 afx114
join:2005-01-18 San Diego, CA
moderated: February 26th, @02:19AM
| Cox dropping (not blocking) P2P traffic
After much research it has become clear that Cox is selectively monitoring and dropping certain P2P (Gnutella) traffic. I am in the San Diego area, so I do not know if this applies elsewhere.
Some details:
1) Cox is NOT blocking P2P traffic. The proper term is DROPPING P2P traffic.
2) This may be Gnutella specific. Soulseek and BitTorrent both still work fine. I am not sure about other file sharing networks.
2) Cox is selectively targeting UPLOADS only. All other aspects of Gnutella network activity (host connections, downloads) work fine.
3) On uploads, connections are reset right after the HTTP 401 Authorization is given by the uploader. Here's a little graph (client on left, server on right):
CLIENT ==> sends out search
                         returns matches <== SERVER
CLIENT ==> sends HTTP GET request
                     sends HTTP 401 Auth <== SERVER
!!!! CONNECTION MAGICALLY RESET !!!
Sample conversation:
Upload to X.X.X.X:6346 ("BearShare Lite 4.5.0.63")
Processing request
--REQUEST--
GET /uri-res/N2R?urn:sha1:123412341234123412341234 HTTP/1.1\r\n
Host: \r\n
User-Agent: BearShare Lite 4.5.0.63\r\n
Range: bytes=0-324965\r\n
Content-Disposition: inline; filename=somefile.mp3\r\n
X-Queue: 0.1\r\n
X-Gnutella-Content-URN: urn:sha1:123412341234123412341234\r\n
X-Connection-Type: Broadband\r\n
FP-1a: \r\n
FP-Auth-Challenge: JUKZSOUFLZ2TOG2KAILXH34JA7WJWK3J\r\n
X-Features: queue/0.1\r\n
X-Node: X.X.X.X:6346\r\n
\r\n
--RESPONSE--
HTTP/1.1 401 Authorizing\r\n
Server: BearShare 4.7.0b38\r\n
Content-Length: 0\r\n
FP-1b: \r\n
\r\n
(At this point the connection is reset)
4) In a firewalled situation, outbound GIVs from a firewalled user are reset right after the GIV is received.
5) Cox is sniffing/dropping based on the DATA field of the TCP packet, NOT the packet header (source/dest ports), because uploads are dropped even while running over non-standard (6346) ports.
6) I'm not 100% positive, but Cox may allow uploads to other Cox subscribers in the same area. A few rare uploads slipped through to other Cox subscribers during my early testing. This may have just been a glitch/oversight in their traffic sniffer that has recently been fixed, because I have not seen a successful upload in weeks since. But for sure, all uploads heading outside the Cox area are dropped.
This is pretty sneaky actually, because Cox keeps their users happy by allowing downloads, and keeps the RIAA happy by disallowing uploads. However, Cox is interfering with their customers' outbound connections without their knowledge, and crippling legitimate uses for P2P networks (the debate over whether P2P is "server-based" and against Cox's TOS is for another day/thread). It's even more ironic that Cox recently ran a TV commercial for HSI, and one of the reasons they suggest getting Cox HSI is to "fill up that new iPod you just got for Christmas." In other words, Cox is promoting drug use, but preventing drug dealing.
Sounds like Cox is attempting to have their cake and eat it too. |
|
  SubTexel Keyboard Commando
join:2003-11-20 Hampton, VA | Re: Cox dropping (not blocking) Gnutella traffic
Of course I am sure they meant obtaining those files legally. At any rate, that sucks. |
|
 manifest bitches
join:2004-08-14 Hartford, CT | reply to afx114 Are you using this on windows or *nix/bsd? I'd like to see a tcpdump of the whole connection from initiation to it getting reset. |
|
 nchw68
join:2003-03-19 Chula Vista, CA
| reply to afx114 I have only WinMx installed and the exact same thing happens to me. I can download, but get 100% failure on uploads. I'm in Chula Vista by the way. It stopped working sometime late last year - everything was fine and then BAM! Instantly no uploads. Kinda like they can just flick a switch and turn off uploads for small areas or maybe even individual users.
If it wasn't for their bundled package (cable/internet/phone) I would switch back to DSL. |
|
 manifest bitches
join:2004-08-14 Hartford, CT | reply to manifest any response afx114? |
|
 afx114
join:2005-01-18 San Diego, CA | I'm on WinXPSP2. My FreeBSD box doesn't have a GUI so I can't run GTK-Gnutella to get a tcpdump. Do you know of any non-graphical Gnutella clients for BSD? Let me try WinDump; I'll post my results here. |
|
 afx114
join:2005-01-18 San Diego, CA
| Ok I have WinDump set up, but there's so much garbage flying through the pipe it's hard to see anything. Can someone help me test? I'll give you a file to search for, you try and grab it from me, and I'll filter your IP in WinDump so I can see just the upload traffic. |
|
 afx114
join:2005-01-18 San Diego, CA
edit: January 20th, @11:18PM
| Never mind, I was able to filter it out myself.
In the below TCPDump you will see a Bell South customer attempt to download a file from me. He makes two attempts. (LOCAL.PORT is me, note PORT is NOT 6346, but another random port, with NAT port forwarding, so I am effectively not firewalled)
1ST ATTEMPT
19:56:00.598539 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: S 910058714:910058714(0) win 65535
19:56:00.598624 IP LOCAL.PORT > adsl-1-139-33.clt.bellsouth.net.50736: S 591457694:591457694(0) ack 910058715 win 65535
19:56:00.714254 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: . ack 1 win 65535
19:56:00.725367 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: P 1:251(250) ack 1 win 65535
19:56:00.731713 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: R 910058965:910058965(0) win 10240
19:56:00.732075 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: R 910071468:910071468(0) win 10240
19:56:00.736472 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: R 910058971:910058971(0) win 10240
19:56:00.736840 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: R 910071474:910071474(0) win 10240
2ND ATTEMPT
19:57:01.850407 IP adsl-1-139-33.clt.bellsouth.net.50747 > LOCAL.PORT: S 2222769745:2222769745(0) win 65535
19:57:01.850485 IP LOCAL.PORT > adsl-1-139-33.clt.bellsouth.net.50747: S 2025320299:2025320299(0) ack 2222769746 win 65535
19:57:01.982241 IP adsl-1-139-33.clt.bellsouth.net.50747 > LOCAL.PORT: . ack 1 win 65535
19:57:01.993511 IP adsl-1-139-33.clt.bellsouth.net.50747 > LOCAL.PORT: P 1:251(250) ack 1 win 65535
19:57:01.999252 IP adsl-1-139-33.clt.bellsouth.net.50747 > LOCAL.PORT: R 2222769996:2222769996(0) win 10240
19:57:01.999618 IP adsl-1-139-33.clt.bellsouth.net.50747 > LOCAL.PORT: R 2222782499:2222782499(0) win 10240
19:57:02.003452 IP adsl-1-139-33.clt.bellsouth.net.50747 > LOCAL.PORT: R 2222770002:2222770002(0) win 10240
19:57:02.003816 IP adsl-1-139-33.clt.bellsouth.net.50747 > LOCAL.PORT: R 2222782505:2222782505(0) win 10240
EQUIVALENT BS LOGS (one for each attempt):
Upload from 65.1.139.33 ("LimeWire/4.0.8")
Processing request
--REQUEST--
GET /uri-res/N2R?urn:sha1:RJXSPMRB6EZO36USTVEQREOP6XFAM5KX HTTP/1.1\r\n
HOST: XXX.XXX.XXX.XXX:PORT\r\n
User-Agent: LimeWire/4.0.8\r\n
X-Queue: 0.1\r\n
X-Gnutella-Content-URN: urn:sha1:RJXSPMRB6EZO36USTVEQREOP6XFAM5KX\r\n
Range: bytes=0-99999\r\n
X-Features: queue/0.1\r\n
\r\n
--RESPONSE--
HTTP/1.1 206 Partial Content\r\n
Cache-Control: no-cache\r\n
Server: BearShare 4.7.0b54\r\n
Content-Type: audio/mpeg\r\n
Content-Length: 100000\r\n
Content-Range: bytes 0-99999/6213632\r\n
X-Gnutella-Content-URN: urn:sha1:RJXSPMRB6EZO36USTVEQREOP6XFAM5KX\r\n
X-Create-Time: 1082000768000\r\n
X-Features: chat/0.1, queue/0.1\r\n
\r\n
--RESPONSE FILE--
fileBytes: 6213632
szFileName: "somefile.mp3"
szBaseName: "D:\some\path" |
|
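The reset pattern in the capture above can be checked mechanically. As an added example (not part of the original thread), this Python code parses that tcpdump text format and flags a direction whose RSTs arrive as a burst with several different sequence numbers, or with a window value that sender never used on its other segments; the function names and the 50 ms burst threshold are assumptions.

```python
import re
from collections import defaultdict

# First upload attempt, copied from the tcpdump output in the post above.
CAPTURE = """\
19:56:00.598539 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: S 910058714:910058714(0) win 65535
19:56:00.598624 IP LOCAL.PORT > adsl-1-139-33.clt.bellsouth.net.50736: S 591457694:591457694(0) ack 910058715 win 65535
19:56:00.714254 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: . ack 1 win 65535
19:56:00.725367 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: P 1:251(250) ack 1 win 65535
19:56:00.731713 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: R 910058965:910058965(0) win 10240
19:56:00.732075 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: R 910071468:910071468(0) win 10240
19:56:00.736472 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: R 910058971:910058971(0) win 10240
19:56:00.736840 IP adsl-1-139-33.clt.bellsouth.net.50736 > LOCAL.PORT: R 910071474:910071474(0) win 10240
"""

LINE = re.compile(
    r"(\d+):(\d+):([\d.]+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
    r"(?:(?P<seq>\d+):\d+\(\d+\) )?(?:ack \d+ )?win (?P<win>\d+)")

def parse(text):
    """Yield (seconds, src, dst, flags, seq_or_None, window) per packet line."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        t = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
        seq = int(m["seq"]) if m["seq"] else None
        yield t, m["src"], m["dst"], m["flags"], seq, int(m["win"])

def suspicious_resets(text, burst_window=0.05):
    """Map (src, dst) -> reasons why that direction's RSTs look injected."""
    normal_win = defaultdict(set)  # windows seen on non-RST segments
    rsts = defaultdict(list)       # (time, seq, win) of each RST
    for t, src, dst, flags, seq, win in parse(text):
        if "R" in flags:
            rsts[(src, dst)].append((t, seq, win))
        else:
            normal_win[(src, dst)].add(win)
    findings = {}
    for flow, pkts in rsts.items():
        reasons = []
        times, seqs = [p[0] for p in pkts], {p[1] for p in pkts}
        if len(seqs) > 1 and max(times) - min(times) <= burst_window:
            reasons.append(f"{len(pkts)} RSTs with {len(seqs)} distinct "
                           "sequence numbers in one burst")
        odd = {p[2] for p in pkts} - normal_win[flow]
        if normal_win[flow] and odd:
            reasons.append(f"RST window {sorted(odd)} never used by this "
                           "sender's other segments")
        if reasons:
            findings[flow] = reasons
    return findings
```

Calling `suspicious_resets(CAPTURE)` reports both reasons for the remote-to-local direction; a flow that ends with a single RST using the sender's usual window produces no finding.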
 Razr1
join:2004-11-30 Fort Smith, AR | dude, I'm in Arkansas, and none of them work. BearShare, Kazaa, Shareaza. I can't download or even get a search going.
irc works fine.
how can i make p2p work again...arrrgghhh. |
|
  Starkiller
@cox.net | In AR too,
Nothing but BitTorrent works.
With Winmx and the like, they won't connect to anything. |
|
  EL_TB
join:2003-05-03 Fairfax, VA edit: January 23rd, @10:40AM
| Mine works but it is slow.
I hope Cox isn't charging me for a crippled net connection. Once they start blocking (dropping) it all the time I'm moving to something else. I bet most people at school will too. |
|
 manifest bitches
join:2004-08-14 Hartford, CT | reply to afx114 afx114: can you do the equivalent of -nettt in windump? |
|
 afx114
join:2005-01-18 San Diego, CA
| Here's an upload attempt using -nettt ... windump output on top, Bearshare console output on the bottom.
000000 00:06:25:ea:40:b9 > XX:XX:XX:XX:XX:XX, ethertype IPv4 (0x0800), length 62: IP 24.243.4.6.1773 > 192.168.X.X.MYPORT: S 790131918:790131918(0) win 65535
000090 XX:XX:XX:XX:XX:XX > 00:06:25:ea:40:b9, ethertype IPv4 (0x0800), length 62: IP 192.168.X.X.MYPORT > 24.243.4.6.1773: S 107096962:107096962(0) ack 790131919 win 65535
061333 00:06:25:ea:40:b9 > XX:XX:XX:XX:XX:XX, ethertype IPv4 (0x0800), length 60: IP 24.243.4.6.1773 > 192.168.X.X.MYPORT: . ack 1 win 65535
015100 00:06:25:ea:40:b9 > XX:XX:XX:XX:XX:XX, ethertype IPv4 (0x0800), length 635: IP 24.243.4.6.1773 > 192.168.X.X.MYPORT: P 1:582(581) ack1 win 65535
004598 00:06:25:ea:40:b9 > XX:XX:XX:XX:XX:XX, ethertype IPv4 (0x0800), length 60: IP 24.243.4.6.1773 > 192.168.X.X.MYPORT: R 790132500:790132500(0) win 10240
000360 00:06:25:ea:40:b9 > XX:XX:XX:XX:XX:XX, ethertype IPv4 (0x0800), length 60: IP 24.243.4.6.1773 > 192.168.X.X.MYPORT: R 790145003:790145003(0) win 10240
005326 00:06:25:ea:40:b9 > XX:XX:XX:XX:XX:XX, ethertype IPv4 (0x0800), length 60: IP 24.243.4.6.1773 > 192.168.X.X.MYPORT: R 790132506:790132506(0) win 10240
000381 00:06:25:ea:40:b9 > XX:XX:XX:XX:XX:XX, ethertype IPv4 (0x0800), length 60: IP 24.243.4.6.1773 > 192.168.X.X.MYPORT: R 790145009:790145009(0) win 10240
Upload from 24.243.4.6 ("BearShare 4.6.2.1")
Processing request
--REQUEST--
GET /uri-res/N2R?urn:sha1:PZWSAFKCQSRZ32CZSKXBUH4VCMMH7M2K HTTP/1.1\r\n
Host: IP.IP.IP.IP:MYPORT\r\n
User-Agent: BearShare 4.6.2.1\r\n
Range: bytes=3932160-4194303\r\n
X-NAlt: IP.IP.IP.IP:MYPORT\r\n
X-Gnutella-Content-URN: urn:sha1:PZWSAFKCQSRZ32CZSKXBUH4VCMMH7M2K\r\n
X-Connection-Type: Broadband\r\n
FP-1a: \r\n
FP-Auth-Challenge: NAAVOYFU5T7NZJ666YT5VCJDRICINWJM\r\n
Content-Disposition: inline; filename="somefile.mp3"\r\n
X-Features: browse/1.0, queue/0.1\r\n
X-Node: 24.243.4.6:6346\r\n
X-Queue: 0.1\r\n
\r\n
--RESPONSE--
HTTP/1.1 401 Authorizing\r\n
Server: BearShare 4.7.0b57\r\n
Content-Length: 0\r\n
FP-1b: \r\n
X-Features: chat/0.1, queue/0.1\r\n
\r\n |
|
 dygital
join:2004-02-09 Tucson, AZ
| reply to afx114 Gnutella 1 and 2, and eDonkey work fast for me, and I have nice constant uploads at 65KB/sec
I have DUMeter and it said I uploaded 25GB last month. As you can tell I support peer to peer.
All I got so far is 4 notices forwarded from MPAA to Abuse@Cox.net to tell me to stop sharing some movie about megacorporate culture. |
|
  hipigrl Premium join:2005-01-21 Virginia Beach, VA | careful, they will suspend you if you are sharing copyrighted materials and get caught. They might send you a few warnings first, then all of a sudden, your inet stops working |
|
 afx114
join:2005-01-18 San Diego, CA
| quote: careful, they will suspend you if you are sharing copyrighted materials and get caught. They might send you a few warnings first, then all of a sudden, your inet stops working
I'm not sharing copyrighted materials, I'm sharing my own materials. That's why it sucks. I pay for a service and expect to receive that service as advertised. Cox is messing with that service without warning or even admitting to it. |
|
 manifest bitches
join:2004-08-14 Hartford, CT | afx114: It looks as if the connection just times out. Does it matter what ISP the downloading user uses? Or does it always just time out no matter the user's ISP? |
|
 afx114
join:2005-01-18 San Diego, CA
| said by manifest37: It looks as if the connection just times out. Does it matter what ISP the downloading user uses? Or does it always just time out no matter the user's ISP?
Very early on in testing I had two successful uploads to other Cox customers, but it's been months since even that has happened. As I stated in my original post, it was probably a few transfers slipping through their filters. Cox has since tightened them down. |
|
 b5turbo
join:2005-01-28 Manhattan, KS | reply to afx114 Are the home office cable accounts port blocked also? I run a webserver off my cable connection and have a static IP and custom PTR entry as well. I try to use p2p and it doesn't work and I'll be PO'ed if my ports are blocked. |
|
 Bobby Boy
join:2003-05-29 Vienna, VA
edit: January 28th, @04:37PM
| reply to afx114
said by afx114: I'm not sharing copyrighted materials, I'm sharing my own materials. That's why it sucks. I pay for a service and expect to receive that service as advertised. Cox is messing with that service without warning or even admitting to it.
Cox's blocking of P2P uploads has undoubtedly hosed the upload speed of my connection. Sheesh.
2005-01-28 16:13:31 EST: 4583 / 20
Your download speed : 4693204 bps, or 4583 kbps.
A 572.9 KB/sec transfer rate.
Your upload speed : 20895 bps, or 20 kbps. |
|