Comcast Forging Packets To Filter Torrents

An anonymous reader writes "It's been widely reported by now that Comcast is throttling BitTorrent traffic. What has escaped attention is the fact that Comcast, like the Great Firewall of China, uses forged TCP Reset (RST) packets to do the job. While the Chinese government can do what they want, it turns out that Comcast may actually be violating criminal impersonation statutes in states around the country. Simply put, while it's legal to block traffic on your network, forging data to and from customers is a big no-no."
  • by unity100 ( 970058 ) on Tuesday September 04, 2007 @04:58PM (#20469659) Homepage Journal
    say it! and add a "lawsuit" to the end. Such "companies" deserve it.
    • The question would be who could be a party to the lawsuit. Could someone that's not a customer but peered BT's to Comcast customers seek damages? All that would be needed for proof would be a peer's IP belonging to Comcast. Right?
      • by click2005 ( 921437 ) on Tuesday September 04, 2007 @05:06PM (#20469811)
        There are a lot of legal bittorrent downloads. Most linux distros are available this way as well as a large number of public domain movies.
        • I believe the WoW patcher uses a bittorrent model, as well.

          Considering there are something like 2 million plus users in the U.S. alone, that would add up to a lot of traffic each patchday!
        • Re: (Score:3, Interesting)

          by Fizzlewhiff ( 256410 )
          I haven't noticed decreased speeds when grabbing torrents and I use Comcast. I grabbed an Ubuntu ISO just last week and it was speedy quick. I wonder if they are only throttling those who are using obscene amounts of bandwidth.
    • Re: (Score:3, Insightful)

      by ajs ( 35943 )
      If they attack any and all Torrents this way, then their users should build a case based on the blocking of major Linux distribution downloads from Fedora, SuSE and Ubuntu and make a class action out of it, certainly! This is a clear violation of their ToS, at least as I read it a few years ago when I was a customer. If it has changed, then perhaps someone could post the relevant quote from it here? Please, not the whole thing.
      • Re: (Score:3, Insightful)

        by Karzz1 ( 306015 ) *
        The problem is, as I see it, that their ToS is "fluid". In other words, the ToS can be changed at any time by the company. Whether or not this is in fact legal remains to be seen, but I suspect that it probably is (at least in the U.S. which is where I assume we are referring).
        • Re: (Score:3, Informative)

          by ajs ( 35943 )

          The problem is, as I see it, that their ToS is "fluid". In other words, the ToS can be changed at any time by the company. Whether or not this is in fact legal remains to be seen, but I suspect that it probably is (at least in the U.S. which is where I assume we are referring).

          Recent decisions [] have changed the playing-field for revisions to contracts over the Web. Unless Comcast sent their updates out to customers, I'm not sure the updates will hold up.

          • Re: (Score:3, Informative)

            by tlhIngan ( 30335 )

            The problem is, as I see it, that their ToS is "fluid". In other words, the ToS can be changed at any time by the company. Whether or not this is in fact legal remains to be seen, but I suspect that it probably is (at least in the U.S. which is where I assume we are referring).

            Recent decisions have changed the playing-field for revisions to contracts over the Web. Unless Comcast sent their updates out to customers, I'm not sure the updates will hold up.

            Two different issues, actually. The ToS terms are very

  • Is it just for throttling bit torrent traffic? Can't it also be used to report on potentially illegal bit torrent transfers, as well as legal ones?
    • by Penguinisto ( 415985 ) on Tuesday September 04, 2007 @05:55PM (#20470615) Journal

      Is it just for throttling bit torrent traffic? Can't it also be used to report on potentially illegal bit torrent transfers, as well as legal ones?

      If any ISP did, it would kiss away any hope of a DMCA safe-harbor claim. As an ISP or other such party, if you know about it, you're supposed to stop it, not throttle it. Not stopping it immediately upon discovery and confirmation IIRC constitutes complicity.


  • by Creepy Crawler ( 680178 ) on Tuesday September 04, 2007 @05:01PM (#20469719)
    But when these huge companies work with other huge companies AND government agencies like the FBI and CIA, do you think you even have a chance in Hell?

    Like many have said before me, we need to go pure encrypted communications to prevent this kind of violation. TOR, WASTE, and Linux based encryption techniques allows us these kind of tools to defend against attackers: our very providers of bandwidth.

    • do you think you even have a chance in Hell?

      Then again, Rosa Parks [] had no legal right to keep her bus seat from a white guy. And yet, she did.

      If you don't stand up and fight for your rights, who else will?
      • Re: (Score:2, Insightful)

        by nuzak ( 959558 )
        There are legal torrents. Comcast is certainly screwing you. That said:

        I may not have known Rosa Parks, Rosa Parks wasn't a friend of mine, but I can say with pretty god damn clear certainty that you are no Rosa Parks.
        • by WindBourne ( 631190 ) on Tuesday September 04, 2007 @05:50PM (#20470531) Journal
          First, Spyder was not saying that he was Rosa, but even ignoring that, why do you say with certainty that this is not the same? This is standing up to a MUCH bigger bully who is trying to take what is not theirs. It was no different than when the geek stood up to a circuit city store and then the police. That is a case that may make a difference, as might this (keeping our rights from those that would gladly steal them). You can bet that at the time of Rosa, the locals just thought it was a silly disturbance.
          • by PCM2 ( 4486 )

            This is standing up to a MUCH bigger bully who is trying to take what is not theirs.

            You mean like your right to vote; your right to go to school, even to learn to read; your right to use the same public facilities as people of different races than you; your right not to be strung up on a tree by your neck until dead and then have your body burnt in effigy -- is that that kind of thing these big, bad bully cable companies are taking from you?

            Or is it more like you buying a car with a speedometer that go

    • Re: (Score:3, Informative)

      by ajs ( 35943 )

      But when these huge companies work with other huge companies AND government agencies like the FBI and CIA, do you think you even have a chance in Hell?

      Cases are won against the Federal Government on a regular basis. The question is, what kind of service should these users expect? They are sold a service that says they get fast downloads, and so they try to download something and it's not only fast, but blocked. I see no reason that Comcast, even if assisted by the Federal Government, could justify that.

    • My SELinux Torrent should trump both the FBI and the FBI, the NSA is way more l33t and spookier than those CIA lamers, NSA RULEZ!
  • I am thinking that the vendor of their routers probably didn't disclose this bit of information.... Oops...
  • Technical merit? (Score:5, Interesting)

    by WPIDalamar ( 122110 ) on Tuesday September 04, 2007 @05:05PM (#20469787) Homepage
    Legal questions aside, is there some technical merit to sending a RST instead of just blocking the packets? Is it less expensive to the ISP or something? I don't understand why they're doing it.
    • Re:Technical merit? (Score:5, Informative)

      by bagboy ( 630125 ) on Tuesday September 04, 2007 @05:10PM (#20469879)
      Blocking bittorrent causes the client to find other open ports (if you are using port-based blocking). As an ISP, by throttling it way back to almost nil, but keeping it as an established connection, you have a better chance at keeping bittorrent traffic from overcoming your own upstream/downstream connection to your provider.
    • Why they're doing it... because linux can get around this??
    • Yeah, it works better. Sending a RST packet closes the TCP connection. Just eating the packet would cause the computer to resend it, creating more traffic on the network. The forged-RST attack is "fire and forget." You identify a TCP connection that has bad traffic in it, and then you target the connection. It doesn't require matching every packet, you can instead look for patterns of packets that indicate types of traffic you dislike, and then just terminate it, and move on to the next connection. It may use deep-packet inspection, but it's not a 'packet blocking' attack. It's better, because it avoids having the computers retransmit packets that just contribute to the traffic you need to screen.

      It's a fairly insidious way to block traffic, which is why the Chinese do it. Frankly it's a fundamental weakness of TCP: it wasn't really designed to cope with hostile intermediate nodes. (Flaky ones, sure, but not hostile ones.) You could configure your computer to reject RST packets, but then you'd end up leaving connections open all over the place and cause all sorts of other problems. It's not something that you can trivially work around.
      • by Vellmont ( 569020 ) on Tuesday September 04, 2007 @05:53PM (#20470593) Homepage

        You could configure your computer to reject RST packets, but then you'd end up leaving connections open all over the place and cause all sorts of other problems. It's not something that you can trivially work around.

        How about just wait until some specified timeout and see if you receive any other packets? If someone sends RST, but you receive a bunch more packets, there's a very good chance the RST was faked. Better yet, wait for timeout1, then wait timeout2 for any more packets. (Since packets can be received out of order). Then if you receive more packets during timeout2, ignore the RST. I'd say that's pretty trivial. It could even be implemented on a NAT router so you wouldn't even have to modify your OS.
        • Both ends (Score:3, Informative)

          by Anonymous Coward
          They send the RST to both ends. It's no good unless both do it.

          Then again, if anyone figures out a way to stop it, they could advertise that they're plagued by that curse as part of the BT protocol and only bother conversing with those who can handle it. It should still be obvious that someone is sending data to a connection that should've been reset.

          Then again, NATs and things like that in between could go crazy, because the 2nd packet could be lost long before it ever gets to your computer...
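          The hold-and-watch rule proposed above (and the reply's point that data still arriving on a supposedly reset connection gives the RST away) can be turned into a passive detector. The following is an added example, not code from the thread or from any ISP's or content filter's product; it runs over constructed packet records rather than a live capture, and the `Packet` layout, the timeouts and the extra TTL-consistency check are assumptions of this example (the TTL check goes beyond what the thread proposes).

```python
# Added example (not from the thread): score TCP RSTs with the hold-and-watch rule
# proposed above. An RST is held for timeout1 + timeout2; if the same peer keeps
# sending new in-sequence data within that window, the RST is judged forged. Extra
# signal beyond the thread: an RST whose IP TTL was never seen from that sender (an
# injecting middlebox sits a different hop count away). Layout and data are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port), one direction
Verdict = Tuple[FlowKey, float, str]  # (flow, RST timestamp, reason)


@dataclass
class Packet:          # minimal view of one captured TCP segment (assumed layout)
    ts: float          # capture time in seconds
    flow: FlowKey
    flags: str         # TCP flag letters, e.g. "PA", "R", "RA"
    seq: int           # sequence number of the first payload byte
    payload: int       # payload length in bytes
    ttl: int           # IP TTL as seen by the observer


@dataclass
class FlowState:
    next_seq: Optional[int] = None          # next new byte expected from this sender
    ttls: Set[int] = field(default_factory=set)
    pending_rst: Optional[Packet] = None    # RST being held for the grace window


class ForgedRstDetector:
    def __init__(self, timeout1: float = 0.5, timeout2: float = 1.0) -> None:
        self.window = timeout1 + timeout2
        self.flows: Dict[FlowKey, FlowState] = {}
        self.verdicts: List[Verdict] = []

    def _expire(self, key: FlowKey, st: FlowState, now: float) -> None:
        # Grace window elapsed with no further data: the RST was presumably real.
        rst = st.pending_rst
        if rst is not None and now - rst.ts > self.window:
            self.verdicts.append((key, rst.ts, "genuine"))
            st.pending_rst = None

    def feed(self, p: Packet) -> None:
        st = self.flows.setdefault(p.flow, FlowState())
        self._expire(p.flow, st, p.ts)
        if "R" in p.flags:
            if st.ttls and p.ttl not in st.ttls:
                self.verdicts.append((p.flow, p.ts, "forged-ttl"))
            elif st.pending_rst is None:
                st.pending_rst = p          # hold it instead of tearing down the flow
            return
        st.ttls.add(p.ttl)
        if p.payload == 0:
            return
        # Only new bytes count; a reordered retransmission of old data is not evidence.
        new_data = st.next_seq is None or p.seq >= st.next_seq
        if new_data:
            st.next_seq = p.seq + p.payload
        rst = st.pending_rst
        if rst is not None and new_data and p.ts - rst.ts <= self.window:
            self.verdicts.append((p.flow, rst.ts, "forged-data-after-rst"))
            st.pending_rst = None

    def finish(self) -> List[Verdict]:
        # End of capture: an RST still on hold saw no later data from its sender.
        for key, st in self.flows.items():
            if st.pending_rst is not None:
                self.verdicts.append((key, st.pending_rst.ts, "genuine"))
                st.pending_rst = None
        return self.verdicts


def analyze(packets: List[Packet], timeout1: float = 0.5, timeout2: float = 1.0) -> List[Verdict]:
    det = ForgedRstDetector(timeout1, timeout2)
    for p in sorted(packets, key=lambda x: x.ts):
        det.feed(p)
    return det.finish()


def sample_capture() -> List[Packet]:
    """Constructed sample: three peers seeding to 192.0.2.10 (documentation addresses)."""
    f1 = ("10.0.0.2", 6881, "192.0.2.10", 51000)      # RST then more in-sequence data
    f2 = ("198.51.100.7", 6881, "192.0.2.10", 51001)  # RST with a never-seen TTL
    f3 = ("203.0.113.9", 6881, "192.0.2.10", 51002)   # RST followed by silence
    return [
        Packet(0.00, f1, "PA", 1000, 100, 52), Packet(0.10, f1, "PA", 1100, 100, 52),
        Packet(0.15, f1, "R", 1200, 0, 52), Packet(0.40, f1, "PA", 1200, 100, 52),
        Packet(0.05, f2, "PA", 5000, 200, 58), Packet(0.20, f2, "R", 5200, 0, 61),
        Packet(0.08, f3, "PA", 7000, 50, 47), Packet(0.30, f3, "R", 7050, 0, 47),
    ]
```

          Because each side only sees its own direction of the flow, each endpoint (or a NAT box in front of it) has to run this independently, which is the "both ends" limitation the reply above points out.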
  • Forged RST packets (Score:5, Insightful)

    by ACMENEWSLLC ( 940904 ) on Tuesday September 04, 2007 @05:05PM (#20469789) Homepage
    We use a popular web content filter. The way it works is by doing the same thing. So when we are blocking traffic, we block it by issuing a forged RST. It's either do this, or place the content filter inline ACTIVE. Right now it is passive It does packet capturing and RST to block. If it's down, then traffic still flows. If it were active, we could simply drop the traffic and not forge the RST. But performance and uptime are horrible on many products when these are inline.

    Initially this sounded a lot worse to me.
    • by Opportunist ( 166417 ) on Tuesday September 04, 2007 @05:33PM (#20470251)
      The difference is most likely that you're the endpoint of the traffic. When traffic comes to me, it's my business what I send in reply. A RST, nothing or a "thanks for sexual services".

      Comcast is the carrier. They have no business sending RST packages. Their business is to transfer packets to and from you. If you allow them to manipulate your packets (which this essentially is, injection of packets is by no means different from altering them, it changes the data stream and the information transmitted), you can never be sure that what you sent is what arrived on the other end.
  • by poetmatt ( 793785 ) on Tuesday September 04, 2007 @05:07PM (#20469827) Journal
    take a look at [] and you will note that plenty of examples of this impersonation exist. They disconnect by impersonation after about 10 seconds of seeding, and it seems to be courtesy of Sandvine. Gotta love lack of net neutrality here, although I am not in favor of extreme net neutrality, some would be, well, nice.
  • by Cheesey ( 70139 ) on Tuesday September 04, 2007 @05:09PM (#20469869)
    Last time this piece of news was discussed [], someone helpfully posted a solution [] for your Linux firewall.
  • If no one prosecutes.

    This one stands an extremely low probability of actually improving comcast's service from a consumer-geek perspective. Quick and dirty reasons why:

    1. Comcast is in up to their necks with municipal politicians. They need campaign contributions from Comcast.
    2. Comcast is in up to their necks with state politicians too.
    3. What's the penalty here? Certainly not meaningful enough to warrant the expense of a trial.
    4. Since when do consumers Comcast's terms of service? They'll spew the usu
  • by iONiUM ( 530420 ) on Tuesday September 04, 2007 @05:12PM (#20469923) Journal
    I'm so glad I live in Canada.
  • Good heavens... (Score:3, Insightful)

    by Otter ( 3800 ) on Tuesday September 04, 2007 @05:13PM (#20469933) Journal
    ...forging data to and from customers is a big no-no...

    I realize that to the nerdish mind falsifying the sender of an IP packet is equivalent to "impersonating another", but no sane prosecutor would ever make such a case.

    • I agree. This is exactly what I thought when I read the article submitter's summary. If I had mod points I would mod you up.
    • Show me a prosecutor who knows a thing about TCP/IP and isn't just listening to the first person talking to him and we'll talk.
    • Why not? Comcast is, by sending out fraudulent packets, sending information which states, "The computer you're connected to has terminated the TCP connection."

      To analogize, A and B are two people, with a significant geographical distance between them. They send a truly ridiculous amount of letters back and forth, and the postal carriers don't want to carry them. Thus, a postal carrier sends a letter to A, in all ways looking as if it came from B, telling A that B never wanted to speak with A again. Is it an
  • New York, a state notorious for its aggressive pro-consumer office of the Attorney General, makes it a crime for someone to "[impersonate] another and [do] an act in such assumed character with intent to obtain a benefit or to injure or defraud another."

    Crazy. Almost makes me want to move to New York.
  • Technical question: why does Comcast do it this way? Why not do flow control the normal TCP way - drop packets on the floor?
    • Probably because then they'd have to peek into every single packet going through them and deciding whether to forward or drop it. This way, they don't have to see every packet, they just have to take a sample every now and then (read: a few times per second) and if it's found to be for a torrent, they just tell you to drag the connection down and discard all further packets coming for this connection.
  • Comcast, like most large companies, tends to do things they wish to do assuming they are right unless they are slapped down.

    IANAL, but I hope that Comcast IS running afoul of the law, and that one or more AG offices will bring it to their attention and force them to stop.

    (No, I'm not a Torrent user, I just don't like companies assuming they are above the law.)

    I won't hold my breath, though - I don't like turning blue and falling to the floor...

  • Standard Approach (Score:3, Informative)

    by madsheep ( 984404 ) on Tuesday September 04, 2007 @05:32PM (#20470237) Homepage
    This method is how most content filters do their jobs. Why not just drop the traffic you ask? Well here's why.. if you don't reset the connections, both sides will just continue trying to communicate with one another by retransmitting the packets. That's why it's TCP and not UDP.. the whole trying to guarantee the delivery thing. Now, they're not just blocking on IP addresses. If that was the case they could just drop the traffic altogether and not need to "forge" anything. However, since it's discovering the traffic is P2P related later on, it does it in such a fashion.

    Now the other thing is that the IP addresses being used are owned by the ISP. I am not so sure this is really forging something on behalf of the customer that's breaking laws. The customer doesn't own that IP. On top of that (and I am ASS-U-MING HERE) they are probably breaking the acceptable use policy for the ISP. If they don't allow P2P stuff, you're in violation. They could do a lot worse stuff to be a PITA than just reset your connections. :)
    • Some companies use torrent as a distribution method for their legal, legitimate software and movie distributions.

      The originating IPs do NOT belong to Comcast.

      By impersonating those originating IPs to terminate the connections is Comcast breaking either the law or contracts?

      I believe that is the question.

  • by moseman ( 190361 ) on Tuesday September 04, 2007 @05:59PM (#20470673)
    Christopher(Tue Sep 04 2007 17:54:47 GMT-0400 (Eastern Daylight Time))>

    Please provide me with a complete list of TCP/IP ports which Comcast actively blocks/filters/or limits traffic to users??

    analyst Tallilee.7304 has entered room

    Tallilee.7304(Tue Sep 04 2007 17:54:50 GMT-0400 (Eastern Daylight Time))>

    Hello Christopher_, Thank you for contacting Comcast Live Chat Support. My name is Tallilee.7304. Please give me one moment to review your information.

    Christopher_(Tue Sep 04 2007 17:55:23 GMT-0400 (Eastern Daylight Time))>


    Tallilee.7304(Tue Sep 04 2007 17:55:18 GMT-0400 (Eastern Daylight Time))>

    The only ports that may be actively blocked on the Comcast network are 67, 68, 135, 137, 138, 139, 445, 512, 520, and 1080 at this time. Any ports that are blocked will not be unblocked. If the port you would like to use is on this list, please select another port to use with your software. There are over 10,000 ports available for use. Please be advised that Comcast reserves the entitlement to block any ports on the network without prior notice. We thank you for understanding this security policy.

    Christopher_(Tue Sep 04 2007 17:56:14 GMT-0400 (Eastern Daylight Time))>

    I have read that Comcast is now actively retarding bittorrent traffic.

    Tallilee.7304(Tue Sep 04 2007 17:56:09 GMT-0400 (Eastern Daylight Time))>

    That is not a true statement.
  • Check this out... (Score:3, Interesting)

    by xquark ( 649804 ) on Tuesday September 04, 2007 @06:10PM (#20470865) Homepage
  • It shouldn't be. These companies are advertising access to the internet, there are decades old standards that describe how the internet is supposed to work, and "dropping packets because a router owner might not like the contents" isn't in any of the RFCs. There's a reason why Prodigy, AOL, MSN, Compuserve, and all the old proprietary networks had to become ISPs or become bankrupt, and that's because consumers demanded unrestricted networks. Giving us restricted networks but just calling them "internet access" is fraud.
  • by DynaSoar ( 714234 ) on Wednesday September 05, 2007 @04:10AM (#20476139) Journal
    Slap a filter on all your web sites and torrent trackers that keep Comcast customers out.

    Give the reasons that all the bogus resets cause wasted connections and time and deny legitimate users from using the service effectively.

    That's just the technical end. No effective net changing strategy will work on only that basis. It requires social fixes also.

    Notify Comcast customers what's happening and why. Tell them the action is against Comcast, not them, that you're sorry for them, but have no other choice due to Comcast's actions. Tell them to contact Comcast to tell them to either remove the block or they'll change services or call a class action suit.

    The Comcast users become collateral damage. It's a sad thing, but it's what happens sometimes. If it's presented to them in the right way, they'll become loyal and effective allies.

    It's worked before. Against Worldcom/UUNet, PSINet, the pipe into India via their country's long distance, network and satellite company affecting 90% of India, and others. It was called the Usenet Death Penalty. Look it up. It made news stories all over the world. The biggest, against Worldcom, was launched on a Friday evening so they couldn't react until Monday, and by Thursday afternoon John Sidgemore made them change their corporate policy to cut off their downstreams that were major spam sources (which was the reason all these were done). In all cases I/we got many emails from affected customers decrying the need for this, but supporting the action and us, most of them promising to step up complaints against the company involved.

    A key is to get individuals participating in doing this based on publicized suggestions from someone who doesn't participate. That makes the people doing it a temporary autonomous group, not an official body or organized group with a membership or leadership. The result of that is each individual has to be pursued one by one, and they can just drop off if and when they need to, and come back on at another point. Best way is to set aside a few people who aren't participating themselves, but are holding forth the whys and wherefores, and acting as contacts for the affected users, the press, and inevitably the company.

    It works, oh my yes. Combine technical and social tactics, and you'll have them by the nadgers. As big and bullying and rich and litigious as the companies are, they all rely on a user base. When that base threatens to jump ship, they listen and things get done.

    The 70% to 80% figure doesn't hold water. The same was said about the increase in traffic on usenet binaries groups, and that was fought off in some cases and gave rise to companies advertising specifically to provide them in others. There's nothing in their TOS that says what sort of programs the users can and can't use, just as when they decided to start dropping and blocking alt.binaries.*. There's stuff about illegal activities which is good and for a good reason, but it's up to the company to prove that's going on. If they don't, forcing their customers to drop P2P connections regardless of content is denial of service, and that's illegal. Since they're doing it to people who are paying them to provide the service they're denying, it's also fraud. With those points made to the media prior to and during the action, and with some affected but supporting Comcast members having their word in, it'd be damn hard for Comcast to defend itself without looking like thugs, and if they don't defend themselves they look like hypocritical and greedy thieves.

    I'm serious. This works a charm. Set up and laid out properly, it's the perfect media fodder to garner support -- the little guys inside and out fighting the awful corporate ogre to take back the net. And, it stirs up righteousness in more of the affected users, bringing them on board, and it's enormous fun for those doing the actual fighting against the suits.

    Not planned and executed properly, it falls apart when the press is able to make the action look like a blackmail attempt. Properly done, it can take on a multi-billion dollar company and bring them to their knees. "Properly" in the case of the UDPs, meant using accepted technical means available to and potentially if not actually used by the company in question, for their own purposes, as well as planning according to a solid model (we used War College war games simulations) and pre-emptive media attention based on another solid model (here, psychological warfare techniques for propaganda development and delivery).

    It was a heady time. A dozen guys brought low a US$4.5 billion company. Knocking their stock price down while they were negotiating a merger with Sprint probably had something to do with it. Luckily that was secret, so we couldn't be accused of doing it for that reason. I'll always remember with fondness a 10 minute phone call from Sidge consisting almost entirely of obscenity laced threats. I credit his embarrassing loss in the UDP to Worldcom only allowing him to be CEO for 13 days until they found someone else. I felt sorriest for their chief scientist VP John Snow, who actually cried over the phone asking us to stop. Sidge was a full tilt bastard to work for, so I hear. Of course, the message-kill software being used was based on some developed at UUNet and still available from them via FTP, so I can see how Sidge might be frustrated.

    It was also exciting to be talking to 40 some different media outlets from around the world, although that around the world part required 2 days of 24 hour talking. I even made Collegiate Times as a minor hero, being a successful graduate student at the time, knocking misbehaving corporations down to size as a hobby. The only less than flattering report was from the Roanoke VA paper, who mentioned my stringy hair and scruffy moccasins. But they came at the tail end of the 48 hour press contact marathon.

    UDPs aren't called anymore because they wouldn't work. Usenet has lost popularity and there's many alternative sources making customer access not bound to the ISP. But in the case of connectivity providers, especially the semi-monopolies of the very few providers in a given location, they're highly vulnerable. With one doing it and a competitor not, they're highly vulnerable.

    Get your shit together and go after them. If any of you are Comcast customers, join the ranks of indignant collateral damage and blame the real problem child. It works, and it really ought to be used before it doesn't any more. If it's not done, more and more ISPs will do it until trying this would effectively turn the net into incommunicative fiefdoms ruled over by little kings and you'll never have a chance again. Already at least two others, in Canada, are doing the same. Don't expect it to take a long time for others to start adopting it. If this is done, expect some providers to come on board claiming they don't and never will do this, becoming de facto allies. Sure, they'll be getting good press out of it, and so what? Let them, if it serves your purpose.

    Go ahead and tell me why it won't work. Use specific examples of trying and failing. I'll see yours and raise you. Give me any real specific examples and I bet I can tell you why they didn't, but I don't expect there to be many.

    First step is looking up the basis for their 70% to 80% claim and tearing it apart. The massive use of high bandwidth audio and video by YouTubish sites and media outlets would make a good comparison. Build a solid case proving them liars. That'd be one shell in the opening barrage. And find someone with War College or similar training in strategy & tactics and psyops.

    Unit IV (retired)
    Subgenius Police (Usenet Tactical Units) Mobile [SPUTUM]
    and Not A Member Of The Cabal (There Is No Cabal)
    "Remember Doug Mackall; Use a Golden Mallet"
