Linux iptables Will Fix Comcast's BitTorrent Connection Killing
redhatcat.blogspot.com — If you are tired of Sandvine screwing with your BitTorrent and a user of GNU/Linux, then this is for you. I will tell you how to take your bandwidth back. If you are using a Red Hat Linux derivative, such as Fedora Core or CentOS, then you will want to edit /etc/sysconfig/iptables.
- 960 diggs
- qwuinc, on 10/15/2007, -5/+29 This looks really fishy... it seems to accept loopback & ICMP packets, drop the RST packets (some people commented on Digg and /. that it will NOT help, quite the contrary), accept new TCP/UDP connections, and reject the rest of the packets - the hell? There isn't even any reference to related/established packets...
So, what was the author smoking?
- baalzebub, on 10/10/2007, -3/+20 I agree, I won't compromise my firewall just for BitTorrent, which works fine behind my iptables firewall. My provider does not filter anything; I would change providers first...
Comcast has been crap for years...
- antdude, on 10/10/2007, -3/+5 What if you can't get any other broadband services? Dial-up? Move? Satellite?
- muszek, on 10/10/2007, -1/+1 Download torrents on a remote machine? A cheap VPS is just $10... and you could do all those cool things with your own server. Especially in this case, when your ISP is crap and thus a home server isn't very reliable.
- dertyz, on 07/13/2008, -0/+0 I want everyone who has read ANYWHERE that using Linux or Mac iptables to drop the forged packets with the RST flag set won't help solve your peering problems to IGNORE what all the negative nellies are telling you!! I was a Windows user on Comcast's network and until yesterday, my seeding capacity was ZERO... period... no seeding unless it was during the initial download. Yesterday I installed Ubuntu, dropped those bad, bad RST packets with the proper command and VOILA! I was seeding like crazy. So, if you wanna stick it to Comcast and everyone else using Sandvine - SWITCH TO LINUX OR MAC AND USE YOUR IPTABLES TO DROP THE FORGED RST PACKETS!!! It will fix your problem because now EVERYONE ELSE IS DROPPING THEIR PACKETS TOO!! So the packets get dropped from both sides and no RST is performed. JUST DO IT!! You'll be glad you did. I'll be happy to send you screenshots of two machines, side by side, one on Windows and one on Linux... with the Windows machine seeding to no one and the Linux machine seeding like crazy. It really works! BELIEVE IT!
- capiCrimm, on 10/10/2007, -8/+7 I'm confused as to how some people can comment on Digg when you are the first post? Is this a dupe or did you mean Reddit or just /.?
- dleifelohcs, on 10/10/2007, -4/+5 Maybe I'm crazy, but the answer seems pretty obvious: this isn't the first topic about this on Digg! There was at least another that says "hey guys! Comcast is throttling BitTorrent!" wouldn't you think?
- qwuinc, on 10/10/2007, -0/+1 See what dleifelohcs said. The RST-dropping "solution" was brought into discussion in earlier Digg submissions, and in comments of many other places (Slashdot, TorrentFreak).
- CamZak, on 10/10/2007, -2/+11 Most people I know who torrent are behind routers... when you're on your own LAN you don't quite have to worry so much about setting up a firewall on each and every PC.
- thetinguy, on 10/10/2007, -6/+1 Someone PLEASE tell us how to make this change on our routers. I have a Zyxel X-550 XtremeMIMO.
- thecubic, on 10/10/2007, -3/+12 Don't do this. When you DROP RST packets, that means that EVERY TCP connection hangs open until a very very long timeout, turning BitTorrent into a user-initiated DoS attack on your machine. Yeah, this _will_ stop Comcast's behavior, but you're screwed.
Also, you wouldn't need any reference to related/established packets - as when a RST comes it only applies to a related/established connection. (see: Connection Reset by Peer)
// Linux systems administrator
- Tenoq, on 10/10/2007, -0/+4 Those running Linksys WRT54G/GL routers can use a custom firmware to time out TCP connections earlier than normal. This should prevent holding too many open and killing your net connection. Lot of effort though. Changing provider is a better choice, if you can. If you don't, complaining to your local government representative would be a good step. Moving would be next. I'm buying soon, and I will be considering broadband access as a key criterion for property purchase.
- redhatcat, on 10/10/2007, -0/+2 "When you DROP RST packets, that means that EVERY TCP connection hangs open until a very very long timeout, turning BitTorrent into a user-initiated DoS attack on your machine."
Legitimate BitTorrent connections are closed with FIN. If RSTs are being used by legitimate clients, the timeouts are not long in my experience.
"you wouldn't need any reference to related/established packets"
Actually, you do. I made a mistake stripping down my config for this post. The trick is to drop RSTs before accepting established connections.
- thecubic, on 10/10/2007, -0/+0 Legitimate connections are also closed with RST. See (from Wikipedia TCP):
[Some host TCP stacks may implement a "half-duplex" close sequence, as Linux or HP-UX do. If such a host actively closes a connection but still has not read all the incoming data the stack already received from the link, this host will send a RST instead of a FIN (Section 4.2.2.13 in RFC 1122).]
- redhatcat, on 10/10/2007, -0/+1 "There isn't even any reference to related/established packets..."
Oops. Sorry about that. I made this in a rush and I stripped more from my config than I meant to. Thanks for pointing that out. I've fixed it.
- qwuinc, on 10/10/2007, -0/+1 Certainly looks better now, although the custom "RH-Firewall-1-INPUT" chain is extra as you could've just simplified it to "INPUT". Sorry for the initial comment, maybe you weren't smoking enough coffee ;-)
As for the fix itself, I probably should refrain from commenting anymore as I don't remember enough about TCP to understand the implications of this. However, it's certainly worth the try as it only messes with the BitTorrent packets anyway.
- redhatcat, on 10/10/2007, -0/+1 I thought about removing the custom chains for simplification. I'll make an edit in a bit. It is probably especially confusing for those not using a Red Hat-like flavor.
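Editor's note: the exchange above settles on one ordering rule (drop the RSTs, then accept ESTABLISHED) and on dropping the extra RH-Firewall-1-INPUT chain. The ruleset below is an added example written for this page; it is not the file from the linked blog post and not anything redhatcat or qwuinc posted. It assumes the BitTorrent client listens on TCP 6881:6889 (a made-up range, substitute your client's), uses the `-m state` match that Red Hat's /etc/sysconfig/iptables used at the time, and scopes the RST drop to that port range so every other TCP connection keeps normal reset handling.

```shell
#!/bin/sh
# Added example (not the ruleset from the linked blog post). Emits an
# iptables-restore file in the /etc/sysconfig/iptables style mentioned in
# the thread. The BitTorrent port range is an assumption; pass your own.
#
# The point under discussion: the RST drop has to come BEFORE the rule that
# accepts ESTABLISHED,RELATED traffic, otherwise the injected RST matches the
# conntrack accept first and the drop never fires.

bt_ruleset() {
    ports="${1:-6881:6889}"   # assumed listening port range, not from the page
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and ICMP, as the original post's description allows
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# 1. drop RSTs aimed at the torrent listener. Scoped to that port range so
#    only these flows pay thecubic's hanging-connection cost; every other
#    connection still honours RST.
-A INPUT -p tcp --dport ${ports} --tcp-flags RST RST -j DROP
# 2. only now accept packets that belong to tracked connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. new inbound peers to the torrent listener
-A INPUT -p tcp -m state --state NEW --dport ${ports} -j ACCEPT
# everything else: reject, as the Red Hat default does
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sanity check that runs without root: the DROP rule must appear before the
# ESTABLISHED accept in the emitted file. Exit status 0 when the order is right.
rst_drop_precedes_established() {
    rules=$(bt_ruleset "$1")
    drop=$(printf '%s\n' "$rules" | grep -n -- '--tcp-flags RST RST -j DROP' | cut -d: -f1 | head -n 1)
    est=$(printf '%s\n' "$rules" | grep -n -- 'ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1 | head -n 1)
    [ -n "$drop" ] && [ -n "$est" ] && [ "$drop" -lt "$est" ]
}

# Usage, as root, once the output looks right (persisting it this way is the
# lead2thehead suggestion further down the thread):
#   bt_ruleset 6881:6889 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
bt_ruleset "$@"
```

Two caveats a practitioner should keep in mind. Connections your own client opens to remote peers use ephemeral local ports and are not matched by `--dport`; widening the rule to all RSTs brings back the hanging-connection problem for every TCP session on the box. And, as funchords points out below, none of this reaches the copy of the forged RST that the remote peer receives.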
- schestowitz, on 10/10/2007, -20/+9 So Linux torrents are back. How dare they throw out the baby with the bathwater in the first place? Is this some kind of a plot to stop dissemination of Free software under the guise of piracy? Like political censorship under the guise of "save the children from unhealthy content"?
It would be best to just leave Comcast if you're a customer of theirs.
- Tobark, on 10/10/2007, -3/+10 Not really.
I have no alternatives. DSL... too far. T1... yeah right. No FiOS yet. Dialup? LOL
- dleifelohcs, on 10/10/2007, -2/+7 Linux torrents were never gone. Comcast doesn't BLOCK torrents, they just limit them. And they limit them ALL. Comcast has always limited and shaped traffic. That's why you get 8Mbit DOWN, and 768kbps (or whatever) UP. They never wanted you to run webservers that would stress their system out, and just the same they don't want you to run torrent servers that will do the same.
I ditched Comcast because it was too pricey. $80/mo for Cable Internet and Basic Cable TV was too much. Verizon sucks just as much, with my 768kbps/128kbps connection being quite slow, but at $30/mo or so including a landline, it's at least more reasonably priced.
- baalzebub, on 10/10/2007, -1/+6 I would too, why pay 80 bucks a month for unused (unusable) bandwidth...
- j0kerz, on 10/10/2007, -4/+10 Can someone verify this actually works?
- albiniak, on 10/10/2007, -16/+3 Can someone verify Comcast (or whatever, point remains) is actually RST'ing seeders? I'm on comcast.net in Minneapolis, and seeding just fine.
FUD FTW!
- albiniak, on 10/10/2007, -1/+2 -10 diggs and counting... for spreading the truth? Ubuntu server 386 - seeding to 20 users, upload maxed out. Connection? comcast.net. Yay diggers!
- redhatcat, on 10/10/2007, -0/+1 This may not be happening in your area, but it is happening in others. I'm glad they aren't destroying your seeding. :)
- trunkster, on 10/10/2007, -1/+6 Comcast is stopping seeding, at least in Washington State. My upload drops and if I try creating a torrent and then seeding it... it uploads for a few seconds and stops. This even happens with Comcast users now.
- redhatcat, on 10/10/2007, -0/+2 It may not be in your area... yet. In Colorado and many other places, they are. You can use tcpdump to verify that you are receiving illegitimate RSTs.
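Editor's note: redhatcat's advice above is to confirm with tcpdump that the RSTs you receive are illegitimate before touching the firewall at all. The script below is an added example of one way to do that check; it is the editor's code, not anything posted in this thread. It reads `tcpdump -nn -v` text (the two-line form: IP header fields on the first line, the TCP fields indented on the next) and flags any RST whose IP TTL differs from the TTL the same source used on its own data packets. That heuristic is an assumption, not something the page establishes about Sandvine: a box injecting a RST sits a different number of hops away than the real peer, so its packets usually arrive with a different TTL, while a reset from the genuine peer arrives with the peer's usual TTL. The capture lines embedded in the script are constructed to show both cases and use documentation IP ranges; they are not a real Comcast trace.

```shell
#!/bin/sh
# Added example: flag TCP RSTs whose TTL does not match the TTL the same
# source uses on its data packets. Input is `tcpdump -nn -v` text, two lines
# per packet. Heuristic only: it ASSUMES an injected RST arrives with a
# different hop count than the real peer's packets.

detect_forged_rst() {
    awk '
    # First line of a packet: "... IP (tos 0x0, ttl 52, id ...) ..."
    # (if a tool prints everything on one line, this rule still fires first)
    /ttl [0-9]+/ {
        if (match($0, /ttl [0-9]+/)) ttl = substr($0, RSTART + 4, RLENGTH - 4) + 0
    }
    # Second line: "    src.port > dst.port: Flags [R.], seq ..., length 0"
    /Flags \[/ {
        src = ""; dst = ""
        for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst) }
        p = index($0, "Flags [")
        q = index(substr($0, p), "]")
        flags = substr($0, p + 7, q - 8)
        if (index(flags, "R")) {
            if ((src in base) && base[src] != ttl)
                printf "SUSPECT RST %s -> %s arrived with ttl %d, data from %s has ttl %d\n", src, dst, ttl, src, base[src]
            else
                printf "ok      RST %s -> %s ttl %d\n", src, dst, ttl
        } else if (!(src in base)) {
            base[src] = ttl    # first non-RST packet from this source sets the baseline
        }
    }' "$@"
}

# Constructed sample in the shape of `tcpdump -nn -v` output (NOT a real
# capture). Peer 198.51.100.7 sends data at ttl 52, then a RST shows up at
# ttl 61: suspect. Peer 203.0.113.9 sends a SYN and a RST both at ttl 118: ok.
SAMPLE_CAPTURE=$(cat <<'EOF'
12:00:01.000001 IP (tos 0x0, ttl 52, id 1234, offset 0, flags [DF], proto TCP (6), length 1500)
    198.51.100.7.51234 > 192.0.2.10.6881: Flags [.], seq 1:1449, ack 1, win 65535, length 1448
12:00:01.000500 IP (tos 0x0, ttl 52, id 1235, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.7.51234 > 192.0.2.10.6881: Flags [P.], seq 1449:1461, ack 1, win 65535, length 12
12:00:01.001000 IP (tos 0x0, ttl 61, id 0, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.7.51234 > 192.0.2.10.6881: Flags [R], seq 1461, win 0, length 0
12:00:02.000001 IP (tos 0x0, ttl 118, id 777, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.9.40000 > 192.0.2.10.6881: Flags [S], seq 100, win 8192, length 0
12:00:02.500000 IP (tos 0x0, ttl 118, id 778, offset 0, flags [DF], proto TCP (6), length 40)
    203.0.113.9.40000 > 192.0.2.10.6881: Flags [R.], seq 101, ack 1, win 0, length 0
EOF
)

# Number of suspect RSTs in the constructed sample (used as a self-check).
count_suspect_rsts() {
    printf '%s\n' "$SAMPLE_CAPTURE" | detect_forged_rst | grep -c '^SUSPECT'
}

# Live use (port is an assumption; use your client's listening port):
#   tcpdump -l -nn -v -i eth0 'tcp port 6881' | detect_forged_rst
printf '%s\n' "$SAMPLE_CAPTURE" | detect_forged_rst
```

A TTL mismatch is evidence, not proof: routes change, and an injector that copies the peer's TTL slips past this check (a RST is also only honoured by the stack if its sequence number falls in the receive window, so the injector has to track sequence numbers too). And it only shows you what reaches your side; the RST that funchords says is sent toward the remote peer can only be seen by running the same check there.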
- eddieroger, on 10/10/2007, -5/+33 This is pretty ingenious. Basically, they've noticed that Comcast is sending RST packets to close the connections, and this configures the firewall to drop them. For those who notice that it allows ICMP in still, I believe the author's intention was to only remedy the Comcast issue, but keep normal function, and for those who don't run a firewall at all, ICMP can get in. If you know what you're looking at when you read the code and want ICMP blocked, remove that line - it won't break the fix.
- funchords, on 10/10/2007, -10/+22 Concast's forged RST is sent both ways -- not just to the Comcast customer. Nothing that you do to your local firewall will keep your distant peer from receiving the forged RST and tearing down the connection on that end.
Buried: This article is inaccurate.
- zybch, on 10/10/2007, -10/+8 Um, no it's not.
- Enuratique, on 10/10/2007, -2/+6 Yes, it is. Both parties need to ignore the RST packet in order to keep the connection live. Read the TCP/IP protocol if you like [http://www.night-ray.com/TCPIP_State_Transition_Diagram.pdf]. If the other party properly handles the RST flag (because a firewall didn't block the packet), then it will enter the passive listen for new connection state while the other party continues to send information. Those data packets aren't acknowledged, eventually time out, and then the connection itself times out.
- MxxCon, on 10/10/2007, -2/+3 Yes it is. Sandvine sends spoofed RST packets both ways.
- redhatcat, on 10/10/2007, -0/+1 True, despite the comment burying. Comcast does not kill non-Comcast connections. I only know from personal experience.
I believe they choose to not do this to avoid lawsuits from other ISPs, as that behavior could be seen as a DoS attack on their customers/networks. That's not to say what they are doing to their customers now is not a DoS attack, but they are less afraid of lawsuits from individuals than other ISPs most likely.
- GiulianoB, on 10/10/2007, -11/+6 If this works then someone make an Azureus plugin to drop the unwanted packets. kthx.
- Canumbler, on 10/10/2007, -0/+6 Azureus is quite a ways above the TCP layer, it has no exposure to this sort of thing.
Layer 3 (I think I remember that right) can only be screwed with by the OS, hence Linux iptables.
I don't know what the equivalent would be with Windows, but considering the general state of their network stack I imagine it wouldn't be worth it.
That said, other posters are correct, as the RST packets are sent to both ends it's not really going to help much unless every client starts doing it.
- d3matt, on 10/10/2007, -0/+0 Technically speaking, you're correct. If you use the TCP/IP stack, you have to modify packets at an OS level with a kernel module like iptables.
- signal15, on 10/10/2007, -0/+2 It also won't matter if you have a firewall and the firewall sees the RST first. Your BitTorrent client wouldn't have any control over the firewall closing the connection. You could always get around this by just using one of the cheap PPTP VPN services out there.
- EvilMoose, on 10/10/2007, -11/+2 Buried as being inaccurate and stupid. I hope no one else does this iptables trick.
- tonycomputerguy, on 10/10/2007, -13/+2 Protocol Encryption + Comcast = no problems here, kthxbye.
- clearzen, on 10/10/2007, -2/+5 That doesn't work duuude..... it's called deep packet inspection.
- dleifelohcs, on 10/10/2007, -2/+3 He says it works for him, "duuude" - you know better than he does about his own connection? Comcast speeds, services, and yes even throttling vary by region.
- wolferz, on 10/10/2007, -3/+0 Do you understand what encryption means? You can't inspect beyond the encryption unless you have the encryption key or more CPU power than is reasonable for such a task.
- rootstyle, on 10/10/2007, -0/+3 Do you understand what deep packet inspection is? They don't decrypt the traffic, they look for traffic patterns, i.e. heuristic analysis. The product is called P-Cube, it's a company Cisco bought. Don't flame when you are just being ignorant.
Some ISPs have already put it into place, and encryption doesn't fix it (although it may help throw it off a bit). These are just cost saving measures, that's the unfortunate bottom line.
- wolferz, on 10/10/2007, -3/+0 Perhaps I was ill informed as to what deep packet inspection is then. However all forms of data encryption I know of which would work with P2P software would make heuristics less than helpful for identification as well.
I will freely admit that was a very long time ago (years). However, last I checked BitTorrent doesn't have any form of native encryption. Thus, unless I'm mistaken, the only way someone could have any form of encryption for torrent traffic is via an encrypted proxy.
Seeing how all data for BitTorrent would be traveling to/from a single destination/source instead of the hundreds or even thousands that are common for unproxied torrent data or other forms of P2P traffic, wouldn't this negate the normal tell-tale signs of P2P traffic, leaving only much less significant patterns that could be any of thousands of things?
Thus far using Tor has solved this problem for me and applies to more than just torrents.
- InsaneMachine, on 10/10/2007, -1/+2 Doesn't Azureus have full protocol inspection? Like encrypts the data as well. Although Comcast could be sending the RST packets based on amount of data, and then nothing you can do.
- yamyogurt, on 10/10/2007, -1/+3 I have the same problem and I'm using Cox.
- shakajumbo, on 10/10/2007, -2/+21 *AArrghh* Must resist.... ***** joke........
- MxxCon, on 10/10/2007, -1/+2 Figure out how to use Wireshark or any other network sniffer and post a traffic dump showing that Cox is doing the same other.
- cawpin, on 10/10/2007, -0/+1 Cox doesn't block torrents. I've never noticed ANY packet shaping, or dropping, of any kind with Cox.
-cox jokes-
If you're having a problem with your Cox, call a Cox repair man.
Make sure to review your Cox bill every month to make sure you're only being billed for the Cox service you received.
-/cox jokes-
- HappyScrappy, on 10/10/2007, -8/+7 This was debunked a while back.
- clearzen, on 10/10/2007, -4/+9 By who?
- opusagogo, on 10/10/2007, -2/+15 Won't this just queue up a bunch of unclosed connections until the program runs out of file descriptors and panics? And create a huge memory leak? Can somebody post a tcpdump of the RST packet, thanks.
- MxxCon, on 10/10/2007, -1/+5 Here it is: http://torrentfreak.com/images/comcast-rst1.txt
- CrAkaRJax, on 10/10/2007, -2/+14 How do you tell if your bandwidth is shaped? That would be a diggable article.
- rootstyle, on 10/10/2007, -0/+3 There are some test suites out there to detect the presence of QoS shaping, as it's been a problem with carrier to carrier, GRE and MPLS style connections... however it's not a simple task, nor very definitive, and something an end user really can't do. I can't think of the name of the one I had used before, but if I do I will post it in the thread.
- DigDugDigger, on 10/10/2007, -1/+3 I haven't tried this, but try torrenting a Linux distribution or something else you'd expect to get very high speeds with.
- obby, on 10/10/2007, -2/+3 I am gonna say, I am on Rogers, and basically BitTorrent is a nightmare. You can't upload, download has improved mildly now, it used to top out at 90KB/s down and about 5 KB/s up.
- Phatt138, on 10/10/2007, -1/+5 If you're using BitTorrent and seeing many hundreds of peers that you never connect to, have the connection entirely drop out once in a while, suffer severe slowdowns in all network functions while actively downloading a torrent, or see plenty of peers but never get above ~30kb/s, then you're suffering from this problem.
Suffice to say that if you've used BitTorrent -before- the new shaping measures and after, you'll be able to tell the difference.
- thetinguy, on 10/10/2007, -9/+9 I wish someone would tell me how to do this with my router. Zyxel X-550 XtremeMIMO. I run OS X, and if someone were to write an ipfw filter, I would LOVE them. Comcast BLOWS. I can't wait to get FiOS.
- luchid, on 10/10/2007, -1/+4 Why is he getting dugg down? It was a perfectly valid question and request and would be useful for anyone with a router capable of iptables filtering...
- sacr3dc0w, on 10/10/2007, -1/+2 Because the average Digg user is retarded and if they can't answer a question, they digg down. You'd figure with "OS X" he would have 1000 diggs by now.
- TheZorch, on 10/10/2007, -6/+8 Even if this so-called "fix" works or not (which apparently it doesn't), an ISP who deliberately blocks a free service from working is an ISP that nobody who visits Digg.com should be paying out to. Nothing speaks louder to these "too big for their own good" corporations like lost profits. Just means DSL and up-start cellular ISPs will be getting their business. Considering how inept Comcast's support staff are and how unstable their network has been the past year and a half (myself and several others had unresolved connection problems for several months before we switched to DSL), I'm surprised they still have customers at all.
- everett3, on 10/10/2007, -2/+1 I don't have any other reasonable options. I am too far from the CO for DSL and Clearwire is only 1.5mb.
- Vektuz, on 10/10/2007, -0/+2 Zorch: That would be great if people had an option. A lot of Comcast customers have two choices: Comcast or 56k.
The ISPs have a hidden natural monopoly, which they are working very hard to hide.
- jzp-digg, on 10/10/2007, -0/+1 You have the choice too! Get millions and run your own last mile. Good luck with that.
- wolferz, on 10/10/2007, -14/+2 I'm personally proxying across the Tor network and it works awesome. Before someone says a proxy won't work, of course it won't. The key here is that Tor encrypts all data going out (data coming in is encrypted too). This means Comcast has no idea what is being sent back and forth beyond "encrypted Tor network data." This also would work with VPN "proxying" but that requires access to some hefty bandwidth.
The key is to use a system of proxying that not only supports SOCKS (Tor) or some form of tunneling (VPN) but also (more importantly) encrypts the data from the moment it leaves your computer till after it has left the Comcast network (i.e. the system the proxy is hosted on).
Tor is available free from: http://tor.eff.org/
- luchid, on 10/10/2007, -1/+8 Tor was NOT meant to be used for P2P and by using it for such activities you are bogging down the service for everyone with a legitimate use for it.
- Vektuz, on 10/10/2007, -1/+8 Tor would stop functioning completely if people used it for P2P traffic.
- alricsca, on 10/10/2007, -0/+18 I still do not understand why no one is suing Sandvine and Comcast for creating fraudulent packets. The drop connection request that Sandvine is using impersonates another ISP's and network's packets exactly. How is this legal? It would be like writing mail in another company's name or calling and pretending to represent one company when you belong to another. This is hacking, very black hat.
- jzp-digg, on 10/10/2007, -1/+4 Read your customer service agreement.
- paradexes, on 10/10/2007, -0/+4 It was the same way in the AOHELL (AOL) heyday. They did well and then got pwned cause their customer service sucked so bad. Part of it is due to corporate friendly government. Hopefully the next incoming government does a better job of handling this mess. They can regulate the crap out of them.
This hack won't really work.
- Mononuclear, on 10/10/2007, -3/+2 All we need is more government regulation of everything in our lives...
- trunkster, on 10/10/2007, -2/+3 Hmm very tempting to try, suppose just trying it and seeing if it actually does or does not work won't hurt anything. I have a hacked Linksys with DD-WRT that uses iptables... though I don't want to put a hole in my firewall.
- sloppychris, on 10/10/2007, -1/+3 Would this harm my system if I tried it? Not really sure if this is the right place to ask, but it's worth a shot.
- thecubic, on 10/10/2007, -2/+1 Yes
- Ebacherville, on 10/15/2007, -1/+6 Wish this were true, P2P would make Linux the #1 OS of choice :)
Time to find P2P-safe ISPs... Really, P2P doesn't make you a pirate... you can download terabytes of free open stuff on P2P and be totally legal...
That's like banning cars because you can kill people with them. Do your part: ban the P2P-blocking ISPs from your money... boycott them and tell all your friends to not use them because they filter your connection, they will fall out of use quickly.
- jzp-digg, on 10/15/2007, -1/+2 "That's like banning cars because you can kill people with them."
No. Last mile providers don't CARE that you're torrenting RIAA-controlled content, pr0n, whatever. They care that torrent blows stat-mux models of bandwidth utilization out of the water. If you want dedicated bandwidth rather than muxed at residential levels, BUY IT. Expect to pay accordingly.
- unrealmp3, on 01/30/2008, -0/+1 Easy to say when Comcast is the ONLY ISP in the area.
- ClOlD, on 10/26/2007, -11/+3 If you're smart enough to use Linux, aren't you smart enough to know that you can get the copyrighted files you want off Usenet FASTER than with P2P, and without the risk of getting sued for uploading to others?
- DontSayFanboy, on 10/10/2007, -0/+6 pssst! on'tday alktaay aboutaay usenetay
- trunkster, on 10/10/2007, -0/+2 Usenet does not have everything... especially older material, plus you have to pay an extra service fee for a good newsgroup server.
- ClOlD, on 10/10/2007, -2/+0 A good server with 90+ days 99% retention costs less than $14 a month.
If that means I can get ANY file I want at my full 2.5MBbs download speed, vs. 100-900KBps for a torrent, even after it "warms up", and no uploading to get me sued? Yeah - I think that's worth it.
- lead2thehead, on 10/10/2007, -1/+3 "You will have to run this script every boot, by the way."
Not if you add this line:
iptables-save > /etc/sysconfig/iptables
- benplaut, on 10/10/2007, -2/+5 OK FOLKS!!
I just tried this on my virtual machine (Debian). It seemed to do "something," and it half worked, but the connection was unbelievably slow.
- toastgodsupreme, on 10/22/2007, -6/+1 Buried.
- Kooroo, on 10/10/2007, -1/+2 Looks like a suspect solution to me. It relies on being relatively widespread, regardless of either end's ISP, and only functions by futzing with the normal operation of TCP communications. There's potential that you'll fly through file descriptors and run out (bad thing... but kind of inherent in BT anyways) and, in the end, if your ISP can identify you as suspect to even determine it needs to send an RST, you're pretty much flubbed as there's other things they can do.
It seems to me the trick would be for BT clients to establish connections to random DST ports for every peer pair and have those all funnelled into a single port via a local DNAT or REDIRECT in iptables. Add encryption on top and I imagine meaningful deep packet inspection becomes very difficult for the ISP -- defeating the detection vs defeating the policy.
Just my 2 cents.
- akkibaba, on 10/10/2007, -1/+1 So, another shot is fired in this arms race we have going... brilliant!
- Hewbie, on 10/10/2007, -0/+1 Just cancel yer service with them. If enough users leave they have to sit up and take note; hopefully this would send a strong message to ISP(s) who do this :> we won't be forced upon this crap anymore
- BrandNewJesus, on 10/10/2007, -0/+1 This is why everyone should root for Google. I would even turn off Adblock if it would cure all of this BS.
Another Digg article mentioned using SSH, which is what I am going to do... does it work?
- DrawingTheSun, on 10/10/2007, -0/+1 It didn't work for me. I use Pipex in the UK and their traffic shaping affects BitTorrent over SSH and VPN tunnels.
So if Comcast uses similar tactics (I guess they would do) then you're out of luck.
- AMadeUpName, on 10/10/2007, -1/+3 DON'T DO THIS!!!! When a peer actually sends an RST packet you will not get it, leaving the connection open till it times out. So if you are doing a bunch of transfers you are effectively DoSing yourself.
Now I am not saying what they are doing is not shady and evil and full of crap, but I worked for an ISP a while back, and the reason Comcast is trying to screw with BitTorrent is this. This is an oversimplification, but let's say your ISP has a 100Mbit connection to the backbone, and they plan on selling 1Mbit connections to customers. This means that they can have 100 people on their network using full bandwidth. Now you may be thinking that this is the number of people they should have on their network then, but you would be wrong because most people do not use the internet at full speed 24/7. They will probably sell it out to 3000+ customers. This is (in their minds) good for you as it keeps your connection cost lower and good for them as it keeps their profit margins higher (quite high). Along comes BitTorrent and other P2P software programs. Slowly more and more of their users start using 100% of their connections. Suddenly they need to get a bigger backbone to cover their customer base, lowering their profit margins because they know damn well they cannot raise their high rates or they will lose customers. So they try and find ways to throttle bandwidth.
- guinnessstout, on 10/10/2007, -0/+2 tcpdump while using torrent to capture the IP Comcast is sending RSTs from, then adding that IP to my firewall to block all traffic works fine. I use a PIX 515 for my border firewall and it does the trick well. I guess I could also add an ACL that would block RSTs from any Comcast host, still a little dangerous if you download from a Comcast torrent. Just my two cents.
- kevmaster, on 10/10/2007, -1/+2 Another great use of iptables: Block Brute Force Attacks:
http://digg.com/linux_unix/Ubuntu_Brute_Force_Attacks
- funchords, on 10/22/2007, -0/+1 Tests and Results - RSTs are sent in both directions
http://www.dslreports.com/forum/r19036168-Tests-and-ResultsRSTs-are-set-in-both-directions
Comcast users should not modify their firewalls to drop RST packets as it is not an effective defense against the injected RST packets.
- docsharp76, on 02/16/2008, -0/+0 If you want more bandwidth using Linux, you need to use a reliable T1 internet access provider.
http://www.1-satellite-tv-facts.com/T1-Internet-Se ...