[ubuntu-ar] [Bulk] Re: strange problem with internet browsing
Mariano Reingart
reingart at gmail.com
Tue Oct 12 20:00:48 BST 2010
2010/10/12 leo fishman <leofishman at gmail.com>:
> everything is still the same for me
> :(
> This week I'm going to the consumer protection office and I'll let you know
>
What if we ignore the RSTs altogether?
sudo iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
# (to ignore them silently)
or
sudo iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j REJECT
# (to let speedy know that we don't accept them...)
something more specific (note that my handling of IPTABLES is a bit
out of date):
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST --source-port 80 -j DROP
I'm testing it and it looks like a viable provisional solution (although
it is not optimal nor very standards-friendly/compliant), and it works
because apparently speedy's proxy also ignores them (since they are
possibly fake -forged-...)
More info:
http://ubuntuforums.org/showthread.php?t=556539
Reading the blogs and forums, it seems this behavior is not
accidental, but could be a trend among ISPs to control peer-to-peer
network traffic (e.g., bittorrent), but unfortunately the algorithm is
not very smart and hurts users (especially in our case, with Ubuntu in
particular):
http://en.wikipedia.org/wiki/Hart_v._Comcast
http://en.wikipedia.org/wiki/TCP_reset_attack
http://stackoverflow.com/questions/251243/what-causes-a-tcp-ip-reset-rst-flag-to-be-sent
Perhaps we should look for a longer-term solution, with a method that
reconnects the reset connections (hammer-of-tor looks like a good
path; it would be good if it could be used as a transparent proxy, and
analyze the TCP packets at a lower level).
I'm attaching the provisional results; it looks like it could work.
In short: discarding the fake resets there are no errors; without
discarding them (the default) there are 16% failures (at this hour, it
may vary...).
We would have to check with netstat -an whether this leaves
connections open or causes some other problem.
Regards
Mariano Reingart
http://www.sistemasagiles.com.ar
http://reingart.blogspot.com
-------------- next part --------------
root at reingart-desktop:/home/reingart# iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
root at reingart-desktop:/home/reingart# ab -n 100 http://www.speedy.com.ar/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.speedy.com.ar (be patient).....done
Server Software: Apache
Server Hostname: www.speedy.com.ar
Server Port: 80
Document Path: /
Document Length: 0 bytes
Concurrency Level: 1
Time taken for tests: 34.302 seconds
Complete requests: 100
Failed requests: 7
(Connect: 0, Receive: 0, Length: 7, Exceptions: 0)
Write errors: 0
Non-2xx responses: 100
Total transferred: 47212 bytes
HTML transferred: 27146 bytes
Requests per second: 2.92 [#/sec] (mean)
Time per request: 343.022 [ms] (mean)
Time per request: 343.022 [ms] (mean, across all concurrent requests)
Transfer rate: 1.34 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 10 315 1170.0 13 9007
Processing: 12 28 45.9 16 371
Waiting: 12 25 40.6 15 371
Total: 25 343 1177.9 29 9028
Percentage of the requests served within a certain time (ms)
50% 29
66% 32
75% 38
80% 42
90% 201
95% 3030
98% 3512
99% 9028
100% 9028 (longest request)
root at reingart-desktop:/home/reingart# iptables -F INPUT
root at reingart-desktop:/home/reingart# ab -n 100 http://www.speedy.com.ar/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.speedy.com.ar (be patient)...apr_socket_recv: Connection refused (111)
root at reingart-desktop:/home/reingart# ab -n 100 http://www.speedy.com.ar/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.speedy.com.ar (be patient)...apr_socket_recv: Connection refused (111)
root at reingart-desktop:/home/reingart# ab -r -n 100 http://www.speedy.com.ar/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.speedy.com.ar (be patient).....done
Server Software: Apache
Server Hostname: www.speedy.com.ar
Server Port: 80
Document Path: /
Document Length: 0 bytes
Concurrency Level: 1
Time taken for tests: 22.895 seconds
Complete requests: 100
Failed requests: 17
(Connect: 0, Receive: 8, Length: 1, Exceptions: 8)
Write errors: 0
Non-2xx responses: 92
Total transferred: 22522 bytes
HTML transferred: 3878 bytes
Requests per second: 4.37 [#/sec] (mean)
Time per request: 228.950 [ms] (mean)
Time per request: 228.950 [ms] (mean, across all concurrent requests)
Transfer rate: 0.96 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 136 595.5 13 3119
Processing: 10 93 423.4 15 3007
Waiting: 12 56 104.5 15 419
Total: 10 229 733.6 29 3500
Percentage of the requests served within a certain time (ms)
50% 29
66% 31
75% 35
80% 40
90% 147
95% 3007
98% 3027
99% 3500
100% 3500 (longest request)
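
The check the message proposes (looking at netstat -an for connections left open once inbound RSTs are dropped), as an added example that is not part of the original post. The function names, the set of states counted as lingering, and the sample netstat output (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize TCP states of client connections to one remote
# port from `netstat -an` output, to see whether dropping inbound RSTs
# leaves sockets behind. Both functions read netstat output on stdin.

# Print "STATE COUNT" per state for TCP sockets whose remote port is $1 (default 80).
http_states() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && NF >= 6 {
            n = split($5, parts, ":")      # foreign address, IPv4 or IPv6
            if (parts[n] == port) count[$6]++
        }
        END { for (s in count) print s, count[s] }
    ' | LC_ALL=C sort
}

# Count sockets in handshake or teardown states that normally clear quickly.
# With RSTs dropped, a peer that aborts can no longer move them along, so a
# count that keeps growing between snapshots is the symptom to watch for.
# (The choice of states is an assumption of this example.)
lingering() {
    http_states "${1:-80}" | awk '
        $1 ~ /^(SYN_SENT|FIN_WAIT1|FIN_WAIT2|LAST_ACK|CLOSING)$/ { n += $2 }
        END { print n + 0 }'
}

# Constructed sample of Linux `netstat -an` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:40112        198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:40118        198.51.100.7:80         ESTABLISHED
tcp        0      1 192.0.2.10:40120        198.51.100.7:80         SYN_SENT
tcp        0      0 192.0.2.10:40096        198.51.100.7:80         FIN_WAIT2
tcp        0      0 192.0.2.10:40090        198.51.100.7:80         TIME_WAIT
tcp        0      0 192.0.2.10:51514        203.0.113.5:443         ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# On a live host: netstat -an | http_states 80 ; netstat -an | lingering 80
sample_netstat | http_states 80
echo "lingering: $(sample_netstat | lingering 80)"
```

Run it before adding the DROP rule and again after an ab run with the rule in place; an ESTABLISHED socket the peer has already abandoned looks the same in a single snapshot, so compare snapshots taken a few minutes apart.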