zuzu on 30 Oct 2007 22:18:04 -0000



Re: [PLUG] Taking a Whack Against Comcast

  • From: zuzu <sean.zuzu@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] Taking a Whack Against Comcast
  • Date: Tue, 30 Oct 2007 18:17:58 -0400
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

http://slashdot.org/articles/07/10/30/134255.shtml
http://www.dslreports.com/forum/r19252565-Problems-loading-google-DNS-issues-possibly
http://forums.somethingawful.com/showthread.php?threadid=2669968
http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf

Google Caught in Comcast Traffic Filtering?
Posted by Zonk on Tuesday October 30, @10:01AM
from the it's-the-craziest-thing dept.

marcan writes "Comcast users are reporting 'connection reset' errors
while loading Google. The problem seems to have been coming and going
over the past few days, and often disappears only to return a few
minutes later. Apparently the problem only affects some of Google's
IPs and services. Analysis of the PCAP packet dumps reveals several
injected fake RSTs, which are very similar to the ones seen coming
from the Great Firewall of China [PDF]. Did Google somehow get caught
up in one of Comcast's blacklists, or are the heuristics flagging
Google as a file-sharer due to the heavy traffic?"


http://slashdot.org/comments.pl?sid=344413&cid=21170235

iptables fake RST detector (Score:5, Interesting)
by EmagGeek (574360) <ehidle.ie-ap@org> on Tuesday October 30,
@10:18AM (#21170235)
(http://www.ie-ap.org/ | Last Journal: Tuesday March 28 2006, @06:27AM)
use connection tracking on this one:

iptables -I INPUT -j LOG -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate NEW,INVALID

The fake RST will probably not have a valid sequence number for the
established TCP connection, so the Linux stack will flag it as a NEW
connection, and the fact that you're getting a RST for a NEW
connection should be good enough alarm.

Or maybe it would also work with just the matching code

iptables -I INPUT -j LOG -p tcp -m tcp --tcp-flags RST RST -m state --state NEW,INVALID

What do y'all think?


http://en.wikipedia.org/wiki/Sandvine#Controversy

Controversy

Sandvine is reportedly used by Comcast to reduce the impact of
BitTorrent and other P2P traffic, but does so by sending forged RST
packets rather than traffic shaping. This interferes with other
network protocols, and potentially violates network neutrality as well
as fraud laws on the part of the ISP.

See also
    * Deep packet inspection
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
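
The sequence-number reasoning in the quoted Slashdot comment, written out as an added example that is not part of the original post or the comment: it tracks the next sequence number expected from the peer and flags inbound RSTs that fall outside the locally advertised receive window, including across the 2**32 wrap. The `Seg` record, the function names and the sample flow are constructed for illustration, and the tracker assumes an in-order capture of a single connection.

```python
from collections import namedtuple

MOD = 1 << 32  # TCP sequence numbers wrap at 2**32

# direction: "in" = from the remote peer, "out" = from the local host
Seg = namedtuple("Seg", "direction flags seq length window")

def in_window(seq, rcv_nxt, window):
    """True if seq lies in [rcv_nxt, rcv_nxt + window) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < max(window, 1)

def suspicious_rsts(segments):
    """Indexes of inbound RSTs whose seq is outside the local receive window.

    Simplification: assumes an in-order capture of one connection.
    """
    rcv_nxt = None   # next sequence number expected from the peer
    window = 0       # receive window last advertised by the local host
    flagged = []
    for i, s in enumerate(segments):
        if s.direction == "out":
            window = s.window
        elif "R" in s.flags:
            if rcv_nxt is None or not in_window(s.seq, rcv_nxt, window):
                flagged.append(i)
        elif rcv_nxt is None or s.seq == rcv_nxt:
            # SYN and FIN each consume one sequence number
            consumed = s.length + ("S" in s.flags) + ("F" in s.flags)
            rcv_nxt = (s.seq + consumed) % MOD
    return flagged

# Constructed sample flow (not from a real capture); peer ISN sits near wrap.
SAMPLE = [
    Seg("out", "S", 1000, 0, 65535),
    Seg("in", "SA", 0xFFFFFFF0, 0, 5840),
    Seg("out", "A", 1001, 0, 65535),
    Seg("out", "PA", 1001, 100, 65535),
    Seg("in", "PA", 0xFFFFFFF1, 32, 5840),   # rcv_nxt wraps to 17
    Seg("in", "R", 0x7A120000, 0, 0),        # far outside the window
    Seg("in", "R", 0xFFFFFFF5, 0, 0),        # stale: behind rcv_nxt
    Seg("in", "R", 17, 0, 0),                # exactly rcv_nxt: plausible
]

if __name__ == "__main__":
    print(suspicious_rsts(SAMPLE))
```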