
[SUGGESTION] Sandvine fix (The Complete Guide to bypassing Sandvine)


fieldju


Here is something that I found on a site that I am a member of.

My suggestion is to incorporate the solution below as a check box option into uTorrent,

thus solving the Comcast throttling issue for all uTorrent users.

----------------------------------------------------------------------------------

Here's a tut from the SBH threads! Hope this helps ya'll on Comcast!

A bit of a background to Comcast's Sandvine:

Comcast is blocking P2P traffic by using something called a Sandvine. Comcast searches for connections for file-sharing networks. When it finds a connection, comcast sends a "RST" packet to both your computer and the computer you are connecting to. The RST packet is telling both computers to "Reset" or "Close" the network connection. Thus, blocking any data from being sent over the connection. What this tutorial does here is sets your computer up to ignore any RST packets on your bittorrent port. DO NOT IGNORE RST PACKETS ON ALL PORTS - ONLY DO IT ON YOUR BITTORRENT PORT.

Make sure you ask questions here before doing anything you are unsure of. You have the ability to completely cut yourself off from the internet using this.

ALSO NOTE: You must use a single port for using bittorrent. This will not work if you have your client use a "random" port.

------------------------------------------------------------------------------------------


Important!

This isn't just for Comcast users. It appears that sandvine sends RSTs to both the seeder and the leecher. Therefore, if you want to download from anyone who is on comcast, you have to do this fix, or something similar, as well.

-----------

I know there are a lot of us using comcast, and the tutorial (http://redhatcat.somewhere.com/2007/09/beating-sandvine-on-windows-with-wipfw.html) leaves out some important stuff... but not to fear, here's a complete guide to setting up WIPFW on Windows 2000 and XP. If you're having any problems, post 'em here and I'll have a solution for you in no time.

You MUST do this at a local console, as it will block all VNC/Remote Desktop connections by default.

This has only been tested on Windows 2000 & XP, with Vista YMMV.

Step 1:

Download WIPFW from sourceforge http://downloads.sourceforge.net/wipfw/

Step 2:

Unzip to C:\Program Files\WIPFW

Step 3:

If you want a "default deny", double click "install-deny.cmd". Network activity WILL be cut off at this point.

If you want a "default allow", double click "install.cmd".

A default deny means that ALL data will be BLOCKED by default. If you are behind a router (or any other firewall) that has a firewall already built in, use default allow (Because your router is blocking the bad stuff anyway).

Step 4 (Windows XP only):

Start -> Control Panel -> Security Center -> Windows Firewall

Turn Windows Firewall OFF and click OK

Then, in the security center, click "Recommendations..." under the (now red) firewall header.

Check "I have a firewall solution that I'll monitor myself" and click OK

Step 5:

Save the following text in the file %systemroot%\System32\drivers\etc\protocol (%systemroot% is the windows directory). NOTE: This text may already be there. If so, just ignore this step.

QUOTE(protocol)

# Copyright © 1993-1999 Microsoft Corp.
#
# This file contains the Internet protocols as defined by RFC 1700
# (Assigned Numbers).
#
# Format:
#
# <protocol name> <assigned number> [aliases...] [#<comment>]
ip 0 IP # Internet protocol
icmp 1 ICMP # Internet control message protocol
ggp 3 GGP # Gateway-gateway protocol
tcp 6 TCP # Transmission control protocol
egp 8 EGP # Exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # User datagram protocol
hmp 20 HMP # Host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
rvd 66 RVD # MIT remote virtual disk

Step 6:

Open C:\Program Files\WIPFW\wipfw.conf in notepad and replace the contents with the following:

NOTE: Make sure you replace "*****" with the port that your bittorrent client uses!

If you are using the Default Deny:

QUOTE

#################
#
# wipfw.conf
# Replace ***** with your bittorrent port
#
#################

# First flush the firewall rules
-f flush

# Localhost rules
add 100 allow all from any to any via lo*

# Prevent any traffic to 127.0.0.1, common in localhost spoofing
add 110 deny log all from any to 127.0.0.0/8 in
add 120 deny log all from 127.0.0.0/8 to any in

# Drop incoming packets with RST flag on BitTorrent port
# This is what thwarts Sandvine.
add deny tcp from any to me ***** tcpflags rst

# Setup stateful filtering
add check-state
add pass all from me to any out keep-state
add count log ip from any to any

# Allow new incoming BitTorrent connections
add pass tcp from any to any *****
add pass udp from any to any *****

If you are using the Default Allow:

QUOTE

#################
#
# wipfw.conf
# Replace ***** with your bittorrent port
#
#################

# First flush the firewall rules
-f flush

# Drop incoming packets with RST flag on BitTorrent port
# This is what thwarts Sandvine.
add deny tcp from any to me ***** tcpflags rst

Step 7:

If you are using a default deny, you will have to change the config to allow other network data through your network with any of the following rules (just add these rules to the end of wipfw.conf)

QUOTE(File & Print Sharing)

# Replace 192.168.0.0/24 with your local subnet and mask
# Allow Microsoft SMB file sharing w/ NetBIOS
add pass tcp from 192.168.0.0/24 to me 135-139
add pass udp from 192.168.0.0/24 to me 135-139
# Allow direct-hosted SMB w/out NetBIOS
add pass tcp from 192.168.0.0/24 to me 445
add pass udp from 192.168.0.0/24 to me 445

QUOTE(VNC)

# Enable VNC
add pass tcp from any to me 5800-5801
add pass tcp from any to me 5900-5901

QUOTE(Remote Desktop)

# Allow RDP/Terminal Services connections
add pass tcp from any to me 3389

QUOTE(SSH server)

# Allow incoming SSH
add pass tcp from any to me 22

QUOTE(DNS server)

# Allow incoming DNS
add pass udp from any to me 53

QUOTE(Web server)

# Allow incoming WWW
add pass tcp from any to me 80

QUOTE(FTP server)

# Allow incoming FTP
add pass tcp from any to me 21

More ports for other network services can be found here.

Save wipfw.conf when you're done.

Step 8:

Start -> Run

Type CMD.exe and press enter.

run the following two commands

>net stop ipfw

>net start ipfw

All done!

----------------------------------------------------------------------------------

********* PLEASE NOTE **********

The above solution will only work if applied on a global scale because

Quote:

As per my understanding of Sandvine, it only works if everyone installs that kind of fix. From what I've read, Sandvine sends a perfectly forged RST(-flagged) packet to both parties, which makes both users believe the other one wants to disconnect, e.g.

A to B: "gtg, bye"

B to A: "gtg, bye"

If A installs the fix, A will disregard the RST flag allegedly sent by B, knowing that it's actually Sandvine messing with them.

But if B does not have a similar fix, B will not disregard the flag and will disconnect from A.

Therefore, both A and B must disregard those packets.

Quote:

Maybe someone should make a quick app that only does the "add deny tcp from any to me ***** tcpflags rst" so that non-computer-literate peeps can just install it as a uTorrent plugin, or perhaps uTorrent can add it in as an option such as they have with encryption, because from what I have read Comcast does not internally forge RST packets, meaning they do nothing to block traffic from one Comcast user to another Comcast user. So all parties on the torrent need to block the RST packets on the uTorrent port.

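As an added illustration (not from the original post, the SBH tutorial or WIPFW itself), the following Python models the first-match evaluation of the two BitTorrent rules from the wipfw.conf above over constructed packets: an injected RST to the BitTorrent port is dropped, a legitimate SYN to that port still passes, and an RST to any other port is still honoured, which is exactly why the tutorial restricts the rule to a single port. The BitTorrent port 6881 and the two IP addresses are assumed sample values.

```python
import struct

# Assumed BitTorrent listening port, standing in for the tutorial's "*****".
BT_PORT = 6881
TCP, RST, SYN, ACK = 6, 0x04, 0x02, 0x10

def build_packet(src_ip, dst_ip, sport, dport, flags, proto=TCP):
    """Constructed IPv4 + 20-byte TCP-style header (no options, no payload) as test input."""
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + l4

def parse_packet(pkt):
    """Return (proto, dst_port, tcp_flags); port and flags are None unless the packet is TCP."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    if proto != TCP:
        return proto, None, None
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, dport, pkt[ihl + 13]  # TCP flags byte sits at TCP offset 13

# First-match table mirroring the two BitTorrent rules in the tutorial's wipfw.conf:
# (action, proto or None for "all", dst port or None for "any", TCP flags that must be set).
RULES = [
    ("deny", TCP, BT_PORT, RST),   # add deny tcp from any to me ***** tcpflags rst
    ("pass", TCP, BT_PORT, 0),     # add pass tcp from any to any *****
]

def filter_packet(pkt, rules=RULES, default="pass"):
    """First matching rule decides, as in ipfw; default='pass' models install.cmd,
    default='deny' models install-deny.cmd."""
    proto, dport, flags = parse_packet(pkt)
    for action, r_proto, r_port, r_flags in rules:
        if (r_proto is not None and r_proto != proto) or (r_port is not None and r_port != dport):
            continue
        if r_flags and (flags is None or (flags & r_flags) != r_flags):
            continue
        return action
    return default

def demo(default="pass"):
    host, peer = "192.168.0.10", "203.0.113.5"   # constructed addresses
    cases = {
        "injected_rst_to_bt_port": build_packet(peer, host, 51413, BT_PORT, RST | ACK),
        "legit_syn_to_bt_port": build_packet(peer, host, 51413, BT_PORT, SYN),
        "rst_to_other_port": build_packet(peer, host, 443, 50000, RST | ACK),
    }
    return {name: filter_packet(p, default=default) for name, p in cases.items()}
```

With demo("deny") the third packet is dropped as well, but only because under install-deny.cmd nothing admits port 50000 at all.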

You didn't read the whole post because that issue is addressed at the beginning and at the end. Basically, to sum it up, if the solution was integrated into uTorrent it would work for anyone who used uTorrent. A very large majority of torrent users use uTorrent so it would make a big difference and other clients would follow the lead.

I fully believe this is a viable solution to the Comcast Bittorrent Throttling / Blocking issue.


fieldju, it's working for me but I'm getting huge up and down speeds.

One minute it's 40 to 100 kbps, then 0 for like 60 seconds.

But this is good.... right after I did this my uploads actually started uploading :)

Thanks for this

Edit: so now it's back to the way it was before.. do I need to redo this process?


I didn't see it anywhere in the above posts, so I just wanted to note that what Comcast does affects people who've finished a download and are only seeding that download (and obviously the people they're trying to upload to). The proposal above is a good idea, and I hope it'll be implemented in future releases. If people with Comcast are having trouble seeding, one method that should work (if CC hasn't changed how they're screwing everything up) is to stop a download at 99% (or a little less) and to just "seed" the torrent for a while in that state. You won't actually be designated as a seeder (by Bittorent clients) b/c the download hasn't reached 100%, so you should be able to upload to your full capacity.

Obviously you'll want to finish the download at some point so you can use the file, but if you know any programming or have a file splitter you could always copy the file so you can use it, and then cut the end off of the original being seeded so that the next time it's hash-checked it once again goes under the "non-seeding" category. (sry I have run-on sentences >_>)

If I understand it correctly Comcast's method works by sending a message to the seeder's computer saying the person they're trying to upload to doesn't need them, and does the same thing for leecher - although how that would make any sense eludes me, as a seeder is supposed to have the whole file so they should be useful to anyone else who isn't also a seeder.

W/e, hopefully CC will get their asses sued for Net Neutrality reasons and have to stop what they're doing. Does anyone know if encryption has any effect on this? I guess if the packet that identifies someone as a seeder isn't encrypted then it wouldn't stop CC's method... yeah... not a protocol analyst (yet) ;)

Cheers


  • 1 month later...

About Peer Guardian... Yes, it's true. It does block a lot of legitimate traffic, but then you put a permanent allow on that IP.

The problem with me is that I'm behind a router that during the day is set to block P2P. Forced protocol encryption and the problem is partially solved. During that blockade, the torrent tracker is blocked. While DHT is working, there are not many problems, but if a torrent doesn't have DHT, that brings me to the manually added peers whose IPs and ports I collected during the night. :/ That also is not a problem with guys with static IPs and non-random ports. Then, the question is... can these settings solve my problem?

Or... protocol encryption on the torrent tracker :lol:


Well, when torrent functioning is at stake... "losing" stats is the least concern. The bigger problem then is how to wake up an offline (timeout) tracker during a P2P blockade? While DHT is enabled, there is no problem, I'll get peers even if the tracker is blocked. But if that specific torrent has DHT disabled... :/

Now, does anybody know, is that related to sending a connection reset, to me or to the tracker? And then, do trackers have protection from connection reset implemented? As I see it, turning on my protection from connection reset will do nothing if trackers don't have the same setting...


  • 4 months later...

Right, I think I read in the beginning of this thread somewhere. I'm definitely seeing speed improvements on some torrents with the wipfw install, but it is not consistent across torrents. Some peers continue to drop, but other peers I am able to receive requests from and send pieces to. Why would that be?

