Tuesday, January 1, 2008

Overriding Comcast's Throttling (Getting around Sandvine)

Windows Users


This isn't just for Comcast users. It appears that Sandvine sends RSTs to both the seeder and the leecher, so if you want to download from anyone who is on Comcast, you have to apply this fix (or something similar) as well.


I know there are a lot of us using Comcast, and the tutorial here leaves out some important stuff... but not to fear, here's a complete guide to setting up WIPFW on Windows 2000 and XP. If you're having any problems, post 'em here and I'll have a solution for you in no time.

You MUST do this at a local console, as it will block all VNC/Remote Desktop connections by default.

This has only been tested on Windows 2000 and XP; on Vista, YMMV.

Step 1:

Download WIPFW from sourceforge

Step 2:

Unzip to C:\Program Files\WIPFW

Step 3:

Run install-deny.cmd

Any windows file sharing, remote desktop, or VNC connections WILL be cut off at this point.

Step 4 (Windows XP only):

Start -> Control Panel -> Security Center -> Windows Firewall

Turn Windows Firewall OFF and click OK

Then, in the security center, click "Recommendations..." under the (now red) firewall header.

Check "I have a firewall solution that I'll monitor myself" and click OK

Step 5:

Save the following text in the file %systemroot%\System32\drivers\etc\protocol (%systemroot% is the windows directory)

protocol wrote:

# Copyright © 1993-1999 Microsoft Corp.
# This file contains the Internet protocols as defined by RFC 1700
# (Assigned Numbers).
# Format:
# <protocol name> <assigned number> [aliases...] [#<comment>]

ip 0 IP # Internet protocol
icmp 1 ICMP # Internet control message protocol
ggp 3 GGP # Gateway-gateway protocol
tcp 6 TCP # Transmission control protocol
egp 8 EGP # Exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # User datagram protocol
hmp 20 HMP # Host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
rvd 66 RVD # MIT remote virtual disk

Step 6:

Open C:\Program Files\WIPFW\wipfw.conf in notepad and replace the contents with the following:


# wipfw.conf
# Replace 55259 with your bittorrent port

# First flush the firewall rules
-f flush

# Localhost rules
add 100 allow all from any to any via lo*

# Deny inbound traffic to or from the loopback network (127.0.0.0/8), which is common in localhost spoofing
add 110 deny log all from any to 127.0.0.0/8 in
add 120 deny log all from 127.0.0.0/8 to any in

# Drop incoming packets with RST flag on BitTorrent port
# This is what thwarts Sandvine.
add deny tcp from any to me 55259 tcpflags rst

# Setup stateful filtering
add check-state
add pass all from me to any out keep-state
add count log ip from any to any

# Allow new incoming BitTorrent connections
add pass tcp from any to any 55259
add pass udp from any to any 55259

Step 7:

Season to taste with any of the following rules (append at the end of the file):

File & Print Sharing wrote:

# Replace <subnet/mask> with your local subnet and mask, e.g. 192.168.1.0/24

# Allow Microsoft SMB file sharing w/ NetBIOS
add pass tcp from <subnet/mask> to me 135-139
add pass udp from <subnet/mask> to me 135-139

# Allow direct-hosted SMB w/out NetBIOS
add pass tcp from <subnet/mask> to me 445
add pass udp from <subnet/mask> to me 445

VNC wrote:

# Enable VNC
add pass tcp from any to me 5800-5801
add pass tcp from any to me 5900-5901

Remote Desktop wrote:

# Allow RDP/Terminal Services connections
add pass tcp from any to me 3389

SSH server wrote:

# Allow incoming SSH
add pass tcp from any to me 22

DNS server wrote:

# Allow incoming DNS
add pass udp from any to me 53

Web server wrote:

# Allow incoming WWW
add pass tcp from any to me 80

FTP server wrote:

# Allow incoming FTP
add pass tcp from any to me 21

More ports can be found here

Save wipfw.conf when you're done.

Step 8:

Start -> Run

Type CMD.exe and press enter.

Run the following two commands:

>net stop ipfw

>net start ipfw

Step 9 (New!):

How to use a static source port in uTorrent:

Preferences -> Advanced

Set net.outgoing_port to the port on which you are blocking RSTs.

Click OK

And you're done!

Mac OSX Users

For Mac OSX users, you can JUST do the following:

1) Open Terminal
2) type:

sudo /sbin/ipfw -f flush

This will FLUSH all of the firewall rules you currently have set, so if you have a custom setup, such as the one at http://oink.cd/redir.php?url=http://www.ib...acsupport/ipfw/, it will remove everything. Be careful, or skip this step if you aren't sure.

3) REPLACE the ***PORT NUMBER*** in the statement below with a port you are using for bittorrent
then type:
sudo /sbin/ipfw -f add deny tcp from any to me ***PORT NUMBER*** tcpflags rst

4) type:
sudo /sbin/ipfw list

It should list the entry with something like:

##### deny tcp from any to me dst-port ***PORT NUMBER*** tcpflags rst

If you see the above, you are currently blocking Sandvine's attempts at sending RST packets to you, but keep in mind that the people on the other end *ALSO* need to be blocking this in order for it to work properly. It's not a complete solution, but it's one that will at least give you a modicum of uploading.

The other solution is to use a tunneling service, which would work much better, but requires either 1) a shell account with the ability to do this or 2) paying for a proxy service like Secure Tunnel.
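Both the Windows wipfw.conf in Step 6 and the single Mac OSX deny rule above depend on ipfw's first-match evaluation, and in particular on the RST-deny rule sitting before check-state, so that a reset is dropped even when it belongs to a flow the keep-state rule has already opened. The Python model below is an added example, not code from this page or from the WIPFW/ipfw projects: it implements that evaluation order for the stateful TCP rules of Step 6 (loopback rules 100-120 left out), with constructed rule numbers, addresses and packets, and also shows what happens if the RST rule is placed after check-state.

```python
# Added example (not from the page, WIPFW or ipfw): a small first-match evaluator for
# the stateful TCP rules of the page's wipfw.conf, showing why the RST-deny rule has
# to precede check-state. Rule numbers, addresses and traffic below are constructed.
RULES = """
add 130 deny tcp from any to me 55259 tcpflags rst
add 140 check-state
add 150 pass all from me to any out keep-state
add 160 count log ip from any to any
add 170 pass tcp from any to any 55259
""".strip().splitlines()

def parse_rule(line):  # 'add [num] action [log] proto from SRC to DST [dport] [options...]'
    t = [x for x in line.split()[1:] if x != "log"]
    if t[0].isdigit(): t = t[1:]
    if t[0] == "check-state": return {"action": "check-state", "opts": []}
    rest = t[t.index("to") + 2:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return {"action": t[0], "proto": t[1], "src": t[3], "dst": t[5], "dport": dport, "opts": rest}

def matches(r, p, me):  # stateless match; 'me' is our own address, p['dir'] is 'in' or 'out'
    o, host_ok = r["opts"], lambda spec, a: spec == "any" or (spec == "me" and a == me)
    return (r["proto"] in ("all", "ip", p["proto"]) and host_ok(r["src"], p["src"])
            and host_ok(r["dst"], p["dst"]) and r["dport"] in (None, p["dport"])
            and ("in" not in o or p["dir"] == "in") and ("out" not in o or p["dir"] == "out")
            and ("tcpflags" not in o or o[o.index("tcpflags") + 1] in p["flags"]))

def flow_key(p):  # dynamic-rule key: (proto, local addr, local port, remote addr, remote port)
    src, dst = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (p["proto"],) + (src + dst if p["dir"] == "out" else dst + src)

def evaluate(rules, p, me, state):  # first match wins; 'count' never terminates; default deny
    for r in rules:
        if r["action"] == "check-state":
            if flow_key(p) in state: return "pass"
            continue
        if not matches(r, p, me) or r["action"] == "count": continue
        if "keep-state" in r["opts"]: state.add(flow_key(p))  # remember the flow
        return "pass" if r["action"] in ("pass", "allow", "accept") else "deny"
    return "deny"

def demo(rst_rule_first=True, me="10.0.0.5", peer="203.0.113.9"):
    rules, state = [parse_rule(l) for l in RULES], set()
    if not rst_rule_first: rules.insert(1, rules.pop(0))  # RST-deny moved behind check-state
    pk = lambda src, sp, dst, dp, d, *f: dict(proto="tcp", src=src, sport=sp, dst=dst, dport=dp, dir=d, flags=set(f))
    v = lambda p: evaluate(rules, p, me, state)
    return {"out_syn": v(pk(me, 55259, peer, 6881, "out", "syn")),        # we connect out from the static port (Step 9)
            "in_rst_on_flow": v(pk(peer, 6881, me, 55259, "in", "rst")),  # the injected reset on that flow
            "in_ack_on_flow": v(pk(peer, 6881, me, 55259, "in", "ack")),  # real data on that flow
            "in_new_syn": v(pk(peer, 40000, me, 55259, "in", "syn")),     # a fresh inbound peer
            "in_rdp_syn": v(pk(peer, 40001, me, 3389, "in", "syn"))}      # anything else: default deny
```

demo() returns the verdict for each constructed packet; with demo(rst_rule_first=False) the reset on the open flow comes back "pass", because check-state then matches the dynamic rule before the deny is ever reached.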

1 comment:

Eric hoffman said...

Nice info for fighting back against traffic shaping, hopefully more people will catch on to this technique rendering sandvine useless.