
View Full Version : sandvine workaround


cicada
2007-09-11, 11:10 PM
I don't have Comcast, but I understand that there is a sandvine workaround at Wikipedia (listed under Comcast). Here's the link http://en.wikipedia.org/wiki/Comcast . I hope some of you who are stuck with them will figure out how to beat the system. Good luck!

U2Lynne
2007-09-11, 11:14 PM
Thanks for the link! I thought I would post a direct link here for those that, for some reason, can't wade through the entry and find the link. :cool:

http://redhatcat.blogspot.com/2007/09/beating-sandvine-on-windows-with-wipfw.html

Please make sure you read the directions instead of just copy/paste. You need to change the port number they use there for your specific case.

Tubular
2007-09-17, 08:41 PM
Thanks, this is great news! :thumbsup

lgerard
2007-09-18, 01:13 PM
how would you rewrite this if you were using a range of ports instead of just one?

saltman
2007-09-18, 01:32 PM
From the link

# Drop incoming packets with RST flag on BitTorrent port
# This is what thwarts Sandvine.
add drop tcp from any to me 6883 tcpflags rst



If legit RST traffic is sent it will also be dropped and you will end up with half-open connections which in time will time out.... so I suppose it's not the end of the world. But there will be better workarounds soon I'm sure.
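Two things come up in the posts above: lgerard's question about writing the rule for a range of ports, and saltman's caveat that the rule cannot tell an injected RST from a legitimate one. The following is an added example (my own code, not from the redhatcat blog post or from anyone in this thread). It builds the rule text and then runs a small model of the rule's match condition over a few constructed packets. It assumes ipfw's legacy syntax accepts an inclusive range written as LOW-HIGH in the port position (`from any to me 6881-6889`) and that `tcpflags rst` matches any segment with RST set, whatever the other flags; the sample packets and addresses are made up for the demonstration.

```python
"""Added example: generate the wipfw/ipfw RST-drop rule for a port range and
model what it drops. Not code from the blog post or the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def rst_drop_rule(low: int, high: Optional[int] = None) -> str:
    """Return the ipfw rule text for one port or an inclusive range.
    Assumption: ipfw accepts the LOW-HIGH range form in this position."""
    if not 1 <= low <= 65535:
        raise ValueError("port out of range")
    if high is None or high == low:
        ports = str(low)
    else:
        if not low < high <= 65535:
            raise ValueError("bad port range")
        ports = f"{low}-{high}"
    return f"add drop tcp from any to me {ports} tcpflags rst"


@dataclass(frozen=True)
class Packet:
    src: str           # constructed sample address, documentation range
    dst_port: int      # port on "me", the host running the firewall
    flags: frozenset   # subset of {"SYN", "ACK", "RST", "FIN"}
    note: str          # label for the report only


def matches_rule(pkt: Packet, low: int, high: int) -> bool:
    """The rule's match condition: inbound TCP to one of our ports in the
    range with RST set. Flags not listed in 'tcpflags' are don't-care, so
    a RST/ACK matches just like a bare RST."""
    return low <= pkt.dst_port <= high and "RST" in pkt.flags


def filter_packets(packets: List[Packet], low: int, high: int
                   ) -> Tuple[List[Packet], List[Packet]]:
    """Apply the rule and return (passed, dropped)."""
    passed: List[Packet] = []
    dropped: List[Packet] = []
    for p in packets:
        (dropped if matches_rule(p, low, high) else passed).append(p)
    return passed, dropped


# Constructed sample traffic. Note that the rule has no way to distinguish
# the "origin unknown" RST from one a real peer sent: both are dropped,
# which is the half-open-connection caveat from the thread.
SAMPLE = [
    Packet("203.0.113.7", 6883, frozenset({"ACK"}), "normal data segment"),
    Packet("203.0.113.7", 6883, frozenset({"RST"}), "RST, origin unknown"),
    Packet("198.51.100.2", 6885, frozenset({"RST", "ACK"}), "RST/ACK on another BT port"),
    Packet("198.51.100.9", 443, frozenset({"RST"}), "RST on HTTPS port, outside range"),
    Packet("203.0.113.7", 6883, frozenset({"FIN", "ACK"}), "orderly close"),
]

if __name__ == "__main__":
    print(rst_drop_rule(6881, 6889))
    passed, dropped = filter_packets(SAMPLE, 6881, 6889)
    for p in dropped:
        print("DROP", p.dst_port, sorted(p.flags), p.note)
    for p in passed:
        print("PASS", p.dst_port, sorted(p.flags), p.note)
```

The point the model makes visible: the rule is a blunt instrument. It keeps the RST off the BitTorrent ports whatever its origin, so a peer that genuinely resets the connection is ignored too and the socket lingers until it times out; RSTs on ports outside the range are untouched, so the rest of the host's TCP behaviour is unchanged.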

cicada
2007-09-30, 01:16 PM
Hi again... I cannot tell you this is going to work, but I found another possible sandvine workaround, while poking around elsewhere.
A solution was suggested to change the DNS server from the Comcast default. If you go to www.opendns.com (http://www.opendns.com), you can read up on how to change the DNS server default to OpenDNS. It is a free service and may help you with torrent seeding.
All I can say is to offer encouragement to all who cannot dump Comcast for whatever reason. And for those of you who can jump to another supplier... what are you waiting for?

rosc2112
2007-10-02, 03:41 AM
Apparently comcrap is sending these bogus RST's to *both* sides of the connection, so, both sides have to filter them. Probably a good practice to start implementing anyway, on general principle (forging packets to disrupt the Internet is just wrong..Any private citizen doing it would likely be arrested for it..Amazing how corporations can commit these crimes and yet be all squeaky clean about it under the guise of an AUP or other such bullshit.)

cicada
2007-10-14, 04:40 PM
Comcast users... Be sure to opt out!
Here (http://www.nbc4.com/money/13770401/detail.html) is an article that seems to say that everyone got instructions to opt out with their July bill. By not following those instructions they will automatically have to accept arbitration if they attempted to sue (unless they opted out).

headwingnut posted an interesting perspective over at (?)...
Press - Nontechnical Summary

Comcast is in violation of Internet standards as well as United States Federal law in its use of devices which send "specially crafted packets" to its own users in order to disrupt those users' Internet Communications.

Executive Summary

Comcast's use of the Sandvine devices to prohibit its clients' point-to-point Internet traffic is in violation of Internet standards as well as Federal law. Comcast's Terms of Service ("ToS") do not trump Federal Law. Further, Comcast's methods for blocking this traffic negate its claim that it offers "an Internet connection."

Press - Technical Summary

Comcast uses devices manufactured by Sandvine Incorporated ("http://www.sandvine.com"). These devices inject specially crafted RST packets purportedly from upstream P2P peers to Comcast customers, which destroy existing legitimate TCP connections. By doing so Comcast not only violates the TCP standard, but also the Host Requirements standards, and by crafting the packet to appear as if it came from the remote upstream peer is violating Federal Law.

ROADMAP

This memo will address the following:
1. What makes one "part of the Internet" or "connected to the Internet"
2. What standards and specifications spell out what is allowed and disallowed on the Internet.
3. What laws exist that govern these in the United States
4. What Comcast does which violates these standards and specification.

BEING CONNECTED TO THE INTERNET

Connection to the Internet in 2007's "Broadband America" is a simple matter of three items:
1. Get a carrier to provide a connection
2. Have a piece of hardware (typically a PC, a Mac, or a Router) which can connect to that connection
3. Make sure that hardware has the right software (Windows, MacOS, or embedded IP) to speak the right protocols.

Getting a Carrier

In most areas, the dominant carrier for "broadband access" is the local cable company, most of which have their own dedicated coaxial and fiber infrastructure, and a franchise agreement or otherwise similarly codified effective monopoly. Alternate access may exist in the form of lower-speed via the telephone company's Digital Subscriber Loop ("DSL") or a wireless Internet Service Provider ("wISP"). These latter two offer speeds that rival 1/10th the cable companies' advertised speeds* to 1/2 at best. Thus definitionally the only true "broad" band coverage is that provided only by the cable company. Getting the cable company to install a circuit is a simple matter usually handled by one telephone call, requiring no special contract or signature, and in most cases not even requiring a supervised site visit. (An unsupervised site visit by a technician to remove a high-pass or low-pass filter is sometimes required depending on the cable company's network.)

* Based on advertised speeds available in Tucson AZ, June-August 2007

Having a piece of hardware

A Personal Computer (PC) is available ubiquitously, and complete systems are sold throughout the Internet (e.g. eBay, Dell.com, etc.) and in stores (e.g. Best Buy, Circuit City, Walmart, etc.)

Having a piece of software

Most PCs come preloaded with a form of the Windows operating system. Mac systems come preloaded with MacOS. Either can be converted to running the popular and free open-source operating system Linux. Embedded routing devices run their own embedded operating system, often based on Linux.

INTERNET STANDARDS AND SPECIFICATIONS

1. There are standards all hosts on the Internet must adhere to. This includes all routers and end users' systems. (End-Systems and Intermediate Systems in ISO-speak.)
2. These are protocol standards that specify how a protocol is to be implemented

Hosts Requirement RFCs

RFC 1123 is the Host Requirements RFC. It is an official specification which "...supplements the primary protocol standards relating to hosts." [RFC-1123, para 1 "Status of This Memo"]. The "primary protocol standards relating hosts" are discussed in RFC-1122, "Requirements for Internet Hosts -- Communication Layers." It "...supplements the primary protocol standards documents relating to hosts." [RFC-1122, para 1 "Status of This Memo"].

Transmission Control Protocol RFC

The primary specifications document for hosts communicating using the Transmission Control Protocol (TCP) is RFC-793. [RFC-793, Sec 1.3]
This document specifies in which case an RST may be sent. Section 3.2 specifies the TCP state machine, which indicates from which state specific actions are allowed, and new states attainable. Figure 6 is the TCP Connection State Diagram. [RFC-793 Sec 3.2 Figure 6]. The routers used by Comcast on its network might also be considered Intermediate Systems, and as such are not participants in the TCP endpoints of the Comcast-Client Remote End System TCP communication. Its TCP state machine for that connection should therefore be considered in "CLOSED" state. From that state there are various allowed things, but sending an RST is not one of them. [RFC-793 Sec 3.9, "CLOSED STATE"].

LAWS RELATED TO THIS COMMUNICATION

There are two distinct issues involved in the matter.
1. Denial of Service Attack
2. Disrupting legitimate communication

Laws - Denial of Service Attack

18 USC 1030 "Fraud and related activity in connection with computers" has several related sections. 1030(a)(5)(A)(i) specifically prohibits "knowingly" causing a transmission which "...causes damage without authorization." Destroying a legitimate TCP connection without authorization damages the transferred item (File, etc.) as well as the connection, as well as the download process.

Laws - Disrupting Legitimate Communication

1030(a)(6)(A) offers an alternative view which is that "intent to defraud traffics..." [if] "such trafficking affects interstate or foreign commerce." This means that for those who use point-to-point clients for Commerce (e.g. distribution of software patches, programs, drivers, etc.) and for which these downloads occur over the Comcast network using the Peer to Peer network, the fraudulent IP address destroying its legitimate traffic constitutes a clear violation of this statute.

WHAT COMCAST DOES WHICH VIOLATES THESE STANDARDS, SPECIFICATIONS, AND LAWS

Facts

Comcast owns, leases, or operates devices manufactured by Sandvine Incorporated. http://www.lightreading.com/document.asp?doc_id=118890 [lightreading.com]
These devices craft TCP packets, purportedly from a non-Comcast end-user to a Comcast end-user, which effect a TCP RST. These packets have a spoofed IP address, a spoofed TCP control bitfield, a crafted TCP Sequence Number, a crafted TCP Checksum, and a crafted IP checksum.

Relation to Standards and Laws

(henceforth, TCP packets containing a control bitfield with the RST bit set, and encapsulated within an IP packet and sent over the Internet shall be referred to as simply "An RST", and the disrupted peer-to-peer conversation a "TCP Communication").

Standard: Only an END-SYSTEM in the LISTEN state may send An RST.
Violation 1: Comcast's systems are not END-SYSTEMS party to the TCP Communication.
Violation 2: Comcast's systems are not in the LISTEN state for the TCP Communication.

Laws: Disrupting other people's communications is a bad thing.
Violation: Comcast disrupts a perfectly good TCP Communication with An RST fraudulently disguised as originating from elsewhere.
Violation: In the case of interstate or foreign commerce, Comcast disrupts this commerce with An RST.

SUMMARY

Comcast's actions violate one or more statutes as well as Internet standards and specifications required for all hosts (end-systems as well as intermediate systems) connected to the Internet.

Comcast should immediately cease and desist these egregious violations and cease perpetrating targeted Denial of Service attacks on its customers.
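The memo's "Facts" section points out that the injected RSTs carry a crafted TCP sequence number, which is the detail that decides whether a receiving stack honours the reset at all. The following is an added example (my own code, not part of the memo or this thread) of the receiver-side check a TCP endpoint applies before acting on a RST. It models two policies I am certain of: RFC 793 §3.4, under which a RST is accepted if its sequence number lies anywhere in the receive window, and RFC 5961 (published in 2010, after this thread), under which only an exact match on RCV.NXT resets the connection, an in-window but inexact RST is answered with a challenge ACK, and anything else is dropped. The connection state and the RST sequence numbers are constructed sample values.

```python
"""Added example: how a receiving TCP decides whether to honour a RST,
under RFC 793 and under the tightened RFC 5961 rule. Not code from the
memo or the thread; the state values below are constructed."""
from dataclasses import dataclass
from enum import Enum

MOD = 1 << 32  # sequence numbers are 32-bit and wrap


class Verdict(Enum):
    ACCEPT = "tear down the connection"
    CHALLENGE = "keep the connection, send a challenge ACK"
    DROP = "drop the segment silently"


@dataclass(frozen=True)
class ReceiveState:
    rcv_nxt: int  # next sequence number we expect from the peer
    rcv_wnd: int  # bytes we currently advertise as acceptable


def in_window(seg_seq: int, st: ReceiveState) -> bool:
    """RFC 793 §3.3 acceptability test for a zero-length segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, computed modulo 2**32 so a
    window that straddles the wraparound point is handled correctly."""
    if st.rcv_wnd == 0:
        return seg_seq == st.rcv_nxt
    return (seg_seq - st.rcv_nxt) % MOD < st.rcv_wnd


def rst_verdict_rfc793(st: ReceiveState, seg_seq: int) -> Verdict:
    """RFC 793: any in-window RST resets the connection."""
    return Verdict.ACCEPT if in_window(seg_seq, st) else Verdict.DROP


def rst_verdict_rfc5961(st: ReceiveState, seg_seq: int) -> Verdict:
    """RFC 5961 §3.2: only SEG.SEQ == RCV.NXT resets; in-window but not
    exact gets a challenge ACK, which a real peer answers with a RST that
    does match and a third party cannot, because it never sees the ACK."""
    if seg_seq == st.rcv_nxt:
        return Verdict.ACCEPT
    if in_window(seg_seq, st):
        return Verdict.CHALLENGE
    return Verdict.DROP


def resetting_sequence_values(st: ReceiveState, policy: str) -> int:
    """Number of the 2**32 sequence values that would reset this connection
    without a round trip: the margin a blind injector has to beat."""
    if policy == "rfc793":
        return max(st.rcv_wnd, 1)
    if policy == "rfc5961":
        return 1
    raise ValueError("unknown policy")


# Constructed connection state, typical window of 64 KiB.
STATE = ReceiveState(rcv_nxt=1_000_000, rcv_wnd=65_535)
# Constructed state whose window wraps past 2**32.
WRAP_STATE = ReceiveState(rcv_nxt=MOD - 10, rcv_wnd=100)

if __name__ == "__main__":
    for seq, label in [(1_000_000, "exact RCV.NXT"),
                       (1_030_000, "in window, inexact"),
                       (5_000_000, "out of window")]:
        print(f"{label:20s} RFC793={rst_verdict_rfc793(STATE, seq).name:9s} "
              f"RFC5961={rst_verdict_rfc5961(STATE, seq).name}")
    print("values that reset blind:", resetting_sequence_values(STATE, "rfc793"),
          "vs", resetting_sequence_values(STATE, "rfc5961"))
```

The stack-side mitigation is the point here, as a complement to the firewall rule earlier in the thread: a host that requires an exact RCV.NXT match, and challenges anything merely in-window, leaves a forger who is not on the path with one chance in 2^32 per segment instead of one in 2^32 divided by the window, and the challenge ACK never reaches a sender that is only pretending to be the peer.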

ccrider895
2007-10-15, 09:57 PM
That's some interesting reading, cicada. I don't believe I've gotten one of these notices yet, but I'll check out your other link later.

I could devote an entire thread to the problems I've had with Comcrap this week, and the whole sandvining issue, however it would be more appropriate for the Lounge.

Y'know for language and all...... ;)

Anyway, I just want to thank Lynn for sharing that link. I'm using that little firewall now, and was finally able to seed a show on another site. I still can't connect to as many people as before, and I found that I can better connect to people who are using Azureus, utorrent and Bittornado with encryption enabled.

In a large swarm it seems to work pretty well, but not so well when there are only a couple of seeders/leechers.

I hope the govt. or the EFF takes these bastards to court. Even my mother was savvy enough to read articles on this and drop them as her ISP. I was pretty damn impressed she got it!

I would drop them myself, but very soon I will be moving to another city that is not served by those f*ckers.

ccrider895
2007-10-15, 10:05 PM
Yikes! Didn't mean for that picture to be so big. It didn't look that imposing when I emailed it to somebody.

possessed
2007-10-15, 10:15 PM
I was originally pissed that my apartment didn't get Comcast (based on speed of their packages vs what I was offered) but the rest of the city did. Now I'm quite happy with my local provider that has given me no trouble with my terabyte of transfer in the last 11 months. I've had months as low as 9 gig both ways and as high as 185 gigs both ways.

I suggest everyone get DUmeter and install it on their rig to monitor their traffic should they ever need to argue with their provider.

http://www.hageltech.com/dumeter/

dcbullet
2007-10-16, 12:06 AM
I was originally pissed that my apartment didn't get Comcast (based on speed of their packages vs what I was offered) but the rest of the city did. Now I'm quite happy with my local provider that has given me no trouble with my terabyte of transfer in the last 11 months. I've had months as low as 9 gig both ways and as high as 185 gigs both ways.

I suggest everyone get DUmeter and install it on their rig to monitor their traffic should they ever need to argue with their provider.

http://www.hageltech.com/dumeter/

Hey thanks, I've tried some other bandwidth monitor programs and haven't liked them. I'll try this.

cicada
2007-10-16, 01:41 AM
(pardon my double post) message is below
V V V V V V V V V

cicada
2007-10-16, 01:44 AM
Here is the link that I read which states Comcast has given all its customers the chance to "opt out" or accept arbitration ... if it should go to court http://www.nbc4.com/money/13770401/detail.html

If you are still with Comcast... be sure to read the fine print on your recent billings. It appears that this message was NOT prominent.

Comcast customers can opt out of the arbitration notice either online or by mail.

Online:

Go to comcast.com/arbitrationoptout and fill out the form. Subscribers will need a copy of their Comcast bill so they can enter their entire customer account number as it appears on the bill. If they have difficulties they should call 800-COMCAST (800-266-2278) and report the problem. They should keep a copy of the form.

By Mail:

Subscribers should write a note to Comcast that includes their name, address, Comcast account number and a statement that they do not wish to resolve disputes with Comcast through arbitration, and then mail to: Comcast, 1500 Market Street, Philadelphia, PA 19102, ATTN: Legal Department/Arbitration. They should also keep a copy of the letter they send to Comcast.

possessed
2007-10-16, 02:04 AM
Hey thanks, I've tried some other bandwidth monitor programs and haven't liked them. I'll try this.
no problem. I've used DUmeter for years. Simple but effective. And you get daily, weekly, monthly and overall bandwidth usage. Everyone should use it. It gives you a leg up on your ISP if they want to cry foul.

ccrider895
2007-10-16, 02:54 AM
Here is the link that I read which states Comcast has given all its customers the chance to "opt out" or accept arbitration ... if it should go to court http://www.nbc4.com/money/13770401/detail.html

If you are still with Comcast... be sure to read the fine print on your recent billings. It appears that this message was NOT prominent.

Sneaky bastards :disbelief

I came very close to switching to ATT this week until I read their user agreement. It's way too long to print out, but it's buried on their website if anyone wants to look.

Legally speaking, it looked even worse than Comcrap's and they also use sandvining. I am told that ATT's technology is much easier to bypass, though.

Where I live right now, those are the only 2 choices, and I just can't wait to move to a place I don't have to use either!

Perhaps tomorrow I'll start that thread in the Lounge :devil:
I'm way too tired at the moment to drag all that shit out.

possessed
2007-10-17, 09:44 PM
So who's tried this and does it work?

ccrider895
2007-10-18, 11:36 PM
So who's tried this and does it work?

http://redhatcat.blogspot.com/2007/...with-wipfw.html

^^^
I'm using it right now, and it DOES work. The only limitation is that I also have to use encryption as well, and I can only connect to other people that are using it.

Before, when I finished d/ling a show, all my torrents went "blue" (in Azureus) once I finished downloading. I could no longer upload anything to anyone. Now I can seed and upload to encrypted peers. The encrypted peers that aren't being sandvined can seed to the people not using encryption.

It's not quite as smooth as before, but I've successfully seeded 2 shows to Dime this week. Yeah I said the "d" word, :D but I needed to try this out with a larger swarm size.

possessed
2007-10-18, 11:47 PM
http://redhatcat.blogspot.com/2007/...with-wipfw.html

^^^
I'm using it right now, and it DOES work. The only limitation is that I also have to use encryption as well, and I can only connect to other people that are using it.

Before, when I finished d/ling a show, all my torrents went "blue" (in Azureus) once I finished downloading. I could no longer upload anything to anyone. Now I can seed and upload to encrypted peers. The encrypted peers that aren't being sandvined can seed to the people not using encryption.

It's not quite as smooth as before, but I've successfully seeded 2 shows to Dime this week. Yeah I said the "d" word, :D but I needed to try this out with a larger swarm size.

Excellent! Glad to hear that a workaround actually works. I've been getting some really crappy newsgroup speeds lately and I'm starting to wonder if it might be some kind of sandvine type blocking. And I don't use Comcrap.

ccrider895
2007-10-19, 12:09 AM
Excellent! Glad to hear that a workaround actually works. I've been getting some really crappy newsgroup speeds lately and I'm starting to wonder if it might be some kind of sandvine type blocking. And I don't use Comcrap.

Yes it really does

Just 2 things:

1. Follow the original link that Lynn posted in the thread. It did not copy & paste right for me

2. The last command - "net stop ipfw & net start ipfw"

Must be entered right into Windows. Start-> run-> (type) cmd
When the black screen comes up, just type that in without the quotes & you're good to go.

sihinka
2007-10-19, 03:19 PM
http://redhatcat.blogspot.com/2007/...with-wipfw.html

^^^
I'm using it right now, and it DOES work. The only limitation is that I also have to use encryption as well, and I can only connect to other people that are using it.


Is Windows Vista your OS by chance (I hope, I hope)?

ccrider895
2007-10-20, 02:24 AM
Is Windows Vista your OS by chance (I hope, I hope)?

Sorry, I should have mentioned I'm using Windows XP.

Lou
2007-10-20, 10:04 AM
Thanks for the link! I thought I would post a direct link here for those that, for some reason, can't wade through the entry and find the link. :cool:

http://redhatcat.blogspot.com/2007/09/beating-sandvine-on-windows-with-wipfw.html

Please make sure you read the directions instead of just copy/paste. You need to change the port number they use there for your specific case.

I tried doing that last night, and it completely fucked up my internet connection. I had to use Windows System Restore to get things back to normal. Just a warning to anyone who may try and do this.

ccrider895
2007-10-20, 03:03 PM
I tried doing that last night, and it completely fucked up my internet connection. I had to use Windows System Restore to get things back to normal. Just a warning to anyone who may try and do this.

I'm sorry to hear that Lou. It's always a good idea to back up your data and make sure you make a new restore point before you go installing any new programs.

Because I don't know what your OS is, whether you are using a router/firewall
or how you went about installing it, I can't figure out what happened in your case. Everyone's mileage may vary on this. Are you being sandvined by Comcast or another Company?

I have another very simple solution for an internet provider that begins with 'A' and ends with 'T'. It does not involve any new software installation and I imagine would work with any OS platform.

If anyone wants to know that, please pm me! I just don't want them to get wise to this and start using stronger technology like Comcrap's.