
Evanston, IL
reply to hobgoblin

there are also legitimate uses to P2P
At colleges, for example, people share things with each other; this can be scientific data or legitimate classwork that is shared via torrent. Are you going to make the "some torrents can be used badly, therefore all torrents are bad" argument?

The world does revolve around P2P in one form or another. Bittorrent, limewire, kazaa, bearshare, these are just false excuses to label the network bad. What about the artists that wish to distribute free music over said networks? Should they be equally burdened with the "torrents can be used badly, all torrents are bad" argument as well?


dfxmatt

join:2007-08-21
Evanston, IL

1 edit
reply to Roundboy

re: RCN 50% upload

This I would actually find wholly acceptable; in fact I'd actually appreciate it (it would save me from having to do QoS/bandwidth limiting myself).



espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2

2 edits
reply to pflog

Double post.



espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2

Nevermind. Misread and responded incorrectly.



Roundboy
Premium
join:2000-10-04
Drexel Hill, PA
reply to dfxmatt

it worked out pretty well for me... it didn't take long to seed a good ratio at all...


dfxmatt

join:2007-08-21
Evanston, IL

Yes, but were they Comcast members?

How many were dropped about 15 secs after connection?



funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6
reply to espaeth

said by espaeth:

Reset injection is not something all that flashy and new; our 8E6 content filters have been doing this for a couple years now.
Then you're a bad player, stop doing that! -- There are solutions. Read this informative RFC:

RFC 3360: Inappropriate TCP Resets Considered Harmful

RST abuse is relatively new. The author of that RFC was talking about this:

said by »list.nfr.com/pipermail/firewall-···672.html :
Of 24,000 or so web servers that we tested as part of the TBIT project, only 300 or so were behind firewalls that send TCP resets in this case, so clearly most of the world seems to be maintaining reasonably adequate security without sending TCP Resets in this case.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report.


funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6
reply to espaeth

said by espaeth:

Since we're back to talking technical details -- what do you propose for a better solution?
Well, let's get one thing perfectly straight: the RST forgery/injection is wrong and must be stopped -- even if there is no other solution to replace it.

But there are solutions:

- Be public about the problem, and enlist the customers' assistance in solving it. "This is a shared service and heavy uploading by one or two customers impacts the entire neighborhood." That's not hard to say -- Wireless ISPs and Satellite ISPs make this fact very clear to their customers. The reason they're not being public about the problem is because they have to compete with DSL and FIOS, which balances a lot more bandwidth across a much larger field of customers. As a result, DSL/FIOS can tolerate a larger percentage of heavy uploaders before their other customers begin to be affected.

- Those that do not cooperatively manage their usage can be put in a penalty box, like the port 25 issue is handled on Comcast. If the account is uploading at a sustained rate over 60%-80% of his tier for two hours, then limit the account to an upload of 128 kbps and send an e-mail to the account holder. The account holder gets a Computer-Based Training lesson about "fair use" of a "shared connection," clicks a link, and he is restored to full service by noon the next day.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report.
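The penalty-box scheme in the post above, written out as a small state machine. This is an added example, not Comcast's, Sandvine's or funchords' code, and the knobs are assumptions: 70% of the tier's upload rate as the trigger (the post gives 60%-80%), two hours sustained, a 128 kbps penalty rate, and restoration at noon on the day after the account holder acknowledges the notice. The 8/768 tier and the sample timeline are constructed.

```python
"""Sliding-window 'penalty box' for sustained upload, modelled on the scheme
proposed in the thread.  Added example; not anyone's real implementation.
Assumed knobs: 70% of tier (thread says 60%-80%), two hours sustained,
128 kbps penalty, full service restored at noon the day after the holder
acknowledges the notice."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple


def noon_next_day(now: datetime) -> datetime:
    return datetime.combine(now.date() + timedelta(days=1), time(12, 0))


@dataclass
class Policy:
    tier_up_kbps: int
    threshold: float = 0.70                 # fraction of tier upload rate
    sustain: timedelta = timedelta(hours=2)
    penalty_kbps: int = 128


@dataclass
class Account:
    policy: Policy
    over_since: Optional[datetime] = None   # start of the current over-threshold run
    limited: bool = False
    restore_at: Optional[datetime] = None   # set once the holder acknowledges
    notices: List[Tuple[datetime, str]] = field(default_factory=list)

    def upload_limit_kbps(self) -> int:
        return self.policy.penalty_kbps if self.limited else self.policy.tier_up_kbps

    def acknowledge(self, now: datetime) -> None:
        """Holder finished the 'shared connection' lesson and clicked the link."""
        if self.limited and self.restore_at is None:
            self.restore_at = noon_next_day(now)

    def observe(self, now: datetime, upload_kbps: float) -> str:
        """Feed one usage sample (e.g. a 30-minute average) and apply the policy.
        Returns the account state afterwards: normal, over or limited."""
        if self.limited:
            if self.restore_at is not None and now >= self.restore_at:
                self.limited, self.restore_at = False, None   # back to full service
            else:
                return "limited"
        if upload_kbps > self.policy.threshold * self.policy.tier_up_kbps:
            if self.over_since is None:
                self.over_since = now
            elif now - self.over_since >= self.policy.sustain:
                self.limited = True
                self.over_since = None
                self.notices.append((now, f"upload limited to {self.policy.penalty_kbps} kbps"))
                return "limited"
            return "over"
        self.over_since = None               # a dip below the threshold resets the clock
        return "normal"


def simulate() -> List[Tuple[str, int]]:
    """Constructed scenario: an 8/768 tier uploading at 700 kbps, sampled every
    30 minutes from 8 pm; the holder acknowledges at 10:30 pm.  Returns
    (state, current upload limit) after each sample."""
    acct = Account(Policy(tier_up_kbps=768))
    t0 = datetime(2007, 10, 20, 20, 0)
    out = []
    for m in range(0, 121, 30):
        out.append((acct.observe(t0 + timedelta(minutes=m), 700), acct.upload_limit_kbps()))
    acct.acknowledge(t0 + timedelta(minutes=150))
    out.append((acct.observe(t0 + timedelta(minutes=180), 700), acct.upload_limit_kbps()))
    out.append((acct.observe(noon_next_day(t0), 100), acct.upload_limit_kbps()))
    return out
```

The run crosses the two-hour mark on the fifth sample, stays boxed overnight after the acknowledgement, and is restored at noon; a single sample under the threshold restarts the clock, which is what keeps a bursty but well-behaved account out of the box.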


hobgoblin
Sortof Agoblin
Premium
join:2001-11-25
Orchard Park, NY
kudos:11

"Those that do not cooperatively manage their usage can be put in a penalty box, like the port 25 issue is handled on Comcast. If the account is uploading at a sustained rate over 60%-80% of his tier for two hours, then limit the account to an upload of 128 kbps and send an e-mail to account holder. The account holder gets a Computer-Based Training lesson about about "fair use" of a "shared connection," clicks a link, and he is restored to full service by noon the next day."

Then we can have a 20 page thread about that eh?
Hob
--
"A foolish consistency is the hobgoblin of little minds."
- Ralph Waldo Emerson



funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6
reply to pflog

said by pflog:

44. 715536 rule 11/0(match): block in on em0: 69.252.A.B.36881 > 71.162.C.D.6900: R 1765380375:1765380375(0) win 0

This is during an active torrent download, and I've verified with sockstat that I have an established connection with this host. Note the R there. My firewall dropped this packet, I guess somehow pf knows this RST packet was not part of the existing established connection. I'm a bit rusty on TCP/IP, but doesn't the RST packet need to honor the existing TCP sequence numbers? If not, it appears as though Sandvine is just sending an RST without a valid TCP sequence number.
Sandvine determines and then forges in the correct sequence number, so that wasn't Sandvine. Stateful firewalls often generate a lot of unnecessary RST responses to the closing of a previous connection. (They RST the last FIN,ACK of a 3-way handshake, for example.) We would have to see more about that packet in the context of a conversation before we could say for sure why it happened.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report.


funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6

1 edit
reply to hobgoblin

said by hobgoblin:

Then we can have a 20 page thread about that eh?
Yeah, exactly! This one, probably: »Comcast Bandwidth Abuse/Limits - Discuss here only


pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3
reply to funchords

Understood, but in watching the traffic for a good half hour on a busy torrent, that was the only RST packet I saw destined for the port I was running rtorrent on. Could just be coincidence, but that it was a Comcast IP made me think of this thread.
--
"The Dude abides."



funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6

said by pflog:

Understood, but in watching the traffic for a good half hour on a busy torrent, that was the only RST packet I saw destined for the port I was running rtorrent on. Could just be coincidence, but that it was a Comcast IP made me think of this thread.
With apologies, I have to retract. It could be Sandvine. I almost always get 2 RST packets from Sandvine -- one that has the right sequence number (which does tear down the connection), followed by one that has a sequence number that is completely strange.

If your firewall does track sequence numbers, it would have passed the first one through and rejected the second one.

My apologies -- it's definitely possible that was a Sandvine RST.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report.
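The sequence-number check that pflog's pf rule and funchords' two-RST observation both turn on, as an added example (not code from the thread, from pf or from Sandvine): given the receive-side state a stateful filter keeps for one connection, classify each RST in a pf log line as in-window (the stack must honour it, per the RFC 793 rule espaeth cited) or out-of-window (droppable). The log-line format follows the pf/tcpdump line quoted above; the addresses, sequence numbers, window and connection state are constructed.

```python
"""In-window check for incoming TCP RST segments, as a stateful firewall
such as pf applies it.  Added example: not code from the thread, pf or
Sandvine.  Log-line format follows the pf/tcpdump line quoted in the
thread; addresses, sequence numbers and state below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# pf log line as printed by tcpdump on the pflog interface.  The thread's line
# had a space inside the timestamp ("44. 715536"); tolerated as a paste artifact.
PF_LINE = re.compile(
    r"^(?P<ts>\d+\. ?\d+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
FourTuple = Tuple[str, int, str, int]


@dataclass
class Conn:
    """Receive-side state kept for one established connection: the peer, the
    local socket, the next sequence number expected from the peer (RCV.NXT)
    and the receive window (RCV.WND), in RFC 793 terms."""
    peer: str
    peer_port: int
    local: str
    local_port: int
    rcv_nxt: int
    rcv_wnd: int

    def key(self) -> FourTuple:
        return (self.peer, self.peer_port, self.local, self.local_port)


def parse_pf_line(line: str) -> Optional[dict]:
    """Parse one pf log line into a dict (numeric fields as ints); None if the
    line is not in the expected format."""
    m = PF_LINE.match(line.strip())
    if m is None:
        return None
    seg = m.groupdict()
    for k in ("rule", "sport", "dport", "seq", "seq_end", "len", "win"):
        seg[k] = int(seg[k])
    seg["ack"] = int(seg["ack"]) if seg["ack"] is not None else None
    return seg


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment such as a bare RST:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32 so a window
    straddling the wraparound still compares correctly.  With a zero window
    only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd


def classify_rst(line: str, table: Dict[FourTuple, Conn]) -> str:
    """Verdict a stateful filter would reach for the inbound segment in `line`:
    unparsed / not-rst / no-state / rst-in-window / rst-out-of-window.  An
    in-window RST (genuine, or forged with the right number) tears the
    connection down; an out-of-window one can be dropped without effect."""
    seg = parse_pf_line(line)
    if seg is None:
        return "unparsed"
    if "R" not in seg["flags"]:
        return "not-rst"
    # inbound line: src is the remote peer, dst is the local socket
    conn = table.get((seg["src"], seg["sport"], seg["dst"], seg["dport"]))
    if conn is None:
        return "no-state"
    if seq_in_window(seg["seq"], conn.rcv_nxt, conn.rcv_wnd):
        return "rst-in-window"
    return "rst-out-of-window"


# Constructed sample: one tracked connection to a client listening on 6900 and
# four pf log lines.  The state is a snapshot; it is not advanced by the data.
TRACKED = Conn("192.0.2.10", 36881, "198.51.100.7", 6900,
               rcv_nxt=1765380000, rcv_wnd=65535)
STATE_TABLE: Dict[FourTuple, Conn] = {TRACKED.key(): TRACKED}
SAMPLE_LINES = [
    # ordinary data segment on the tracked connection
    "44.715100 rule 11/0(match): pass in on em0: 192.0.2.10.36881 > "
    "198.51.100.7.6900: P 1765380000:1765380100(100) ack 8822 win 5840",
    # RST whose sequence number is exactly RCV.NXT: the stack must accept it
    "44.715536 rule 11/0(match): pass in on em0: 192.0.2.10.36881 > "
    "198.51.100.7.6900: R 1765380000:1765380000(0) win 0",
    # a second RST with a sequence number far outside the window: droppable
    "44.715601 rule 11/0(match): block in on em0: 192.0.2.10.36881 > "
    "198.51.100.7.6900: R 3000000000:3000000000(0) win 0",
    # RST for a four-tuple the filter holds no state for
    "44.716002 rule 11/0(match): block in on em0: 192.0.2.10.36881 > "
    "198.51.100.7.6901: R 1765380000:1765380000(0) win 0",
]


def classify_all(lines: List[str] = SAMPLE_LINES,
                 table: Dict[FourTuple, Conn] = STATE_TABLE) -> List[str]:
    return [classify_rst(ln, table) for ln in lines]
```

Run `classify_all()` over the constructed lines and the second RST is the one a sequence-tracking filter drops while the first passes, which is exactly the pattern of "one correct, one strange" described in the post above; a logged block of an out-of-window RST on a port with live state is therefore worth a closer look, but on its own it does not tell you which one of the pair was injected.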


pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

No worries, you could be absolutely right; it certainly could have been a coincidence. Just thought it funny... happened to see the R, and thought "hmm, I wonder..." and sure enough it was a GA Comcast address.
--
"The Dude abides."