The REAL Fix For Comcast BitTorrent Throttling

First, a little explanation may be needed as to what is happening in between our computers, Comcast and the Internet.
Comcast is using a packet filtering platform called Sandvine. At its core, this platform is a Quality of Service system that has legitimate uses, such as giving high priority to Xbox Live communications and VOIP packets.

Unfortunately, Comcast has decided to use Sandvine (some say illegally) to impersonate us and send a reset packet (a TCP packet with the RST flag set), which is exactly how the Chinese government filters the internet!  (PDF)

TorrentFreak hinted on August 22nd that someone was working on a fix for Comcast users.

“…we know that at least two BitTorrent client developers are including this fix in their next update.” –TorrentFreak 

It’s two weeks later, where is the fix!?  And just exactly how do you find out if you’re being throttled by Comcast?  And how can we figure out how to avoid this traffic shaping?

The Fix(es):

There are three ways to fix this:

  1. Paying for and setting up SSH or some other nefarious means (lol).
    • SSH access is not free, and if it is, it’s slow, and if you steal WiFi you might as well just switch ISPs.
  2. Use iptables or ipfw. This has been posted many times around the web, but here it is just for posterity:
    iptables -A INPUT -p tcp --dport $YOURTORRENTPORT --tcp-flags RST RST -j DROP
    ipfw add deny tcp from any to any YOURTORRENTPORT in tcpflags rst

    • Unfortunately, this only works if you have a *nix-based computer, or have a Linux firewall around somewhere. I suggest Smoothwall if you’re looking to go that route.
  3. Use the latest version of Azureus’ nightly CVS snapshot, which includes the fix mentioned by TorrentFreak.

Obviously we are going to be using the third option.  The latest version of Azureus can be downloaded as a nightly CVS snapshot.

    NOTE: Several readers have pointed out that this does not fix the issue for them. Your Mileage May Vary!

Jog dial back a little bit, picture me surfing the Azureus wiki and finding the following article entitled “Avoid Traffic Shaping.”  The juicy bits are as follows:

Level 5 (encryption) is specifically intended for people who have problems with a specific traffic shaping method used by Sandvine traffic shaping hardware, see Bad ISPs if this applies to you.  […]  Note: This level is available from Azureus onwards.  […]  The premise of this method is to minimize the amount of unencrypted information leaked.

Bingo! This is what TorrentFreak was talking about!

Here are the steps to fix it:

  1. Download and install the regular version of Azureus, which has been rebranded as Vuze
  2. Click here to visit their CVS download page.
  3. Grab the .jar file from that page
  4. Rename it to Azureus2.jar and copy it into the Azureus folder, overwriting the old one.
  5. If you need very detailed instructions, here you go.
  6. Once you’ve got the new CVS version installed, enable these settings:
    1. Tools -> Options -> Connection -> Transport Encryption
      • Enable require encryption
      • Select RC4
      • Disable both fallback checkboxes
    2. Tools -> Options -> Tracker -> Client
      • Enable Do not announce the listening port to the tracker
      • Set the peer limit to a low figure, start with 1 or 2
      • Set the Minimum time between tracker announces to 900 for example
    3. Adjust DHT settings (2 mutually exclusive alternatives, pick one):
      • Disable the DHT:
        Go to Tools -> Options -> Plugins -> Distributed DB
        Uncheck Enable the distributed database
      • Try to get more peers via DHT:
        Go to Tools -> Options -> Plugins -> Distributed Tracker
        Uncheck Only track normal torrents
  7. Now try to seed a torrent you haven’t seeded within the last few hours or so before applying these settings.
  8. You should see a huge increase in seeding speed.

I’m still waiting to see conclusive results at this time. This works!  I have personally seen better total upload rates in 5 minutes than in 5 hours. I’m no longer capped at 0.1 kbps upload during a seed… I’m seeing more like what I should be – 70+ kbps.

By using these settings we only allow ourselves to connect to other clients that have enabled communication to encrypted clients. Also, when Comcast gets word that people are using this way to avoid leaking more information than needed, they can simply reconfigure Sandvine to be even more restrictive towards Internet-bound traffic and break it all over again.

How to Determine If You Are Blocked By Comcast:

The first indication that you are being throttled back is that when you finish downloading a torrent, your upload speed will absolutely STINK. I see around 0.1 kbps up. That’s a really good indicator, as my speedtest shows I can download at near 25mbit/sec and upload at around 1.5mbit/sec.

What if you REALLY want to know for SURE? I know I did. Thanks to funchords on the DSLReports forum, we have an easy way. I’ve modified it a little bit, but original credit goes to him.

In Windows, the following command will save a file onto your desktop. Click Start, then Run, and copy and paste this bit into the box and press OK.

netstat -s | find "Reset Connections" >> "%userprofile%\Desktop\reset_connections.txt"

For Linux, use this command:

netstat -s | grep -i "resets received" > ~/reset_connections.txt

Open up the reset_connections.txt file that showed up on your desktop (or Linux home directory) and record the number on a piece of paper.

This is your baseline number; it starts from here and can only go upwards. Now, start seeding ONE torrent for an hour. Many people have reported that they receive upwards of 1 RST flag per second when monitoring using a program called Wireshark (or Ethereal). After one hour, record your new number by running the above command again and opening up the reset_connections.txt file again (the Windows command appends to the file, so read the last line). If the new number is around 5000 or more above your first number, you are being throttled about as bad as I am.
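The baseline-and-recheck procedure above can be scripted. This is an added example, not code from the original post or from funchords: it reads the reset counter out of `netstat -s` text in either the Linux or the Windows wording and applies the rule of thumb of roughly one reset per second. The function names, the `--live` flag and the sample counter values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): automate the baseline/recheck
# procedure using the TCP reset counter from `netstat -s`.
# Caveat: the counter covers every TCP connection on the machine, so keep other
# network activity low during the test. Some resets are normal (peers quitting).

# Constructed sample outputs, so the parsing can be tried offline.
SAMPLE_LINUX_BEFORE='Tcp:
    8123 active connection openings
    412 passive connection openings
    37 failed connection attempts
    1520 connection resets received
    311 resets sent'
SAMPLE_LINUX_AFTER='Tcp:
    9877 active connection openings
    530 passive connection openings
    41 failed connection attempts
    7031 connection resets received
    344 resets sent'
SAMPLE_WINDOWS='TCP Statistics for IPv4

  Active Opens                        = 8123
  Reset Connections                   = 1520'

# parse_resets: read `netstat -s` text on stdin, print the resets-received count.
# Handles the Linux wording ("N connection resets received") and the Windows
# wording ("Reset Connections = N"). Exit status 1 if neither line is present.
parse_resets() {
    awk '
        { sub(/\r$/, "") }                                   # tolerate CRLF
        tolower($0) ~ /resets received/   { print $1;  found = 1; exit }
        tolower($0) ~ /reset connections/ { print $NF; found = 1; exit }
        END { exit !found }
    '
}

# assess_resets BASELINE CURRENT SECONDS [LIMIT_PER_SECOND]
# Prints the delta, the average rate and a verdict. The default limit of
# 1 reset/second is the rule of thumb quoted on this page, not a standard.
# Returns 2 if the counter went backwards (e.g. a reboot) or the interval is bad.
assess_resets() {
    baseline=$1; current=$2; seconds=$3; limit=${4:-1}
    if [ "$seconds" -le 0 ] || [ "$current" -lt "$baseline" ]; then
        echo "invalid sample: bad interval or counter went backwards" >&2
        return 2
    fi
    delta=$((current - baseline))
    awk -v d="$delta" -v s="$seconds" -v lim="$limit" 'BEGIN {
        rate = d / s
        printf "delta=%d rate=%.2f/s verdict=%s\n", d, rate,
               (rate > lim ? "suspicious" : "normal")
    }'
}

# Live use on Linux: ./resets.sh --live 3600   (start seeding ONE torrent first)
if [ "${1:-}" = "--live" ]; then
    interval=${2:-3600}
    before=$(netstat -s | parse_resets) || { echo "reset counter not found" >&2; exit 1; }
    echo "baseline: $before resets received; sampling for ${interval}s..."
    sleep "$interval"
    after=$(netstat -s | parse_resets) || { echo "reset counter not found" >&2; exit 1; }
    assess_resets "$before" "$after" "$interval"
fi
```

Run without arguments the script does nothing; the sample variables let you check the parsing before committing to an hour-long measurement.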

Things to keep in mind:

Even once you have torrent upload speeds working the way they should, keep in mind that Comcast does terminate service for downloading more than ~200gb in a single month. I personally had ~150gb aggregate upload and download totals for several months in a row with no complaint from Comcast.

I believe that when more people are using this method, it can only get better.

60 replies on “The REAL Fix For Comcast BitTorrent Throttling”

This actually does “fix” the problem. I’ve been having issues for weeks trying to seed torrents, usually overnight only having a 0.25 to 1 ratio. .25 after 10 hours of seeding on a popular torrent is TERRIBLE!

Last night I left the torrent seeding after using the above settings (with some tweaks) and I was constantly uploading at 70-150kbps and in the morning (6 hours later) I had a regular 2.2 to 1 ratio.

Comcast IS in the wrong here. There is no disputing this.

Well, it was a nice thought. Followed every step TO THE LETTER. About 20 sec after a peer connects and starts the download… connection reset appears and peer drops off. Reset shows on my netstat list, I can watch the peers be booted in real time almost. +1-2 reset and peer is gone.

I am getting 0 peers connecting on 1000+ peer torrents. Share ratios on a 48hr open torrent are 0.0 🙁

I am in the Washington D.C. area if anybody is wondering. I wish there was another provider in my area, and crapcast needs to wake up to the reality… The WORLD is moving to the internet age, we will need fat pipes to achieve this. Japan is walking all over the US with their 50Mbit+ connections.

I miss my RoadRunner 🙁

Reset connections are a normal thing, people turn their PCs off, close their torrent program, or simply get disconnected. That’s when you normally get a RST flag.

However, when you are getting more than 1 RST flag a second, that is when you can tell you’re being throttled.

You write, “Level 5 (encryption) is specifically intended for people who have problems with a specific traffic shaping method used by Sandvine traffic shaping hardware . . . This level is available from Azureus onwards.”

Perhaps RC5 encryption would do the trick, but this option is not available in Azureus. Did you mean RC4 there?

In any case, it’s not working on the east coast.

William – it’s called “level 5” because it is the most difficult to identify by your ISP. RC4 encryption is the type of encryption used between you and other peers.

Well, when I start Azureus after following these instructions precisely, UL speed is great – for about thirty seconds. Then it is back to normal crappy Comcast standards. Am I the only one experiencing this problem?

I am in Washington State. I’m going to give it another try, hopefully I did something wrong the first several times around….. I don’t like to be a leech in my legal file sharing adventures, after all.

I’ve been trying to find some way to circumvent this Comcast bittorrent throttling mess for quite some time and nothing has worked. I was really hoping this howto would fix the problem, but unfortunately, it did not. I’m located in Michigan btw. I guess I’m pretty much out of luck. Unfortunately, Comcast is the best option available where I live.

“Xbox Live communications and VOIP packets”
sooo, why not form BT packets to look like VOIP packets, or at least XBox packets.. or anything else for that matter – make it universal or something?

I am also in the Washington DC area (actually just across the river in Arlington VA) and Comcast fluxes a lot. One minute I’m getting 200 – 300k on a download the next 20. I’m curious about the huge number of people I’m connected to under peers but with no data tx between – ie. they have 100% of the file and they’re not uploading a drop. Does it help to kick/ban these folks? I’ve also experienced ONLY on comcast an issue of turning on force start gets it going but then when you turn off force start it all drops to zero and stops. Anybody else had that issue?

I too followed all of these instructions. My problem is that all of my seeds now say “Error (invalid port)” next to them. The 2 I’m currently downloading are still downloading and uploading. The other 6 I’m trying to seed are still going slow or not at all. Is there something I did wrong? Was I supposed to remove all of my seeds and downloads before doing this?

Hey guys – I’m up here in portland, oregon; and for some reason we’re still getting great juice out of comcast. We’re only torrenting on one linux box and using azureus, ktorrent, the iptables fix, and a couple other lin tricks, and I get huge speeds still. I don’t get it, don’t even know if I’m being targeted for jamming or no.

smoothwall is a pile of shit. don’t recommend it.

and, heaven forbid that you actually need to ask the developers a question. i was a devoted smoothwall user and had set them up in about 50 of my client’s networks, and i had donated $50 to the project and encouraged many of my clients to either donate to the free project or buy the corporate version. i was having a minor issue, dropped by the IRC channel, kicked, told i didn’t “donate enough to get any support” and then glined/banned from the server by the lead developer. this same guy that seems to think that having an e-mail address is some sort of penis extension.

if you are using linux, build your own firewall. if you don’t have the time or inclination, check out one of the other *nix based firewall distros.

The real fix is you buy access to a foreign broadband VPN connection and everything you do is encrypted and unfiltered.

sites such as offer these ‘windows’ of privacy and secure surfing. However the real problem is that most of the files you want to download are coming from ISP’s that are filtering or will be soon.
Fortunately hd space is going up much faster than the size of media and apps to fewer high bandwidth connection can effectively take the burden. Unfortunately the largest consumers of internet are being filtered the most, China and the US.

A good business may be providing cheap VPN from a country with no data regulations. Making laws such as Germans choice to enforce keeping logs around less effective.

Germans can buy access to VPNs in countries where that law cannot be enforced and all their traffic will be hidden.

You are putting all your traffic in some other potentially smaller company’s hands and you may be hiding it for a reason. So I’d pay the extra to help ensure the place is legit.

On the other hand the CIA could make a lot of money reselling this service and getting the side benefit of all your data, though in most cases I doubt that. You will want to review the service you choose.

A service that, say, offers you to pay by international money order and guarantees log removal is more likely to be a well run operation. I think it is more realistic to expect a well run place to keep logs for network analyzing for a short period. Saying you keep no logs might be a lie. How does your network run well without logs?

Though, I am not a VPN reseller expert nor have I any ISP experience. Nor have I walked in on a secret NSA spy room at my local telco provider.

I find it more or less impossible to know who to trust with certainty. You really are better off borrowing your neighbors or such especially doing shady stuff.

Seems to me a distributed project such as freenet is a great idea. We all share bandwidth for the common goal of having highly anonymous traffic. Maybe even create some packet morphing technology to spoof the filters a bit.

It could be its own project or even integrated with a p2p. There are many many uses for a distributed online app. Utorrent and such could make their programs vastly more versatile and more or less be creating an entire platform not just one app. They would also be securing the right to P2P which is important since it’s their product’s main use.

We would all basically serve as encrypted proxies with some reasonable yet practical means to create complete plausible deniability. Such a program would be illegal to run since you provide free unregulated proxy in some countries technically, but then for the most part so is p2p.

I suggested it years ago but everyone said it would require too much overhead. I think it’s becoming more and more of a reasonable solution as bandwidth goes up and filtering becomes the obvious future. Even if we had more bandwidth, it would still be economic to filter the P2P users out. You know they will still want internet even if they can’t get P2P. So if all ISPs conspire there are no other options. Therefore the solution is we claim some infrastructure as private.

The two main ways to do that are by making a secure network within the existing internet that keeps out snoopers. OR the best idea which is to move Americans over to a public wireless internet. This could be done privately where each person owns their own wifi bridge. In some areas you might need an antenna and booster or even a professionally installed link. The cell network will be there soon, so the technology is by no means futuristic. A good WIFI can go miles when installed well and that’s without even being designed for this application in mind.

It works just like the old CB network where you bounce off your closest neighbors to get more range. In all reality there are vastly better ways than using WIFI if you designed it from the ground up.
The lower the MHZ in most cases the further the range. The 700 mhz as a wifi bridge spectrum would kick ass. The reason Verizon has better coverage in most areas is because they bought the lower MHZ way back when. Verizon runs 850 mhz in most places. Sprint for instance runs 1900 mhz, which is why their network has more dead spots on average.

Sooooo, we can all just stop paying basically for all our communication bills by making one time investments in these home wifi bridges. It’s entirely possible and practical, but co-existing could be tricky if major network sources refuse the new model. Places like MSN might be pissed that you were taking comcasts customers and refuse to be hosted. Since many major news companies are owned by companies that also own media distribution it could be a market wide trend to resist any new medium, but especially ones that offer so much.

You can see many telcos fighting cheap VOIP solutions. However making the device individually owned really eliminates a lot of their power. There is little to nothing they could do about it in the long run. Once enough people got this thing, the old ways would be dead and we could all just have free phone, free TV, free internet and whatever else you can think up to move across a wireless network.

I think in the end the bandwidth would be greater since the average wireless connection is way faster than cable internet. It should also make hosting costs go WAAY down. The only problem is the complexity of the routing, but it seems to me a wireless network like that is just easier and cheaper to maintain. Every 3-4 years we all buy new boxes and the network upgrades itself. No monopolistic companies needed to support an aging infrastructure.
Now there might be a reasonable limit to just how fast wireless can go, but laser internet will be on the way also and that should be just as fast as fiber. Sure super expensive but how long will it really take us to get faster than WIFI speeds to our house. Verizon’s FIOS is still slower than most WIFI connections. We could make some badass WIFI bridges compared to ones out today able to support tons of channels and traffic for probably little more than the SOHO ones today. Most of the price increase is artificial, just like Intel could really sell us their top of the line P4 for the price they sell the celeron, but that’s business right. Well I dunno, if we’d make products cheaper maybe more people would effectively benefit from them, increasing overall national productivity and intelligence.

Remember back in the day when we forced Ma’ Bell to provide telephones to everyone, not just those who could provide it because it was an obvious public service that would make the entire country stronger.

Well many infrastructures are like that, and waiting on corporate profit margins is usually a big waste of time since they are ONLY interested in their profit, not things like national security or personal rights.
We’d probably still be waiting for telephone service to some parts of the country had we not stepped in and regulated the market a little.

Same goes for internet. The US people need not put up with this. The solution in this case is NOT with boycotting comcast, though that won’t hurt, but I see all ISPs doing this sooner or later so it’s probably the federal or state government we’ll need.

I only say state since they seem more likely to actually do things and pay attention to the peoples needs than the federal government lately.

So, how about that. ME for President. You liked Bush’s tax cut maybe you got 300 bucks or something. You’ll love this. Imagine not paying so damn much for communications. Imagine regulation kept energy prices down for decades for the GOP deregulated them and now energy companies have record high profits. Yet I don’t see this trickle down economy paying off to the working class who can barely afford to heat their homes they so industriously invested in for the last 20 years. People invested in big houses so now energy prices are high. People invested in big cars, now gas prices are high. Why can’t enough people see this coming and actually get off their asses?

I bet a coal powered car really wouldn’t be that bad.
We are on the verge of either an economic crisis or the electric revolution and Americans can’t figure out which way to go.

It’s kind of scary how many stupid people there are in this nation and that every one of them has just as much of a right to vote as me even though I read and they just watch Fox News after World Wrestling Entertainment every night.

Do you think they changed their name because WWF was the World Wildlife Foundation? That must have been embarrassing on web searches, either way.

So, you know, we mostly chose to be slaves to the system because it’s less thinking. We have other options and in a land of supposed opportunity and supply and demand you’d think we’d have a bit more competition in the most expensive sectors since it’s obviously very profitable. Seems though when we do, they find a way to kill it.

Eliminating some of that control through media would be easy to do if we had more control over the infrastructure itself. Seeing that it’s our country and those wires are buried in state land. We can legislate and regulate this system to be whatever we want. We can lower communication costs, we can install public wifi and put cell phones and everything on it and have it cost almost nothing compared to what we pay now.

You idiots running out to buy HD have created this problem, stealing what little bandwidth we have so you can see the wrinkles in your favorite actor’s face. The increase in bandwidth isn’t even remotely worth the quality. We should be streaming out divx or something efficient if we must suffer such low bandwidth. Nobody wants to upgrade the infrastructure and with the dollar dropping even less people will want to. That’s why it’s up to either individuals to piece together a privately owned joint effort network or it’s up to us to mandate it through the government.

Either way, well managed will cost roughly the same. I’d prefer the government run system, but since governments change and people don’t vote you can’t ensure privacy, so in today’s world a privately owned network makes sense. Making it have emergency communication potential would also be a great idea. This makes the US a very hard target for IT threats by diversifying our bandwidth distribution.

fsck smoothwall: I’m almost done writing a fairly in-depth review of eight different *nix software firewalls: ClarkConnect, Endian, Gibraltar, IPCop, Monowall, pfSense, SmoothWall, and Vyatta. Ouch… you got glined/banned from Smoothwall IRC channel? That is fscked up!

Joedoe: Some ISPs delay encrypted traffic, so the VPN solution may not be ideal. The BETTER solution is using an ISP that doesn’t filter traffic. For example, in my city, there are two big players – Qwest DSL and Comcast Cable. Fortunately, Qwest is forced to provide “naked” DSL, and another ISP in the city, Xmission does not filter p2p traffic.
Logs are a necessary evil, but logs that do not keep track of personally identifiable information may be another solution.
Freenet, Tor, etc are not designed to carry high bandwidth traffic. Also bigger social problems where abuse of the exit node occurs and the owner ends up being thrown in jail until cleared of a bomb threat (just a recent example) cause them to rethink their intentions. Some guy in Germany running the largest exit node in the country recently was locked up for the second time, and ended up turning off his server.
Then again, running a server (which Freenet and Tor exit nodes are) is against the TOS of most ISPs as well. It’s not an ideal solution.
Cellular data wouldn’t work very well and you would have resistance from the vendors already in place.
A wireless mesh network has more problems than using Freenet – how does that data get onto the internet? Who pays the bill for that traffic to enter the public internet? How are they protected from the above bomb threat scenarios? Somewhere, somehow there needs to be infrastructure. A network with half a million nodes does not scale well without server racks and fiber.
“You idiots running out to buy HD have created this problem, stealing what little bandwidth we have so you can see the wrinkles in your favorite actors face.”
I personally don’t own an HD TV yet, but I’m certainly shopping around now that it’s getting less expensive and in 2009 HDTV becomes the standard – as mandated by the government…

I live in the Houston area, and this problem just started occurring for me about 3 or 4 days ago. My bandwidth wasn’t just being throttled, I was having my connection dropped twice a minute. Which means things like chat programs were impossible to use. I’ve applied the Level 5 settings to my Azureus and have been monitoring my connection for the last 15 minutes and I haven’t been dropped yet. So it appears this solution is working for me. However, I haven’t really tried seeding yet, I’m just downloading (but before the settings, even just downloading got my connection dropped).

For me (in the Redmond, WA area), these settings have improved my download speed dramatically. However, like another poster, I cannot seem to get anyone to connect to me. So my sharing ratios are very low (.0001).

I didn’t understand your “2 mutually exclusive alternatives” statement. Could you clarify? There are two items that can be checked/unchecked, which gives four possible settings. Which two are valid/advisable?

Update: I managed to get a green light by turning off the “Do not announce the listening port to the tracker” but I fear that this has prompted Comcast to start sending the resets.

Everett, WA – Followed Level 5 on Azureus OSX and Win2K boxes. Still zero upload. 🙁 . Get near 800kb up at network speed test sites. Netstat -s yields hundreds of RST packets per hour.
Perhaps I can control the dropping of reset packets via a [replacement] router with DDWRT on it? Or is Sandvine controlling the resets at both ends?

2 questions

1. when I type in the line you posted into the run box in windows, I get nothing. Is it in the cmd line box or the run box?

2. where do you adjust dht settings in vuze?

I think the real fix would be, rather than trying to get around their limiting tactics, is to let Comcast lose in court, let all bittorrent run completely free, watch the networks collapse, and rather than slow bittorrent, we will all have NO bittorrent and we can watch our $50 a month internet bills go to $250 a month to fund bigger internet pipes (which aren’t cheap) and help defray comcast’s legal fees too! Wouldn’t that be awesome???!!!

I use private tracker files so no help there.
Has anyone tried using the default ports like ftp, telnet or http ports? I dont know where to change the default listening port for these applications before using them in bittorrent client. can some1 pls help?

Also since the other peers doesnt use the same port, they can detect this and hence this also might not work i guess. what do u think?

This is the problem with the “privatize everything and private interest is A OK” mentality that is in the US. You do realize that the connections we have here in the US are much slower than in the EU, for instance, where people run fiber optic straight into their homes, right?

Why? Well because it is not in private corps interest to spend anymore money than they have to, as you pointed out, whereas in the EU internet is regulated heavily by the government and the result has been consistently better and faster internet for the populace.

A significant portion of the EU population has 10mbps connections in their HOME. While we sit on antiquated technology even though prices go up, prices are dropping in the EU, while service and speed are consistently getting better. Now then, support Comcast and their moneygrab if you want, or realize that you have been sold on a BS version of capitalism in the US that allows this kind of thing to happen, fight against it, and get something better.

Thanks for shedding some light on this. I just finished and I’m still at 1.5 kbps. I have a history of randomly slow download, even ones on limewire that aren’t tracked, but I’m still unsure about whether I’m being tracked. They found a file I downloaded a year or so ago and sent me a warning. Do I have to check if the source is encrypted? I’m just afraid of getting terminated. Also, is there any definitive way to check if they’re picking it up?

This worked for me today. It was a little challenge to get all the settings right, because the client’s interface has changed a bit since this was written (on version 4.2 now, now called Vuze). Otherwise, seeding would NOT happen with uTorrent today (was working fine two days ago), and today, seeds and download speeds went through the roof. So, thank you!

I tried to download the .jar file from the given Azureus CVS page today but it kept timing out. Is there a problem with the site or the file?

Any ideas?


This really works! Comcast was kicking my ass with this garbage. I did everything it said and now I’m downloading at about 400/kbs which is a hell of a lot better than zero!


I don’t know how this is working for you folks! I followed every step to the letter, and am not new to computers/torrents or anything, but since we got Comcast Cable I am getting 0kb/s download speed on everything torrent-related. Absolutely appalling. If they weren’t the only option other than shit DSL in the area you can bet I wouldn’t be using them, but… Can anyone help me get this working?

I admire the valuable information and facts you present inside your articles.I enjoying reading your post. You make right points in a concise and pertinent fashion, I will read more of your stuff, many thanks to the author
