Evading Audible Magic’s Copysense filtering

As I noted on Monday, the Irish branches of several major record companies have brought a case against Eircom, demanding in part that the ISP install Audible Magic’s Copysense anti-filesharing appliances on their network infrastructure.

I thought I’d do a quick bit of research online into how they do their filtering. Here’s what the EFF had to say:

Audible Magic’s technology can easily be defeated by using one-time session key encryption (e.g., SSL) or by modifying the behavior of the network stack to ignore RST packets.

It’s interesting to see that they used RST packets — this is the same mechanism used by the “Great Firewall of China” to censor the internet:

the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

But there’s a very easy way to avoid this, according to that blog post:

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.

Clayton, Murdoch, and Watson’s paper on this technique provides the Linux and FreeBSD firewall commands they used to do this. Here’s Linux:

   iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

For FreeBSD, the command is:

   ipfw add 1000 drop tcp from any to me tcpflags rst in

So assuming Copysense haven’t changed their approach yet, it’s trivial to block Copysense’s filtering, if both ends are running Linux or BSD. I predict if Copysense becomes widespread, someone will patch Windows TCP to do the same.
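The mechanism quoted above (resets forged by a side machine while the original packets pass through untouched) leaves traces that can be checked in a packet capture taken at the receiving host. The following is an added example, not code from this post or from the paper: a heuristic that flags RSTs whose TTL differs from the rest of their flow or that are followed by more payload from the same sender. The `Pkt` record, the function name, the `ttl_slack` threshold and the sample packets are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float        # capture time, seconds
    src: str         # sender "ip:port"
    dst: str         # receiver "ip:port"
    flags: str       # TCP flags as letters, e.g. "PA", "R"
    ttl: int         # IP TTL as seen at the capture point
    length: int = 0  # TCP payload bytes

def suspicious_resets(packets, ttl_slack=2):
    """Return [(rst, reasons)] for RSTs that do not match their own flow."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[(p.src, p.dst)].append(p)          # one direction of one connection
    findings = []
    for flow in flows.values():
        usual_ttls = {p.ttl for p in flow if "R" not in p.flags}
        for i, p in enumerate(flow):
            if "R" not in p.flags:
                continue
            reasons = []
            # Packets from the real sender share a path, so their TTL is stable;
            # a reset forged by another machine usually arrives with a different one.
            if usual_ttls and min(abs(p.ttl - t) for t in usual_ttls) > ttl_slack:
                reasons.append("ttl-mismatch")
            # A host that really aborted the connection sends no more payload on it.
            if any("R" not in q.flags and q.length for q in flow[i + 1:]):
                reasons.append("data-after-rst")
            if reasons:
                findings.append((p, reasons))
    return findings

# Constructed sample capture (documentation addresses, invented values).
SAMPLE = [
    Pkt(0.00, "198.51.100.7:6881", "192.0.2.10:51000", "PA", 52, 1400),
    Pkt(0.02, "198.51.100.7:6881", "192.0.2.10:51000", "R", 61),
    Pkt(0.03, "198.51.100.7:6881", "192.0.2.10:51000", "PA", 52, 1400),
    Pkt(1.00, "203.0.113.5:80", "192.0.2.10:51001", "PA", 49, 512),
    Pkt(1.50, "203.0.113.5:80", "192.0.2.10:51001", "R", 49),
]

if __name__ == "__main__":
    for rst, reasons in suspicious_resets(SAMPLE):
        print(f"{rst.ts:.2f} {rst.src} -> {rst.dst}: {', '.join(reasons)}")
```

Both signals are heuristics: packet reordering or a route change can produce either one on an untampered connection. The blanket DROP rules above also discard genuine resets, so connections a peer really did abort linger until they time out.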

I love Audible Magic’s response:

The current appliance happens to use the TCP Reset to accomplish this today. There are many other technical methods of blocking transfers. Again, we have strategies to deal with them should they ever prove necessary. This is why we recommend our customers purchase a software support agreement which provides for these enhancements that keep their purchase up-to-date and protect their investment.

In other words, “hey customers! if you don’t have a support contract, you’re shit out of luck when the p2p guys get around our filters!” Nice. ;)


4 Comments

  1. bubba
    Posted March 15, 2008 at 20:58 | Permalink

    how likely is it that both sides are going to be ignoring the RST packets? that’s a lesson learned in the US when Comcast started doing the same thing with bittorrent traffic. if you ignore the RST on your side, but the other peers didn’t, you wind up with a lot of half-open connections.

  2. Posted March 16, 2008 at 19:04 | Permalink

    bubba: yes, unfortunately both sides have to ignore the RSTs. My theory is that as more ISPs use RSTs to filter, more people using filesharing apps will install patches or firewall rules to ignore the RSTs — so a network effect would apply.

  3. Posted March 19, 2008 at 13:17 | Permalink

    The last sting of a dying wasp? If the recording industry were to perhaps make tracks available for convenient download at prices that acknowledge the lower cost to them.

    The current price is usually 99c per track making most albums €10 for download compared to €17/18 in the stores but the store price includes the money to the vendor and manufacturing cost for the physical product. Neither of which exist for the online version. And let’s remember the price differential compared to the US where those numbers above are the same but in dollars! Also mp3/4 are lower quality than CDs or LPs, so you are in essence paying the recording industry the same money as they currently get for a physical sale for a lower quality good.

    And let’s remember almost nothing appears to get remaindered on the download world. So no cheap 2nd hand bargains.

  4. Don
    Posted November 20, 2009 at 19:09 | Permalink

    It is illegal for the music, software, & entertainment industry to falsely advertise that you are buying a cd when buying means that you own it.

    They are lying about you buying it since their actions prove they really think you rented it! No permission to copy? They still own the rights?

    I would say that since they violate a lot of laws, truth in labeling being one, truth in advertising being another, & I am sure you can think of lots more….

    I would say that this pretty much gives you permission to do whatever you skippy please with YOUR CD that you BOUGHT (not rented).

    If you are renting it like they claim, they should be required by law to say so on the package!