Regarding these Posts and similar:
» redhatcat.blogspot.com/2 ··· pfw.html
» redhatcat.blogspot.com/2 ··· les.html
Several have mentioned that it is possible to defeat the injected/forged RST packets by ignoring them at a firewall. I tested that theory earlier (» Re: Comcast is using Sandvine to manage P2P Connections) but the rumor persists. "Redhatcat" claims first-hand knowledge that a forged RST is not sent from the Comcast network.
» digg.com/linux_unix/Linu ··· _Killing
quote:
Comcast does not kill non-Comcast connections. I only know from personal experience.
I believe they choose to not do this to avoid lawsuits from other ISPs, as that behavior could be seen as a DoS attack on their customers/networks. That's not to say what they are doing to their customers now is not a DoS attack, but they are less afraid of lawsuits from individuals than other ISPs most likely.
Unfortunately, he is incorrect.
The following are two Wireshark copies of the same TCP conversation -- one from a Comcast system that is seeding a BitTorrent file, one from a Non-Comcast system that is trying to download it. The connection is torn down by forged RST packets about 30 seconds after it starts:
LOG from 192.168.177.109
Wireshark Display Filter: (ip.addr eq 192.168.177.109 and ip.addr eq no.t-c.omc.ast) and (tcp.port eq 10941 and tcp.port eq 3828) and ((tcp.len > 0 and tcp.len < 256) or tcp.flags.reset == 1)
No. Time Source Destination Protocol Info
2615 270.433545 no.t-c.omc.ast 192.168.177.109 BitTorrent Handshake
2616 270.441617 192.168.177.109 no.t-c.omc.ast BitTorrent Handshake Continuation data
2617 270.821830 no.t-c.omc.ast 192.168.177.109 BitTorrent Continuation data
2619 273.854944 192.168.177.109 no.t-c.omc.ast BitTorrent Continuation data
2621 275.031345 no.t-c.omc.ast 192.168.177.109 BitTorrent Continuation data
2623 275.835629 192.168.177.109 no.t-c.omc.ast BitTorrent Unchoke
2624 276.217062 no.t-c.omc.ast 192.168.177.109 BitTorrent Request, Piece (Idx:0x1,Begin:0xc000,Len:0x4000)
2647 279.154962 no.t-c.omc.ast 192.168.177.109 BitTorrent Not Interested Have, Piece (Idx:0x1)
2648 279.155083 192.168.177.109 no.t-c.omc.ast BitTorrent Choke
2650 280.981972 192.168.177.109 no.t-c.omc.ast BitTorrent Have, Piece (Idx:0x2)
2652 282.025653 no.t-c.omc.ast 192.168.177.109 BitTorrent Interested
2654 282.834452 192.168.177.109 no.t-c.omc.ast BitTorrent Unchoke
2655 283.218291 no.t-c.omc.ast 192.168.177.109 BitTorrent Request, Piece (Idx:0x2,Begin:0x0,Len:0x4000) Request, Piece (Idx:0x2,Begin:0x4000,Len:0x4000)
2658 283.329341 192.168.177.109 no.t-c.omc.ast TCP [TCP segment of a reassembled PDU]
2678 283.919542 192.168.177.109 no.t-c.omc.ast TCP [TCP segment of a reassembled PDU]
2684 284.216967 no.t-c.omc.ast 192.168.177.109 BitTorrent Request, Piece (Idx:0x2,Begin:0x8000,Len:0x4000)
2710 285.284180 no.t-c.omc.ast 192.168.177.109 BitTorrent Request, Piece (Idx:0x2,Begin:0xc000,Len:0x4000)
2742 288.151657 no.t-c.omc.ast 192.168.177.109 BitTorrent Not Interested Have, Piece (Idx:0x2)
2743 288.151817 192.168.177.109 no.t-c.omc.ast BitTorrent Choke
2745 289.983878 192.168.177.109 no.t-c.omc.ast BitTorrent Have, Piece (Idx:0x5)
2747 291.022881 no.t-c.omc.ast 192.168.177.109 BitTorrent Interested
2749 291.842268 192.168.177.109 no.t-c.omc.ast BitTorrent Unchoke
2750 292.232989 no.t-c.omc.ast 192.168.177.109 BitTorrent Request, Piece (Idx:0x5,Begin:0x0,Len:0x4000) Request, Piece (Idx:0x5,Begin:0x4000,Len:0x4000) Request, Piece (Idx:0x5,Begin:0x8000,Len:0x4000)
2782 293.362854 no.t-c.omc.ast 192.168.177.109 BitTorrent Request, Piece (Idx:0x5,Begin:0xc000,Len:0x4000)
2839 297.074532 192.168.177.109 no.t-c.omc.ast TCP [TCP segment of a reassembled PDU]
2843 298.111256 no.t-c.omc.ast 192.168.177.109 BitTorrent Not Interested Have, Piece (Idx:0x5)
2844 298.111379 192.168.177.109 no.t-c.omc.ast BitTorrent Choke
2846 299.882328 192.168.177.109 no.t-c.omc.ast BitTorrent Have, Piece (Idx:0x6)
2848 301.036256 no.t-c.omc.ast 192.168.177.109 BitTorrent Interested
2850 301.949703 192.168.177.109 no.t-c.omc.ast BitTorrent Unchoke Continuation data
2851 302.331317 no.t-c.omc.ast 192.168.177.109 BitTorrent Request, Piece (Idx:0x6,Begin:0x0,Len:0x4000) Request, Piece (Idx:0x6,Begin:0x4000,Len:0x4000) Request, Piece (Idx:0x6,Begin:0x8000,Len:0x4000)
2853 302.332386 192.168.177.109 no.t-c.omc.ast TCP [TCP segment of a reassembled PDU]
2854 302.344482 no.t-c.omc.ast 192.168.177.109 TCP 3828 > 10941 [RST] Seq=406 Len=0
2855 302.344668 no.t-c.omc.ast 192.168.177.109 TCP 3828 > 10941 [RST] Seq=12909 Len=0
2856 302.351237 no.t-c.omc.ast 192.168.177.109 TCP 3828 > 10941 [RST] Seq=406 Len=0
2857 302.351407 no.t-c.omc.ast 192.168.177.109 TCP 3828 > 10941 [RST] Seq=12909 Len=0
Note: Packet 2854 indicates receiving an RST from the Non-Comcast system.
LOG from no.t-c.omc.ast
Wireshark Display Filter: (ip.addr eq 24.20.3X.XXX and ip.addr eq no.t-c.omc.ast) and (tcp.port eq 10941 and tcp.port eq 3828) and ((tcp.len > 0 and tcp.len < 256) or tcp.flags.reset == 1)
No. Time Source Destination Protocol Info
2594 270.413086 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Handshake
2595 270.820312 24.20.3X.XXX no.t-c.omc.ast BitTorrent Handshake Continuation data
2596 270.821289 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Continuation data
2598 274.249023 24.20.3X.XXX no.t-c.omc.ast BitTorrent Continuation data
2600 275.032226 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Continuation data
2602 276.213867 24.20.3X.XXX no.t-c.omc.ast BitTorrent Unchoke
2603 276.213867 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Request, Piece (Idx:0x1,Begin:0xc000,Len:0x4000)
2626 279.146484 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Not Interested Have, Piece (Idx:0x1)
2627 279.541992 24.20.3X.XXX no.t-c.omc.ast BitTorrent Choke
2629 281.361328 24.20.3X.XXX no.t-c.omc.ast BitTorrent Have, Piece (Idx:0x2)
2631 282.023437 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Interested
2633 283.212890 24.20.3X.XXX no.t-c.omc.ast BitTorrent Unchoke
2634 283.212890 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Request, Piece (Idx:0x2,Begin:0x0,Len:0x4000) Request, Piece (Idx:0x2,Begin:0x4000,Len:0x4000)
2638 283.733398 24.20.3X.XXX no.t-c.omc.ast TCP [TCP segment of a reassembled PDU]
2655 284.208007 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Request, Piece (Idx:0x2,Begin:0x8000,Len:0x4000)
2666 284.309570 24.20.3X.XXX no.t-c.omc.ast TCP [TCP segment of a reassembled PDU]
2676 285.265625 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Request, Piece (Idx:0x2,Begin:0xc000,Len:0x4000)
2720 288.116211 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Not Interested Have, Piece (Idx:0x2)
2721 288.539062 24.20.3X.XXX no.t-c.omc.ast BitTorrent Choke
2723 290.380859 24.20.3X.XXX no.t-c.omc.ast BitTorrent Have, Piece (Idx:0x5)
2725 291.022461 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Interested
2727 292.223632 24.20.3X.XXX no.t-c.omc.ast BitTorrent Unchoke
2728 292.227539 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Request, Piece (Idx:0x5,Begin:0x0,Len:0x4000) Request, Piece (Idx:0x5,Begin:0x4000,Len:0x4000) Request, Piece (Idx:0x5,Begin:0x8000,Len:0x4000)
2749 293.343750 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Request, Piece (Idx:0x5,Begin:0xc000,Len:0x4000)
2816 297.459961 24.20.3X.XXX no.t-c.omc.ast TCP [TCP segment of a reassembled PDU]
2820 298.100586 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Not Interested Have, Piece (Idx:0x5)
2821 298.490234 24.20.3X.XXX no.t-c.omc.ast BitTorrent Choke
2823 300.263671 24.20.3X.XXX no.t-c.omc.ast BitTorrent Have, Piece (Idx:0x6)
2825 301.036132 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Interested
2827 302.329101 24.20.3X.XXX no.t-c.omc.ast BitTorrent Unchoke Continuation data
2828 302.329101 no.t-c.omc.ast 24.20.3X.XXX BitTorrent Request, Piece (Idx:0x6,Begin:0x0,Len:0x4000) Request, Piece (Idx:0x6,Begin:0x4000,Len:0x4000) Request, Piece (Idx:0x6,Begin:0x8000,Len:0x4000)
2830 302.717773 24.20.3X.XXX no.t-c.omc.ast TCP 10941 > 3828 [RST] Seq=149186 Len=0
2831 302.717773 24.20.3X.XXX no.t-c.omc.ast TCP 10941 > 3828 [RST] Seq=161689 Len=0
2832 302.722656 24.20.3X.XXX no.t-c.omc.ast TCP [TCP Retransmission] [TCP segment of a reassembled PDU]
2833 302.722656 24.20.3X.XXX no.t-c.omc.ast TCP 10941 > 3828 [RST] Seq=149286 Len=0
2834 302.722656 24.20.3X.XXX no.t-c.omc.ast TCP 10941 > 3828 [RST] Seq=161789 Len=0
Note: Packet 2830 indicates receiving an RST from the Comcast system.
Conclusion: The RST is sent to both the Comcast and Non-Comcast sides of the connection.
If only one side respects the RST flag, the connection will be left in a half-open state. To one side, the TCP connection will appear to be valid and open. To the other, the TCP connection will have been ended. A half-open TCP connection is useless for exchanging data.
Comcast users should not modify their firewalls to drop RST packets as it is not an effective defense against the injected RST packets.
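The two-sided comparison in the post above can be automated. The following is an added example, not part of the original post: it parses Wireshark summary lines excerpted from both logs and reports every RST that one side received but that the claimed sender's own capture never shows leaving. The host labels "comcast" and "remote", the alias map and the function names are assumptions made for the example.

```python
import re

# Excerpts from the two packet lists in the post (Wireshark summary lines).
COMCAST_LOG = """\
2853 302.332386 192.168.177.109 no.t-c.omc.ast TCP [TCP segment of a reassembled PDU]
2854 302.344482 no.t-c.omc.ast 192.168.177.109 TCP 3828 > 10941 [RST] Seq=406 Len=0
2855 302.344668 no.t-c.omc.ast 192.168.177.109 TCP 3828 > 10941 [RST] Seq=12909 Len=0
"""
REMOTE_LOG = """\
2827 302.329101 24.20.3X.XXX no.t-c.omc.ast BitTorrent Unchoke Continuation data
2830 302.717773 24.20.3X.XXX no.t-c.omc.ast TCP 10941 > 3828 [RST] Seq=149186 Len=0
2831 302.717773 24.20.3X.XXX no.t-c.omc.ast TCP 10941 > 3828 [RST] Seq=161689 Len=0
"""

# Assumption: 192.168.177.109 (LAN side) and 24.20.3X.XXX (public side) are the
# same Comcast host seen from either end of a NAT. Labels are hypothetical.
ALIASES = {"192.168.177.109": "comcast", "24.20.3X.XXX": "comcast",
           "no.t-c.omc.ast": "remote"}

# frame number, time, source, destination, protocol, info
ROW = re.compile(r"^(\d+)\s+[\d.]+\s+(\S+)\s+\S+\s+\S+\s+(.*)$")
RST = re.compile(r"(\d+) > (\d+) \[RST[^\]]*\] Seq=(\d+)")


def rsts(log):
    """Return (frame_no, src_host, src_port, seq) for every RST in a log."""
    found = []
    for line in log.splitlines():
        row = ROW.match(line.strip())
        flags = RST.search(row.group(3)) if row else None
        if flags:
            src = ALIASES.get(row.group(2), row.group(2))
            found.append((int(row.group(1)), src,
                          int(flags.group(1)), int(flags.group(3))))
    return found


def injected_rsts(receiver_log, receiver, sender_log):
    """RSTs the receiver saw arriving that the claimed sender never emitted.

    A genuine RST shows up in both captures with the same source; one seen
    only at the receiver was inserted on the path. Sequence numbers are
    Wireshark's relative values, so both captures must include the handshake.
    """
    emitted = {(src, port, seq) for _, src, port, seq in rsts(sender_log)
               if src != receiver}
    return [r for r in rsts(receiver_log)
            if r[1] != receiver and (r[1], r[2], r[3]) not in emitted]
```

Run against the excerpts, both directions come back non-empty: each host received RSTs carrying the other's address, and neither capture shows its own host sending one.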