My eyes, they burn
So Comcast has been doing this really sneaky thing to try and cut back on traffic in general. Bittorrent constitutes a significant percentage of overall traffic on the net, so Comcast is all like “hey, we can mess with that lolâ€. They got this program that seeks out Comcast customers with active bittorrent streams and basically severs them (it forges RST packets and injects them intot the stream towards each end). So if you’re a Comcast customer and your torrents have been dying, that’s why. They didn’t announce it, and it’s a pretty crappy thing try and pull in the first place. There are lots of legit bittorrent uses. What’s more, they forge very messy RST packets and basically break RFC protocol on how one is supposed to use TCP/IP… not the sort of thing an ISP should be doing. If I went around doing the same thing, dropping peoples’ connections to other people randomly while they’re in the middle of doing stuff, I’d probably get in trouble for it. It’s a really *bad* thing to get caught doing.
Anyways… It’s been bugging my roommate for a while now and I tried to see what I could do about it since I more or less control our network. I spent a decent chunk of the day reading up on this issue, TCP/IP in general, and scanning through tcpdump output (basically a record of the raw packets passing through the firewall). It’s funny how I get on kicks like this, going into it knowing *not so much*, and I come out as if I re-learned something I knew all along. And I get excited about it on top of that. Very much like having an epiphany. I feel like I took in so much in the few slow hours I had at work that it’ll take me a couple days to fully digest. I suppose that’s how I know I’m in the right field?
Sorry for so much Nerdy(tm). It pays the bills and keeps me occupied. I can’t complain.
Originally published at The IggBlog. You can comment here or there.
so what can we (comcast customers, the general public) DO about it?
I’ve been trying to download a new OS boot disk and they always end up dead. Which makes me a bored but loyal ubuntu user.
You should be able to FTP that I think. Gibbon is coming out soon too, and I never have issues DLing dist upgrades through synaptec.
The goggles do nothing.
I was so tempted to play off this while I was posting, lol. Ur in mah head, quotin mah thotz!
Those total dicks! Well, they fired the first shot. May as well take cover, if not actively return fire.
block in log quick from <assholes> proto tcp RST
The packets it creates are ugly ugly packets. Here’s an example of what I think is Comcast doing its nastiness:
Oct 04 07:56:01.306025 rule 0/(match) block in on xl0: 68.202.132.197.60408 > 192.168.2.12.49159: R 0:0(0) win 0 [tos 0x20]
Oct 04 08:03:05.309221 rule 0/(match) block in on xl0: 68.202.132.197.60682 > 192.168.2.12.49159: R 0:0(0) win 0 [tos 0x20]
Oct 04 08:08:45.314836 rule 0/(match) block in on xl0: 68.202.132.197.60901 > 192.168.2.12.49159: R 0:0(0) win 0 [tos 0x20]
Oct 04 08:19:09.310823 rule 0/(match) block in on xl0: 68.202.132.197.61318 > 192.168.2.12.49159: R 0:0(0) win 0 [tos 0x20]
Notice the TCP sequence is all zeros. Packet filter sees this and is like “ummmm… no.” and blocks it (thus the entries in pflog). Even if there was a state entry for this host, pf checks TCP sequence against the known state and drops the packet if it’s out of sequence. in this case, the machine it was trying to talk to wasn’t even on. I was getting these RST packets from that source IP all day long (49159 is the one port I give the roommate for torrents, the tracker must cache “once available” hosts). Not sure why someone would try to start a conversation with “STFU lol”, but that’s what it amounts to. Another reason I think that is a forged packet and not one from a legit stack.
Still, I’m proud of pf. I was trying to think of a clever rule to block the “bad” packets without stopping all RST packets… turns out that job was being done for me. sucks that the other end of the torrent isn’t so diligent.
See, even when I try to forge a packet with nemesis, I get TCP sequence numbers.
Oct 06 09:29:21.280395 68.202.132.197.60408 > 192.168.2.2.49159: R 49646141:49646141(0) win 0 [tos 0x20]
Ya know, I bet if you characterized this as a “denial of service attack” and reported it to the right state/federal agencies or public utility commissions, Comcast would put into a very awkward position.
“the internet” found out about this and did the typical digg/slashdot/forum internet rage thing. Comcast backed down. they tried to dismiss that this ever happened and stated they won’t do it anymore going forward. I call BS since my LAN isn’t the only one still having issue with comcast torrents.
so… if you can figure this out, then is there some news station or better business type of organization that you can tip off?
I’ve always hated Comcast, actually :p
You should report them.
I just replied to something like this with the posts above you. There’s nobody to report them to, really… but they ARE an ISP after all. they really ought to adhere to “best practices” and avoid doing sketchy things. “TCP spoofing” is a dark art. Forging packets to sever connections is considered malicious activity. If I went around doing this, I would probably get my account dropped by comcast. Like most people interested in security, I’m able to do stuff like this but I know better (the command “nemesis tcp -v -S 68.202.132.197 -D 192.168.2.12 -w0 -fR -t0x20 -x 60408 -y 49159” will forge a packet almost identical to the ones I quoted above). ISPs should be even more diligent.
There’s always the FCC and state public utilities commissions.
Comcast’s stunt is analogous to a construction company saying “gee, there are too many cars driving on that road we paved last year. Better pre-emptively install some potholes and screw with the traffic lights so people won’t drive on it so much.”
Alas, the department of transportation actually regulates public roads. Private intarwebs service, not so much.