Avoid traffic shaping
Note: This is documentation specific to Vuze (Azureus), if you're looking for the specifications see Message Stream Encryption.
General info for endusers
Since more and more users are affected by overly aggressive traffic shaping Azureus implements this traffic obfuscation feature to allow users to use their bandwidth properly. Since this only works when a shaped peer can connect to any peer in the swarm with the crypto header it is currently not possible to turn this feature off.
This feature does NOT provide anonymity and only very limited confidentiality, i.e. if somebody is in possession of the correct infohash he can obtain your IP/Port combination from public sources like a tracker or from other clients via PEX he will be able to connect to you as usual. Only a passive listener can't determine what you're downloading.
When to turn it on
Generally this feature will not help you with any kind of download speed or other problems unless
- you're affected by P2P/BitTorrent traffic shaping or it is completely blocked (see Bad ISPs)
- you're on torrents with a large fraction of traffic shaped users
- you want to hide what protocol you're using from passive surveillance (it is not for those who seek anonymity)
Please note: You should make sure that you don't violate any rules (e.g. 'reasonable use' clauses) that are associated with your internet connection such as the contract with your ISP.
You might also test with the built-in Mlab speed test in Vuze for your effective speeds and also for possible traffic shaping/throttling/blocking activity. Go to Help menu, select "Speed test..." and run the "General speed test".
To enable the encryption you have to switch to intermediate user mode and go to Tools -> Options -> Connection -> Transport Encryption and enable the Require encrypted transport checkbox.
Enabling this feature instructs to establish connections with the crypto handshake, which will consume more CPU time due to the D-H key exchange. If it is disabled Azureus will only use the obfuscation header for peers that either require that via PEX/DHT or when a remote peer initiates a crypto connection.
Further details are controlled by the following settings:
- Minimum encryption level
- this will specify the minimal encryption level you will choose when establish encrypted connections, currently available are
- Plain: This only uses the obfuscation header and transmits the entire payload unencrypted. It's still easy to identify but might be enough to confuse simple traffic shapers
- RC4: This mode uses strong cryptography to obfuscate the traffic and is only attackable with very sophisticated and expensive attacks but it consumes more CPU time than the Plain method.
- Allow non-encrypted outgoing connections if encrypted connection attempt fails 2
- This option ensures compatibility with legacy clients that don't support the traffic obfuscation but makes it easier for the ISP to identify users that engage in BitTorrent activity.
- Allow non-encrypted incoming connections
- Disabling this option will prevent any peer from connecting to you unless he uses the obfuscation header. Thus it even prevent peers from connecting to you when they support encryption but don't know that you require it. But as stated in the implementation specs Azureus' PEX and Distributed tracker is obfuscation aware and thus tells other peers to use it even when they default encryption to off.
Enabling this option may be necessary when the ISP limits ports instead of single connections.
Escalation of the crypto settings
Since different methods of traffic shaping and protocol discovery exist different levels of shaping avoidance are necessary. The following configuration options are listed in ascending order.
It's suggested to use one of the first 3 combinations unless there is evidence that more drastic steps are necessary. If you turn off fallback for incoming connections we suggest to change the listening port in case the shaping is done on a per-port basis.
|Level||Enabled||Method||allow outgoing fallback||allow incoming fallback||advantages||disadvantages|
|0||No + using a non-standard port||none||Yes||Yes||Doesn't use cryptography unless required by a peer1; no additional CPU consumption||Doesn't prevent traffic shaping, unless the provider simply throttles standard P2P ports|
|1||Yes||Plain||Yes||Yes||Least CPU intensive and most compatible setting to avoid traffic shaping||Easy to detect since the payload isn't encrypted|
|2||Yes||RC4||Yes||Yes||Still maintains maximum compatibility but avoids traffic shaping, at least for outgoing connections||The incoming port used for BT connections may be detected|
|3 2,3||Yes||RC4||Yes||No||Prevents that any classic BT connection to the incoming port is successful and thus makes it harder to identify ports that are used for BT traffic||Limited backwards compatibility|
|4 3||Yes||RC4||No||No||Prevents any classic BT connection and thus makes it harder to identify the entire host as a BT user||No backwards compatibility at all|
|5 3||see Level 5 below|
- Note: This is level is available from Azureus 126.96.36.199_B05 onwards.
Level 5 is only intended for people who have problems with a specific traffic shaping method employed by sandvine traffic shaping hardware, see Bad ISPs to discover if this applies to you. The premise of this method is to minimize the amount of unencrypted information leaked. To enable it select following settings:
- Tools -> Options -> Connection -> Transport Encryption (See here)
- Enable require encryption
- Select RC4
- Disable both fallback checkboxes
- Tools -> Options -> Tracker -> Client
- Enable Do not announce the listening port to the tracker
- Set the peer limit to a low figure, start with 1 or 2
- set the Minimum time between tracker announces to 900 for example
- Adjust DHT settings (2 mutually exclusive alternatives):
- Disable the DHT:
- Go to Tools -> Options -> Plugins -> Distributed DB and uncheck Enable the distributed database
- Try to get more peers via DHT:
- Go to Tools -> Options -> Plugins -> Distributed Tracker and uncheck Only track normal torrents[...]
- Try to seed a torrent you haven't seeded within the last few hours or so before applying these settings
- For some of these settings to be available you will have to switch to intermediate or higher user mode
- This might not work on torrents with very few peers because the shaping device may grab all necessary data with the first few tracker announces
- These settings will significantly increase the time it takes to join a swarm, regardless of downloading or uploading, so you have to be patient and/or perform a manual announce a few(!) times until you get your first few pex-capable peers. You should also consider that PEX takes at least a minute, if not longer to gather additional peers.
- This will not work on private torrents, see below.
- This solution may not work at all for you! We've had both reports of success and failure with the method described above.
Since level 5 is highly dependent on PEX which is mutually exclusive with private torrents/trackers this mode cannot be applied to seed or download on private trackers. But since private trackers are usually community-based it should be easy for you to request your administrators to add HTTPS-support to their tracker and thus reduce the information leak to traffic shaping hardware.
- Note: Since only users affected by this kind of traffic shaping will need https-tracker announces and the remaining userbase can use http the performance impact should be negligible.
If you are not the initial seed of a torrent and just want to do your fair share of uploading you can do that while you're still downloading by dynamically limiting the download speed to a multiple or fraction of the upload speed, you can do that by using autospeed classic under tools -> options -> transfer -> autospeed and setting an download to upload speed ratio.
Disguising tracker traffic
Another option is to tunnel the tracker over TOR or an SSH-Tunnel via tracker communication proxying using SOCKS under tools -> options -> connection -> proxy options. If you do this you won't have to set any of the above options (limiting peer requests etc.), but you will have to set your announce IP override to your external, public IP under tools -> options -> tracker -> client.
- Note 1: Doesn't work with private torrents
- Note 2: Should not be used in combination with the bind to local port feature
- Note 3: You should change your listening port and adjust your port forward and/or firewall rules after you've disabled incoming fallback connections