As mentioned before, if it becomes an arms race, they will force you to invest more time to stop what they’ve come up with. If you place part of the responsibility with the users, they might stop fighting against you.

For example, if you register macs, baddies will snoop other people’s macs and use those. Mahyem ensues…..

Glad you go to the bottom of it so quickly, nice one.

You were potentially giving criminals a free pass to do whatever they liked on the internet, in complete anonymity, and safe from any possibility of prosecution.

All those other (selfish) people who were locking down their networks were actually doing the responsible thing.

All that would be left is limits on nonpaged memory space, which this method would possibly use more per table entry anyways.

If the issue wasn’t the bandwidth but the number of ports being used, that is where it restrictions should be applied. If you were able to limit any ip/mac to under 50-100 ports the torrent software would be allowed to adjust to the environment and function as best it can.

Everyone would be able to do what they are trying to do, keeping them from trying to get around some artificial block.

It’s the “tragedy of the commons,” and it and similar scenarios take place commonly on open networks. I had run my home Wi-Fi in our apartment block as a deliberately open network, because many of our neighbors were broke undergrads or grad students to whom a monthly Comcast internet bill was a big expense. We used to get thanks from our neighbors. I also saw it as a reciprocity thing — when our upstream connection failed, which was rare but happened, we could get on a nearby open network and at least get our mail.

But a funny thing happened: as the number of networks in our neighborhood grew, suddenly everyone was locking them down, and ours was the only open one. Simultaneously we would frequently start to experience “denial of service” on our own connection — and we’d have no nearby network to jump to. Sometimes we wouldn’t even be able to get a NAT’ed IP address from our Netgear router, despite configuring it to reserve a block for the specific MAC addresses used by our computers, and making the public set of NAT IP addresses disjoint from it. (It turns out the router doesn’t really honor those settings correctly). The culprit was either BitTorrent or MMPORPGs. We finally had to secure our network.

I didn’t have the forensic skills (or want to take the time) to diagnose it in detail, but since we frequently saw a case where we couldn’t get any bandwidth despite having only a few public users connected. I now wonder if it had something to do with the port exhaustion scenario you outline.

I would definitely say though, it’s really inappropriate and inconsiderate that people be torrenting from a public event with shared bandwidth like that. Leave it to your seedboxen at home, folks!

The sad part is that you had to go through all this work because of the limitations of your NAT — and worse is that no one else will benefit from what you’ve done if they’re stuck using the same software.

I’ve found on our network that simply blocking ports above 1024 cuts >99% of torrent traffic, while most other stuff still works. Most instant messengers etc. will automatically revert to lower port alternatives. (And you could probably make a small white list for those that don’t without cutting much from the 99% efficiency.)

I doubt this will cause an “arms race” to use lower ports for bittorrent. Most of the peers out there won’t know and won’t care that the abusers at the event have been limited.

I realize this isn’t as esthetically pleasing as most of us techies like it, but its cheap on resources, very effective and damage to innocent users is minimal. (IMHO a shaped connection or DPI is worse.)

(For completeness sake: on our network we don’t block high ports for everyone anymore. We made simple script that’s triggered by traffic from known torrent trackers/peers and blocks high ports for the local user accordingly for 60 minutes.)

One does not know whether these people did it on purpose or didn’t – but the fact remains that if they would have configured their bittorrent client in a better way, they wouldn’t have “destroyed” your network.

Fix that, and haven’t you solved your problem?

“Most of the torrenting was done on the free netbooks that MS gave to each delegate to keep (i.e. was brand new for them at the event).”

I know there’s a ton of stuff I install on a new machine, and if I were using BitTorrent and wanted to be friendly to other users, I’d be more focussed on limiting the bandwidth than the number of connections – the port exhaustion problem wouldn’t readily occur to me.

“We confronted people directly to have them lie to our faces.”

Some people can have good intentions but still react very poorly to being “caught” in the wrong. From my experiences running a website with a lot of users, it’s pretty common.

Observe traffic from any MAC address and slowly increase its available bandwidth if it behaves well.

This way all legit users will soon get good connection, and abusers faking MACs will keep starting from zero.

If you do rate limiting, couldn’t you exempt HTTP/S? Then pretty much all legitimate users wouldn’t be punished (except, I suppose, people using a non-SSL VPN).

We’re far from mean and actually bend over backwards to accomodate the delegates.

There is nothing special about a RR script. You just need a HEAP of EXTREMELY ANNOYING client-side code and Rick Astley!

David

A combination of blanket traffic shaping and outright quota system is the way forward – but to be honest, I still really don’t like doing that. In my view, it is perfectly valid for someone to legally download 5GB from Connect/MSDN/wherever in one hit if they need, for example, ISOs of Win7/SQL/etc for a demo. Those sorts of emergency scenarios will be casualties of whatever shaping we end up doing. When you hit an Akamai server at a peering exchange the download rates are astronomical so you can expect to give a half gig link a bit of a flogging. Blocking those valid use cases, though, sucks.

So in some cases – yes – we WANT you to use a lot of data if you need to. That is why we put in hundreds of mbps of capacity.

Pre-announcing shaping will do nothing to change behaviour. We confronted people directly to have them lie to our faces. One of the guys in particular worked for a charity – Great spend of the donated dollars, grants and goodwill sending him to teched.

If this were advertised widely at the start of the 2010 event, I wonder if the “anti-social” types would even bother to try it on?

BTW, did anyone ever find out what the “baddies” were downloading?

This post was mentioned on Twitter by NickHodge: Rick Astley, NAT, Bittorrent and above-and-beyond service: http://tinyurl.com/y9k4znq...