
Ask Slashdot: Managing Device-Upgrade Bandwidth Use?

timothy posted about a year ago | from the selective-enforcement dept.

Networking 159

First time accepted submitter wallydallas writes "I'm close to a solution, but I wonder how other people block their many devices and operating systems from updating in working hours. For example: I'm the IT guy who blocks iPads from updating when school is in session because we are in a rural location. 3mbps is the best WAN we can buy. Devices can update after hours just fine. We do this with our router (DDWRT) by blocking MESU.APPLE.COM. Many guests bring in Windows 7 laptops, and I want to welcome them, but not their updates. How can I block updates on Android Phones and Linux Laptops? I have a 4G device at home, and I'd like to apply the same tricks 24 hours a day so that I don't use up the bandwidth from my vendor. And my many home visitors should have their updates blocked."


Wrong site (-1, Offtopic)

Anonymous Coward | about a year ago | (#45741459)

You're looking for expert sex change dot com.

For Windows (5, Informative)

jones_supa (887896) | about a year ago | (#45741465)

For Windows, you could try blocking the addresses listed in the Microsoft Knowledge Base article 818018 [microsoft.com] .

The Legend of the Racist Erection (-1)

Anonymous Coward | about a year ago | (#45741555)

How can we tell?

Re:For Windows (2, Informative)

Anonymous Coward | about a year ago | (#45743071)

That is not a complete list. We set up our DNS to return 127.0.0.1 for all of those hostnames, and Microsoft still found a way to do a forced update to MSIE10 that broke all of the Dell desktops running Windows in our office. We had to reimage all of the Dells to get them running again. We found the IP addr Microsoft was using for their abuse and blocked it, but then about four months later Microsoft found another way to do yet another forced update and breaking of our desktops. Again, we had to reimage to get the systems to boot.

Again, that list is not complete. If you block just those, Microsoft will still find a way to break your systems.

Re:For Windows (1)

byornski (1022169) | about a year ago | (#45743261)

Broke, or fixed?

It depends on your environment. (2, Informative)

Anonymous Coward | about a year ago | (#45741487)

If there are a lot of people that want to do the updates, AND you have the space, a caching service can ease the pain. The first time an update is done, the cache (proxy) saves the reply, then when someone else asks for the update, it is supplied locally rather than downloading it again.

Re:It depends on your environment. (0)

Anonymous Coward | about a year ago | (#45741577)

you cannot proxy https and about anything that uses authentication

Re:It depends on your environment. (0)

Anonymous Coward | about a year ago | (#45741609)

*boggle*

Re:It depends on your environment. (0)

Anonymous Coward | about a year ago | (#45741679)

you cannot proxy https and about anything that uses authentication

So if a solution is not 100% perfect, it has to be thrown into trash can?

Re:It depends on your environment. (0)

Anonymous Coward | about a year ago | (#45741709)

Well, if there is a solution which is actually 100% perfect, yes.

Re:It depends on your environment. (2)

CohibaVancouver (864662) | about a year ago | (#45741923)

So if a solution is not 100% perfect, it has to be thrown into trash can?

Of course. This is Slashdot - Where the edge use case wins, every time - Where perfect is the enemy of good.

Re:It depends on your environment. (0)

Anonymous Coward | about a year ago | (#45742157)

Ironport.

Re:It depends on your environment. (1)

weilawei (897823) | about a year ago | (#45742323)

What planet do you live on? Plenty of corporations and schools mandate that you allow them to MITM you. Accept this certificate or don't use our network.

Re:It depends on your environment. (0)

Anonymous Coward | about a year ago | (#45743127)

There is an in-the-wild malware that takes advantage of HTTPS proxies and uses a forged Microsoft MD5 old cert to get Windows Update to install other malware as system.

Re:It depends on your environment. (1)

fuzzyfuzzyfungus (1223518) | about a year ago | (#45742599)

you cannot proxy https and about anything that uses authentication

You can't (easily) MiTM clients that you don't manage; but many, perhaps most, update mechanisms don't use SSL or authentication. It's assumed that ineligible users either have absolutely no interest, or (as in the case of pirates) are probably sophisticated enough that trying to keep them from scoring a copy somehow isn't worth the effort.

As for SSL, that's extra overhead, and the server is shovelling out the same set of patches to everyone and (on all remotely recent and non-insane update systems) the update client is verifying the package signature before installation, so protecting the package on-the-fly isn't a high priority.

There are likely to be exceptions, which you'll have to block or suck up; but SSL is not a priority in basic patching scenarios (though the fact that some of the big guys, like Windows update, use BITS [wikipedia.org] rather than HTTP will be modestly inconvenient, since HTTP proxies are incredibly common compared to other flavors).

Re:It depends on your environment. (1)

Architect_sasyr (938685) | about a year ago | (#45742619)

There are two options available to you - 1. Apple's caching server works perfectly (so long as your external IP doesn't change and everyone is on iOS 7 and Mountain Lion or Mavericks) - you download once (on demand rather than syncing the whole repo "WSUS" style) and distribute to many. This saves heaps of space without screwing with the end user, and it doesn't need to be managed via GP or anything like that. 2. SCCM on demand packages. Not an SCCM guy, but if you can replicate the caching server from Apple in SCCM, you're on the way.

Neither of these options gives a flying crap about HTTPS or Authentication.

Re:It depends on your environment. (0)

Anonymous Coward | about a year ago | (#45743209)

File serving updates over SSL is expensive, in terms of power, cycles and dollars. In most cases it's only the update manifests that are served over SSL (authenticated or otherwise), while the updates themselves are plain old HTTP and their checksum/hash is verified against the manifest once download is complete. Block/cache the HTTP downloads and you don't need to care who downloads the manifests.
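The manifest-over-TLS, payload-over-HTTP split described in this comment (and the signature check fuzzyfuzzyfungus mentions further up) is what makes a caching proxy safe to run: the cache holds bytes that arrived unauthenticated, so they have to be checked against the manifest again before being handed out. The following is an added example, not code from the thread or from any vendor's updater; the manifest format and package names are constructed stand-ins for whatever the real vendor ships.

```python
"""Serve cached update payloads only after re-checking them against the
manifest that describes them.

Added example; not from the thread or any vendor's updater. It models the
split described in the comment above: a manifest (fetched over TLS) carries
the expected hash of each package, the package itself travels over plain
HTTP and may sit in a cache. The cache is therefore untrusted storage, so
the hash is checked again whenever a cached copy is served.
"""
import hashlib
import hmac
from typing import Dict, Mapping, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: Mapping[str, bytes]) -> Dict[str, str]:
    """Stand-in for the vendor's manifest: package name -> expected sha256."""
    return {name: sha256_hex(blob) for name, blob in packages.items()}


def verify_payload(manifest: Mapping[str, str], name: str, data: bytes) -> bool:
    """True only if the manifest lists `name` and the hash matches.
    compare_digest keeps the comparison constant-time."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


class UpdateCache:
    """Minimal in-memory cache for update payloads fetched over plain HTTP."""

    def __init__(self) -> None:
        self._store: Dict[str, bytes] = {}

    def store(self, name: str, data: bytes) -> None:
        self._store[name] = data

    def serve(self, name: str, manifest: Mapping[str, str]) -> Optional[bytes]:
        """Return the cached payload if it still matches the manifest.
        On a mismatch the entry is evicted and None is returned, so the next
        request goes back to the origin instead of re-serving bad bytes."""
        data = self._store.get(name)
        if data is None:
            return None
        if not verify_payload(manifest, name, data):
            del self._store[name]
            return None
        return data


if __name__ == "__main__":
    # Constructed payloads; real packages would be the vendor's files.
    good = b"constructed update payload, version 1.0"
    manifest = build_manifest({"pkg-1.0.bin": good})
    cache = UpdateCache()
    cache.store("pkg-1.0.bin", good)
    print("clean copy served:", cache.serve("pkg-1.0.bin", manifest) == good)
    cache.store("pkg-1.0.bin", good + b" tampered")
    print("tampered copy served:", cache.serve("pkg-1.0.bin", manifest))
```

The check at serve time rather than only at store time is the point: anything that can write to the cache (a poisoned HTTP response, a bad disk, an admin typo) is caught before the client ever sees it, and the client's own signature check remains the last line of defence.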

3Mbps?!?? (1)

Anonymous Coward | about a year ago | (#45741499)

Weren't there billions of dollars spent by the government like 10 years ago to get every school connected with high speed internet?

Re:3Mbps?!?? (5, Funny)

The_Wilschon (782534) | about a year ago | (#45741603)

Wasn't 3 Mbps "high-speed" ten years ago?

Re:3Mbps?!?? (2)

lactose99 (71132) | about a year ago | (#45741759)

Hell, I still think the FCC counts it as high-speed even now in their broadband reports.

Re:3Mbps?!?? (0)

Anonymous Coward | about a year ago | (#45741823)

Certainly if you divide that up among a large number of users it could be problematic. However, IMO the high-speed classification is still valid in the context of a home connection with a few users. Most DSL is still around that speed, and cable is not much faster except for some of the higher priced tiers, but still not even approaching an order of magnitude faster. Fiber of course is the exception, but you wouldn't argue that an Indy car is not a race car just because there are jets that can travel an order of magnitude faster.

Re:3Mbps?!?? (-1)

Anonymous Coward | about a year ago | (#45742311)

I'm on a midrange (as defined by my ISP) cable connection. I've got 25mbps in theory, and closer to 30 in practice. If I wanted to pay about $40 more per month (and go to the top tier plan), I could quadruple my speed. My internet tier certainly approaches an order of magnitude faster than 3mbps.

Re:3Mbps?!?? (0)

Anonymous Coward | about a year ago | (#45742467)

Hell, I still think the FCC counts it as high-speed even now in their broadband reports.

Technically speaking you could have a broadband connection that runs slower than dial-up. Broadband is a type of technology, and while it's usually used to deliver faster speeds than narrowband, that's not necessarily going to always be the case.

As for the article, there's a couple things wrong.
"3mbps is the best WAN we can buy"
Wrong. It might be the best you can afford, but there are plenty of people who will run you a much better pipe if you're willing to pony up the cash. Yes, even in the middle of nowhere.

"We do this with our router (DDWRT)"
You should probably get a managed router/switch instead of that consumer grade POS.
That one should be fine for a "guest access" device, but you'll be better off hooking it up to a more capable upstream device and doing your traffic management on the upstream one instead. It might also be a good idea to get yourself an actual firewall of some sort, which can be used to set schedules for allowing or blocking traffic to/from various update sites (as well as other sites).

As for which sites to block, that should be a simple matter to determine using Wireshark and a couple test devices, or if you run your own DNS by checking the logs to see what lookups are being done.

As for your 4G device, are you talking about something like a phone which has both wireless and 4G? Or do you mean that your only internet access is via a 4G plan? If the latter is true, then the same tricks apply at home as they do at the office, assuming your hardware can handle it. If your internet is not via 4G and you're talking about a device which can use both, that solution will have to be implemented on the device itself... nothing you do on your router will affect what happens when the device is not going through it. You can check the various app stores to see if there's a firewall/scheduler application of some type if that's your situation.

Re:3Mbps?!?? (0)

Anonymous Coward | about a year ago | (#45743017)

It might be the best you can afford

So, yeah; they can't

there are plenty of people who will run you a much better pipe if you're willing to pony up the cash.

So it's not that I can't buy my own island, it's just that I can't afford it, even though there are plenty of people who will build one for me if I'm willing to pony up the cash. Yes, even in the middle of nowhere.
I don't know about you but for me, affording is usually a prerequisite for buying.

Re:3Mbps?!?? (1)

mysidia (191772) | about a year ago | (#45743321)

Hell, I still think the FCC counts it as high-speed even now in their broadband reports.

It is high speed, for a typical household of 3 people.

Hell; 1 Megabit per 10 students is high-speed.

1 Megabit per 20 students is NOT.

3 Megabits per 100 students is insanely crappy.

3 Megabits per 1000 students is a friggin joke.

Re:3Mbps?!?? (0)

CAOgdin (984672) | about a year ago | (#45741847)

AT&T still think it IS high-speed! (I, too, am rural, and getting the fastest speed I can...3 Mb/s...and cursing AT&T every hour of the day for their focus on THEIR profit, not any customers' quality of service.)

Of course, if you're willing to pay them thousands of dollars a month, they'll happily give you higher speed...but not at worldwide comparable rates.

Broadband, in the home country of broadband, still sucks, and AT&T, Verizon, and all the other crooks enabled by the FCC (the head of the agency came from one of the major firms) have a singular pricing policy: Summarized, it is: "BEND OVER!"

Re: 3Mbps?!?? (0)

Anonymous Coward | about a year ago | (#45742095)

Yeah, it's pretty sad. I have seen 70Mbps (45 of actual throughput) on AT&T. The best Time Warner can offer here is 35mbps download though. When did the cell networks get faster than a dedicated line? Oh yeah... when corporate greed took over.

Re:3Mbps?!?? (1)

Grishnakh (216268) | about a year ago | (#45741989)

3Mbps isn't blazing fast, but it's not completely horrible (though I don't think it's quite fast enough for Netflix).

The problem is if you're trying to run an entire school on it, rather than a single person's apartment.

Re:3Mbps?!?? (1)

dugancent (2616577) | about a year ago | (#45742349)

I watch Netflix on a 3Mbit connection with no problem. That said, I have a standard-def TV.

Re:3Mbps?!?? (1)

i.r.id10t (595143) | about a year ago | (#45742537)

I have 1.5mb down DSL - it's all I can get. Well, I can "get" 3 but I'm so far out at the end of the run it randomly disconnects 5 or 10 times a day and refuses to reconnect, requiring a power cycle of the "modem" (ISP provided) or router (and I've tried quite a few).

Re:3Mbps?!?? (0)

Anonymous Coward | about a year ago | (#45743095)

Modem should reconnect automatically. It sounds like you have some other problem.

Re:3Mbps?!?? (0)

Anonymous Coward | about a year ago | (#45743173)

I can get a 10mb/10mb dedicated Active Ethernet with dedicated bandwidth for $40/month 2 miles outside the city proper, and static blocks for $8/month per /29. I'm in the Midwest USA. That $40 includes all fees and taxes and assumes naked Internet with no bundling.

Re:3Mbps?!?? (1)

Albanach (527650) | about a year ago | (#45742039)

3mb isn't a lot for a school, especially where there might be a need for streaming video. It would be pretty straightforward to add another connection or two and do some load balancing. Combining that with the QoS suggestion others have made might make the whole network a lot nicer to use.
 

Re:3Mbps?!?? (0)

Anonymous Coward | about a year ago | (#45741691)

Submitter is incompetent. Microwave point-to-point connections are available in even the deepest of rural areas and offer 50mb for very little per month/quarter. Even our local piss pot coal mining community public school is on a 100mb link these days.

Re:3Mbps?!?? (1)

queazocotal (915608) | about a year ago | (#45741785)

If you happen to be in range of an existing tower.

Re:3Mbps?!?? (0)

Anonymous Coward | about a year ago | (#45741961)

Microwave transmissions are good for something like 30 miles, and relay stations can be setup if they need to go farther.

Re:3Mbps?!?? (3, Interesting)

queazocotal (915608) | about a year ago | (#45742111)

They are good for 30 miles - if there is a clear path.
This is not just line of sight - but slightly more than this - the path cannot go just past obstacles.
http://www.proxim.com/products/knowledge-center/calculations/calculations-fresnel-clearance-zone [proxim.com]

For a 30 mile link, the fresnel zone reaches 100 feet in the middle of the link - if anything is in this zone, then the signal will be severely affected.
Add to this the limitation of sight due to a non-flat horizon - 150 feet towers are needed just to get minimum line of sight.
For flat land with trees up to 30 feet in places in the middle, for example, that adds up to a total of (100/2)+30+150 = 230 feet towers.

If one end is at altitude - you still may need a significant tower in order to clear the fresnel zone.

slow down partner (1)

Anonymous Coward | about a year ago | (#45742645)

you're making a lot of assumptions about the fresnel zone without knowing the frequency the equipment is operating on.

Re:slow down partner (1)

queazocotal (915608) | about a year ago | (#45742705)

Quite - I arbitrarily assumed 2.4GHz.

Re:3Mbps?!?? (1)

aaronb1138 (2035478) | about a year ago | (#45742405)

Too bad so many of those providers have insufficient backhaul. For every small town with reportedly good line of sight wireless, there are 5 with ISDN like peak daytime speeds due to congestion and crap equipment.

Re:3Mbps?!?? (1)

Cramer (69040) | about a year ago | (#45742417)

Reading the post, I immediately said, "not the best you can buy, just the best you're willing to pay for."

Re:3Mbps?!?? (1)

mysidia (191772) | about a year ago | (#45743335)

Reading the post, I immediately said, "not the best you can buy, just the best you're willing to pay for."

Yeah.... use of freebie or low-end consumer-grade broadband services in a large scale instruction environment.

If your school spends more in a month on toilet paper; or getting the grounds mowed or floors cleaned, in costs, than on your internet connection, then you are doing it wrong.

Re:3Mbps?!?? (1)

mysidia (191772) | about a year ago | (#45743315)

Wasn't there billions of dollars spent by the government like 10 years ago to get every school connected with high speed internet?

Discounted telecommunication services available to schools under E-Rate.

For every 1000 students; there should be 100 Megabits.

This is like saying.... for our school lunch program; the budget we have allocated, only allows us to buy 10 pounds of meat. All 10000 of you will just have to share it.

By the way; if any of you are hungry because you skipped breakfast: we're going to have to take measures to block you from accessing the serving dish, since we find that such users are likely to eat a lot more food.

Pfsense (5, Informative)

bhenson (1231744) | about a year ago | (#45741513)

Use pfSense and use the package squidguard (or dansguardian) and use the software downloads list.

Re:Pfsense (0)

Anonymous Coward | about a year ago | (#45743217)

Does squidguard even work with the current versions of Squid?

pfSense (4, Informative)

Anonymous Coward | about a year ago | (#45741519)

http://www.pfsense.org/

install pfsense plus squid and block the update sites.

pfsense wan goes to the modem
pfsense lan goes to the access point.

squid time based acl (0)

Anonymous Coward | about a year ago | (#45741541)

http://www.squid-cache.org/Doc/config/acl/

acl aclname time [day-abbrevs] [h1:m1-h2:m2]
            # [fast]
            # day-abbrevs:
            # S - Sunday
            # M - Monday
            # T - Tuesday
            # W - Wednesday
            # H - Thursday
            # F - Friday
            # A - Saturday
            # h1:m1 must be less than h2:m2

Exercise for the reader
Create different time ACLs and block and allow based on them

cheers
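The "exercise for the reader" has one catch worth spelling out: squid's `time` ACL requires h1:m1 to be less than h2:m2, so an after-hours update window such as 16:00 to 07:30 cannot be written as a single ACL and must be split at midnight. The script below, an added example that is not from the post or from the squid project, generates the `acl` and `http_access` lines for an allow-only-in-window policy and performs that split. `mesu.apple.com` is the host the submitter already blocks; `.updates.example.net` and the 08:00-16:00 school day are constructed assumptions.

```python
"""Build squid ACLs that allow software-update hosts only inside an
"update window" and deny them the rest of the time.

Added example; not from the original post or the squid project. squid's
`acl <name> time [days] [h1:m1-h2:m2]` requires h1:m1 < h2:m2, so a window
that runs past midnight (16:00 to 07:30) must be split into two ACLs.
"""
from typing import List, Sequence, Tuple

# squid's single-letter day codes (H = Thursday, A = Saturday).
SQUID_DAYS = "SMTWHFA"


def _hhmm(value: str) -> Tuple[int, int]:
    """Parse 'HH:MM' and range-check it."""
    hours, minutes = value.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time of day: {value!r}")
    return h, m


def split_window(start: str, end: str) -> List[Tuple[str, str]]:
    """Return one or two (h1:m1, h2:m2) ranges, each with h1:m1 < h2:m2.

    A window that wraps past midnight becomes start-23:59 plus 00:00-end;
    the single minute 23:59-00:00 falls outside the window, which is the
    accepted imprecision of this syntax.
    """
    s, e = _hhmm(start), _hhmm(end)
    if s == e:
        raise ValueError("zero-length window")
    if s < e:
        return [(start, end)]
    return [(start, "23:59"), ("00:00", end)]


def build_update_policy(name: str, domains: Sequence[str],
                        windows: Sequence[Tuple[str, str, str]]) -> str:
    """Emit squid.conf lines for an allow-only-in-window update policy.

    windows: (day codes, start, end) tuples, e.g. ("MTWHF", "16:00", "07:30").
    A domain with a leading dot matches the domain and all of its subdomains
    (squid dstdomain semantics).
    """
    lines = [f"acl {name}_dst dstdomain " + " ".join(domains)]
    time_acls: List[str] = []
    idx = 1
    for days, start, end in windows:
        bad = [d for d in days if d not in SQUID_DAYS]
        if bad:
            raise ValueError(f"unknown squid day code(s): {bad}")
        for h1, h2 in split_window(start, end):
            acl = f"{name}_t{idx}"
            lines.append(f"acl {acl} time {days} {h1}-{h2}")
            time_acls.append(acl)
            idx += 1
    # First match wins in squid: allow inside any window, then deny the
    # update hosts outright. These lines belong before the general
    # "http_access allow localnet" rule.
    for acl in time_acls:
        lines.append(f"http_access allow {name}_dst {acl}")
    lines.append(f"http_access deny {name}_dst")
    return "\n".join(lines)


if __name__ == "__main__":
    # mesu.apple.com is the host the submitter already blocks; the second
    # entry is a constructed placeholder for another vendor's update CDN.
    print(build_update_policy(
        "updates",
        ["mesu.apple.com", ".updates.example.net"],
        [("MTWHF", "16:00", "07:30"), ("SA", "00:00", "23:59")],
    ))
```

Run it and paste the output into squid.conf above the site-wide allow rule; anything else about the update hosts (caching refresh patterns, for instance) is untouched because the policy only decides when those destinations are reachable.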

Don't block it, QoS it. (5, Interesting)

phizi0n (1237812) | about a year ago | (#45741599)

There's no reason to avoid using your bandwidth when you can use QoS to deprioritize it so that they can still update any time the bandwidth is available. Most any linux router can do this with tc and iptables, or sometimes with less configurability through their GUIs.

At home you have control over the devices and can just disable them from automatically updating.

Re:Don't block it, QoS it. (0)

PeeAitchPee (712652) | about a year ago | (#45741647)

He's paying per MB downloaded . . . it costs him money for them to download their patches using his bandwidth, even if nothing else is going on.

Re:Don't block it, QoS it. (1)

fisted (2295862) | about a year ago | (#45741735)

Then why is he fine with people updating after hours?

Re:Don't block it, QoS it. (1)

msobkow (48369) | about a year ago | (#45741771)

He's dealing with two locations: his home, where he pays for bandwidth, and his work, where the concern is peak hour traffic.

Re:Don't block it, QoS it. (1)

Desler (1608317) | about a year ago | (#45742209)

No, you're actually confusing what they said.

I'm the IT guy who blocks iPads from updating when school is in session because we are in a rural location. 3mbps is the best WAN we can buy. Devices can update after hours just fine.

The person you responded to was correct in saying that his post said they were allowed to update devices after hours. The part about his own devices at home was a completely separate part of the post.

Re:Don't block it, QoS it. (1)

Zocalo (252965) | about a year ago | (#45741815)

The article doesn't actually mention costs at all, so I don't think that's an issue so much as people soaking up the scarce bandwidth when others are trying to use the connection for its primary intended purpose: schoolwork. If it were a problem, then I'd have expected the question to have included asking for advice on caching proxies and suchlike to save bandwidth. If there's no cap, then QoS would be a good part of a solution for this as it lets you make maximum use of your circuit, while avoiding degrading the experience for people just surfing the web.

Re:Don't block it, QoS it. (1)

lesincompetent (2836253) | about a year ago | (#45741755)

He/she only talked about bandwidth, not traffic limitations.
BTW, how effective can QoS really be? I'm a little bit skeptical.

Re:Don't block it, QoS it. (1)

ewieling (90662) | about a year ago | (#45742113)

BTW, how effective can QoS really be? I'm a little bit skeptical.

You can only QoS the transmits. To do it correctly, you must do QoS on both ends of the circuit. You can do some "poorman's QoS" by putting it on the transmit side of your router, but that only helps with TCP, not UDP and relies on TCP's throttling.

Re:Don't block it, QoS it. (1)

Cramer (69040) | about a year ago | (#45742439)

Actually, the router does transmit... to the inside interface. With a bit of buffering, or dropping traffic -- but as it's already crossed the link, you don't want to have to receive it again -- it is entirely possible to rate limit traffic in both directions. Knowing *what* to rate limit is the issue. If he knew what sites were "update" sites, he'd just block them entirely.

Re:Don't block it, QoS it. (0)

Anonymous Coward | about a year ago | (#45742519)

BTW, how effective can QoS really be? I'm a little bit skeptical.

You can only QoS the transmits. To do it correctly, you must do QoS on both ends of the circuit. You can do some "poorman's QoS" by putting it on the transmit side of your router, but that only helps with TCP, not UDP and relies on TCP's throttling.

100% wrong from start to finish.
What QoS is used for in this context is controlling the data flowing between the edge of his network and the end devices on his network.

I'm not going to get into everything wrong with the rest of what you said because there are plenty of books, primers, how-to guides, and other information which can explain the fundamentals of QoS, TCP, and UDP to you. You should probably read up on it.

Re:Don't block it, QoS it. (1)

tlhIngan (30335) | about a year ago | (#45741757)

He's paying per MB downloaded . . . it costs him money for them to download their patches using his bandwidth, even if nothing else is going on.

Except he's fine with them updating after hours, when the demand on the connection is far lower.

Basically, he doesn't want updates to bog down the internet link during school hours and making everyone's experience slow and annoying (especially Apple updates - want a good speed test? Apple seems to push the bits out). But after hours when the link is idle, update away because no one else is likely to notice.

Re:Don't block it, QoS it. (0)

Anonymous Coward | about a year ago | (#45741775)

He's paying per MB downloaded . . . it costs him money for them to download their patches using his bandwidth, even if nothing else is going on.

The QoS suggestion was for the school use case.

The "just disable them from automatically updating." suggestion was for his home use.

Re:Don't block it, QoS it. (1)

jones_supa (887896) | about a year ago | (#45741783)

He's paying per MB downloaded

You made that up. He didn't say that.

Re:Don't block it, QoS it. (0)

Anonymous Coward | about a year ago | (#45741677)

At home you have control over the devices and can just disable them from automatically updating.

Apparently you missed the part where he wanted to disable updates for his guests. Apparently he lets them connect to his 4G device at home. Also apparently they don't have internet at home and come to his place to do updates. Otherwise, I can't see how he would begrudge these visitors their odd A/V signature update or what have you.

Re:Don't block it, QoS it. (0)

Anonymous Coward | about a year ago | (#45741913)

Most any linux router can do this with tc and iptables, or sometimes with less configurability through their GUI's.

DD-WRT can do it. The questioner says he's already using it. It worked for me (Netflix vs USENET).

Re:Don't block it, QoS it. (1)

girlintraining (1395911) | about a year ago | (#45742713)

There's no reason to avoid using your bandwidth when you can use QoS

You seem to forget that many ISPs sport bandwidth caps, which is a misnomer; they're actually limiting the amount of data transferred during a given timeframe. QoS doesn't stop a fat bill from showing up the next month showing you used up 1.5TB on an account purchased at a 200GB level.

Re:Don't block it, QoS it. (1)

AmiMoJo (196126) | about a year ago | (#45743309)

QoS can only do so much when a number of clients are trying to use a slow connection at the same time because it can only control outgoing packets. Incoming packets are queued at the ISP and sent to the modem at its maximum speed in the order they arrived. Worse still, many servers cheat and ignore tcp/ip rate limiting.

why give them wifi? (0)

Anonymous Coward | about a year ago | (#45741611)

If someone is at school shouldn't they be learning rather than doing something on their phone?

Re:why give them wifi? (0)

Anonymous Coward | about a year ago | (#45741801)

Buy a pair of scissors right? Ok, has enough time passed?

Re:why give them wifi? (1)

Cramer (69040) | about a year ago | (#45742447)

a) "school" now includes "internet" (unlike when I was a child and we learned from books)
b) devices do this shit entirely on their own with zero user interaction.

Log and block (0)

Anonymous Coward | about a year ago | (#45741613)

Suggest you enable logging on the proxy/router, monitor for addresses/IPs related to updates and block them. You'll want to block application updates like Adobe, etc. also, I would presume.
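This comment and the earlier suggestion to find update sites "by checking the logs to see what lookups are being done" both come down to the same job: rank the names your resolver saw during school hours and look for the ones that many devices hit repeatedly. The script below is an added example, not from the thread; it parses dnsmasq-style `query[...]` lines (the format dnsmasq writes with query logging enabled; DD-WRT ships dnsmasq, but the log lines here are constructed). The 08:00-16:00 window, the 192.168.1.x client addresses and every hostname other than `mesu.apple.com` are assumptions.

```python
"""Rank DNS lookups made during working hours to find update hosts worth
blocking, caching or rate-limiting.

Added example; not from the original thread. It parses dnsmasq-style
`query[...]` log lines and ignores everything else (cached/reply lines),
then groups names by their last two labels so a vendor's many CDN
hostnames collapse into one row.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

LOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+(?P<h>\d{2}):(?P<m>\d{2}):\d{2}\s+"
    r"dnsmasq\[\d+\]:\s+query\[(?P<qtype>[A-Z0-9]+)\]\s+"
    r"(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

# Assumption: 08:00-16:00 is "school in session".
SCHOOL_HOURS = ((8, 0), (16, 0))


def in_school_hours(hour: int, minute: int,
                    window: Tuple[Tuple[int, int], Tuple[int, int]] = SCHOOL_HOURS) -> bool:
    start, end = window
    return start <= (hour, minute) < end


def parent_domain(name: str, labels: int = 2) -> str:
    """Crude grouping by the last `labels` labels. Good enough for a first
    pass; country-code second-level domains (co.uk) need labels=3."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def summarize_queries(lines: Iterable[str],
                      min_clients: int = 1) -> List[Tuple[str, int, int]]:
    """Return (domain, query count, distinct clients) for in-hours lookups,
    most-queried first. Domains seen from fewer than min_clients hosts are
    dropped: an update CDN shows up from many devices at once, one
    student's browsing does not."""
    counts: Dict[str, int] = defaultdict(int)
    clients: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        mo = LOG_RE.match(line.strip())
        if mo is None:  # not a query line: cached/reply/config noise
            continue
        if not in_school_hours(int(mo["h"]), int(mo["m"])):
            continue
        dom = parent_domain(mo["name"])
        counts[dom] += 1
        clients[dom].add(mo["client"])
    rows = [(d, counts[d], len(clients[d]))
            for d in counts if len(clients[d]) >= min_clients]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


# Constructed sample log: client addresses and all hostnames except
# mesu.apple.com are placeholders.
SAMPLE_LOG = [
    "Dec 18 09:12:01 dnsmasq[1234]: query[A] mesu.apple.com from 192.168.1.42",
    "Dec 18 09:12:05 dnsmasq[1234]: query[A] mesu.apple.com from 192.168.1.57",
    "Dec 18 09:13:00 dnsmasq[1234]: cached mesu.apple.com is 192.0.2.1",
    "Dec 18 10:30:44 dnsmasq[1234]: query[A] updates.example.net from 192.168.1.42",
    "Dec 18 10:30:45 dnsmasq[1234]: query[A] cdn.updates.example.net from 192.168.1.42",
    "Dec 18 11:02:10 dnsmasq[1234]: query[A] lms.example.org from 192.168.1.90",
    "Dec 18 17:45:00 dnsmasq[1234]: query[A] mesu.apple.com from 192.168.1.11",
]

if __name__ == "__main__":
    for dom, n, c in summarize_queries(SAMPLE_LOG, min_clients=2):
        print(f"{dom:30} {n:5d} queries from {c} clients")
```

Feed it a day's worth of real log and the top rows with a high client count are your candidates; confirm each one with a packet capture from a test device before adding it to a block list or a squid ACL, since a name that merely looks like a CDN may also serve the school's own web apps.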

Consider caching instead (5, Informative)

nemesisrocks (1464705) | about a year ago | (#45741685)

Since you're in such a remote area, your visitors very likely also have slow connections at home too. Why not cache the updates instead? You'll be contributing towards a safer, more secure internet.

The first person who downloads them would cause a drain on the network, but at least all future attempts would be served up from your cache. You could even have a spare machine downloading the updates overnight, pre-populating the cache for your visitors, to reduce the burden updates cause during the day.

I've used the instructions here with great success on Squid: http://wiki.squid-cache.org/SquidFaq/WindowsUpdate [squid-cache.org]

Apparently Apple iOS updates can be cached too, e.g.: http://lkrms.org/caching-ios-updates-on-a-squid-proxy-server/ [lkrms.org]

Re:Consider caching instead (1)

Enry (630) | about a year ago | (#45741813)

Between this and QoS it should take care of the problem.

Re:Consider caching instead (1)

Sez Zero (586611) | about a year ago | (#45742201)

Caching helped me a bunch. We have a little Mac mini and I turned on Caching service on OS X server. Works great for software updates, App Store purchases, for local Mac and iOS devices. It works much better since iOS 7, keeping those iPhones in check.

OT: can you bond multiple pipes? (0)

Anonymous Coward | about a year ago | (#45741687)

Back in dialup days some providers let you "bond" 2, 3, or even dozen(s?) of modems together.

Ask your ISP if they have that capability with the existing lines.

If not, consider adding a satellite connection and QOS bulk incoming data through that pipe.

Captha: obsolete

DPI. deep packet inspection (1)

sgt scrub (869860) | about a year ago | (#45741719)

You can put snort on DDWRT. There are signatures that can be added and removed via script and cron. The signatures are able to block Microsoft Updates, normal and BITS, as well as specific services on iTunes.

Why just device updates? (3, Informative)

ChaseTec (447725) | about a year ago | (#45741749)

Any particular reason you've singled out device updates? Seems like you'd want to block or QoS all large or multi-range binary transfers. You should have a transparent caching proxy server in place (which is where you'll be able to inspect and block large transfers).

Re:Why just device updates? (1)

forkazoo (138186) | about a year ago | (#45742661)

Well, if he has identified it as taking up a large amount of the available bandwidth, then it certainly makes sense to consider it a target for reductions. Perhaps more importantly, users tend not to care about updates like that. A user actively downloading a file from some source is probably more important than some automated process the user doesn't care about, and can be deferred until the user gets home without them noticing anything.

That said, I've been saying for a while that there needs to be some sort of bandwidth discovery protocol. My original thought process was driven by apps on mobile phones, but this seems like it would benefit for the same reasons. Wireless operators are always concerned about using scarce bandwidth resources so we get plans with low data caps and such. Imagine if there was a completely standardised way for an application (say an email app on a phone) to "ping" bandwidthdiscovery://mail.foo.com with some sort of priority metric. If nothing responded back, it would act normally, so the system would be completely backwards compatible. If something did respond back along the route (for example, the wireless ISP you are connected to, but it could theoretically be something local or distant. The school's DDWRT router in the OP example.) it could reject the session, or encourage a delay. That way an email app set to check every 5 minutes could occasionally get a polite rejection from the ISP asking the app to hold off since circuits are overloaded. The phone would then wait a few minutes before trying again. Eventually the phone would download new email, but at high traffic times, it might wind up going 15 minutes instead of 5, saving the network some trouble. Software updates might defer a download for days or weeks if there is a continual rejection.

My Android phone lets me set software updates and podcast downloads to only happen over wifi, under the assumption that cellular data is expensive, but wifi data is unlimited. But, if I connect to a Mifi access point connected to a cellular connection, my phone currently has no way to discover that it is actually using (limited) cellular data. With a bandwidth discovery protocol, it would get the same rejections from the ISP that it would get if it had directly connected to the cellular data itself. And, local admins could easily set up rejection rules like the OP would be interested in, while still allowing the possibility of user overrides in cases where the school IT guy really wants to manually update the school's computer systems and whatnot. Think of it as a sort of queryable QoS.

And because any intermediate system on the route can let apps know to reduce bandwidth usage, a server being slashdotted can have some queries be rejected, rather than everything being on the link local side near the user. Obviously, none of this helps the admin in the immediate term. But, it would seem like that's how it ought to work.

It's not the updates, it's the cloud sync (2)

whoever57 (658626) | about a year ago | (#45741765)

On our network, we have seen one Apple machine running at 20Mbps to the Internet for hours on end. I believe this is a cloud sync. Looking at QoS to throttle this, but the external IP addresses appear to be a disparate and unknown set, so will have to throttle the firewall -> LAN IP connection.

Re:It's not the updates, it's the cloud sync (0)

Anonymous Coward | about a year ago | (#45742029)

Torrenting is called "cloud syncing" now? Jeez.

Re:It's not the updates, it's the cloud sync (1)

chromas (1085949) | about a year ago | (#45743091)

It's not just any cloud; p2p is cumulonimbus. Huge swarms of nodes all over the world and you don't have to care where they are to get what you want. Also, some of its usage may be legally cloudy. Cloud cloud cloud!

use a decent firewall (0)

Anonymous Coward | about a year ago | (#45741819)

https://www.paloaltonetworks.com/products/platforms/firewalls/pa-200/overview.html

This will do everything you could ever think of for control on your WAN link.

Get a demo in your environment for a few weeks.

Other vendors have similar products.

Unintended consequences (1)

Kardos (1348077) | about a year ago | (#45741827)

If you block updates, Windows particularly, then you'll have higher chances of infected systems that may be used for DDoS etc.

Re:Unintended consequences (1)

jones_supa (887896) | about a year ago | (#45742297)

Eh. You're stretching it a bit. I think those machines will soon enough find some other time or other network to get the updates in. The update check interval for Windows is 20 hours anyway.

Why do you let them on your home network? (1)

Anonymous Coward | about a year ago | (#45741893)

Blocking these types of downloads at a school I can understand; not a lot of schools have funding for high bandwidth connections.

At home that's another story: if you don't trust them, don't let them on. Why would you let them on your home network if you don't trust them? I consider letting them use my home network for phone and app updates to be being a good host. Overall my initial reaction to reading the question posed was the thought that you are very much on the verge of being a control freak.

Don't block them (0)

Anonymous Coward | about a year ago | (#45741925)

Shape them using QoS. Updates are important.

what? (1)

Anonymous Coward | about a year ago | (#45741927)

I'm in Juneau Alaska. The only way in and out of town is via plane or boat ... we are WORSE than rural. ... As of noon today, we just got 100Mb ..... something is wrong there.

Re:what? (0)

Anonymous Coward | about a year ago | (#45742239)

more dire in Sitka, at least you guys are connected to the continent.

Re:what? (1)

PopeRatzo (965947) | about a year ago | (#45742249)

I'm in Juneau Alaska. The only way in and out of town is via plane or boat ... we are WORSE than rural. ... As of noon today, we just got 100Mb ..... something is wrong there.

100Mb? But we're talking about network connections, not the size of your flash drives.

Re:what? (0)

Anonymous Coward | about a year ago | (#45742865)

I'm surprised you don't have faster in Juneau, the seat of AK gubment.

Re:what? (0)

Anonymous Coward | about a year ago | (#45743007)

I'm in Juneau Alaska. The only way in and out of town is via plane or boat ... we are WORSE than rural. ... As of noon today, we just got 100Mb ..... something is wrong there.

If you used a few flashdrives instead of floppies your penguin could carry much more than 12MB.

Caching server (0)

Anonymous Coward | about a year ago | (#45742033)

The caching service in OS X Mavericks Server will take care of this for iOS and OS X.

Wide scale blocking. (3, Interesting)

Lumpy (12016) | about a year ago | (#45742163)

I strongly suggest you also block all the common advert servers such as doubleclick as they consume far more bandwidth than the updates do.

Local update server (2)

_Ludwig (86077) | about a year ago | (#45742167)

Mavericks Server has Caching Server 2, which I haven't personally used but their blurb [apple.com] for it sounds like exactly what you want, at least as far as Apple devices.

Re:Local update server (1)

Anonymous Coward | about a year ago | (#45743219)

Caching Server 2 works great for OTA updates and Apps to iOS, so long as you have 1 pipe out to the internet.

It won't help you with 6->7 because 6 doesn't know it exists.

If you disable "local networks only" anything inside your private LAN (as opposed to just the subnet the caching server is on) will use it, including iTunes on desktops.

It's pretty neat all in all - pretty much any Mac capable of running Mavericks sitting in a wiring closet or machine room somewhere can do this readily.

Caching Service (0)

Anonymous Coward | about a year ago | (#45742197)

OS X Server has Caching Service [apple.com] to alleviate this exact problem.

Install the OS X Server package on any Mac running the latest OS X and turn on Caching Service. Then any iOS devices and Macs on the same subnet will automatically download updates from the Caching Service if available. Basically zero configuration and it takes care of a bunch of devices for you.

Ditch the WRT (4, Informative)

kroby (1391819) | about a year ago | (#45742269)

WRT is great for tinkering and home users, but good god, please don't put it in a production network. Get something like a SonicWALL or a FortiGate, learn to use it, and thank me later. QoS will get you nothing, there is no such thing as QoS on the internet. However, bandwidth management and throttling could help a lot. Before you can prioritize traffic you need to be able to identify it, and this is where life becomes much easier with a UTM appliance. You can prioritize by device type (MAC address), source, destination, protocol, or application. With application awareness you can easily see what is sucking up the most bandwidth, and it classifies all the traffic for you automagically based on signatures run against deep packet inspection. A caching proxy, as mentioned in other posts, would help speed up the internet and reduce bandwidth consumption. Something like Squid would work here, or you could go the appliance route. Bonus: with a UTM device you also get IDS/IPS, botnet filtering, gateway antivirus, spam filtering, RBL filter, content filtering, application control, SSL VPN, wireless controller, and more. They cost money, but you will not find these features for free, and if you do it is going to be a nightmare to manage.

Linux (1)

jones_supa (887896) | about a year ago | (#45742327)

For Linux you will have to make rules for each distro. Ubuntu can be blocked with *.archive.ubuntu.com. Get the most popular distros covered, and you should be off pretty good.
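As an added example (not code from the thread, from DD-WRT or from any distro), here is the approach in this comment and the OP's post turned into a small policy: a blocklist of update hosts with wildcard suffixes such as *.archive.ubuntu.com, enforced only during school hours, plus a helper that renders the list as dnsmasq `address=` lines for a DD-WRT router. The hostnames, the 08:00-16:00 window and the 127.0.0.1 sink address are constructed sample values.

```python
"""Time-windowed update-host block policy (added example, not from the thread)."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample blocklist: mesu.apple.com is the host the OP already blocks
# on DD-WRT, *.archive.ubuntu.com is the Ubuntu pattern from the comment above.
UPDATE_HOSTS = ["mesu.apple.com", "*.archive.ubuntu.com"]

def host_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match. '*.x' matches subdomains of x only; a bare name
    matches itself and its subdomains (the dnsmasq 'address=' behaviour)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])  # keep the leading dot
    return hostname == pattern or hostname.endswith("." + pattern)

@dataclass(frozen=True)
class BlockWindow:
    """Local-time window during which update hosts are blocked."""
    start: time
    stop: time
    weekdays: frozenset  # datetime.weekday() values, Monday == 0

    def active(self, when: datetime) -> bool:
        if when.weekday() not in self.weekdays:
            return False
        now = when.time()
        if self.start <= self.stop:
            return self.start <= now < self.stop
        return now >= self.start or now < self.stop  # window spans midnight

# School hours, Monday to Friday. For the OP's 24-hour 4G case, skip the window check.
SCHOOL_HOURS = BlockWindow(time(8, 0), time(16, 0), frozenset(range(5)))

def decide(hostname: str, when: datetime, window: BlockWindow = SCHOOL_HOURS,
           patterns=UPDATE_HOSTS) -> str:
    """'block' when hostname is an update host and the window is active."""
    if window.active(when) and any(host_matches(p, hostname) for p in patterns):
        return "block"
    return "allow"

def dnsmasq_lines(patterns=UPDATE_HOSTS, sink: str = "127.0.0.1") -> list:
    """Render the list as DD-WRT dnsmasq 'address=' lines. dnsmasq cannot match
    on time, so a cron job would install these at window start and remove them
    (restarting dnsmasq) at window end. 'address=' also covers the bare name,
    so '*.x' widens to 'x and subdomains' here."""
    return [f"address=/{p[2:] if p.startswith('*.') else p}/{sink}" for p in patterns]
```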

Caching Servers (1)

jtara (133429) | about a year ago | (#45742407)

Somebody else posted this suggestion, and it got promptly shot down (in typical Slashdot fashion) by people who know nothing about the subject...

For at least Apple and Microsoft products, you can install a caching server that will cache the first download of any given update and then deliver from the cache on subsequent updates.

This is not the same as a caching HTTP server. (That's what was shot down...) These are specific servers made available by Apple and Microsoft, and meant specifically for caching software updates.

In fact, I have the Apple server installed on my Mac Mini. (It comes bundled with Mavericks Server, which is now just an optional package that installs on top of OSX.) It caches both iOS and OSX updates. I did an Xcode update (>1GB) on my Macbook in 2 minutes flat.

This would improve performance for your own updates, and would also permit you to offer updates to guests with little overhead, if you so choose.

Linux is more difficult, as there are quite a number of distributions with different update schemes. But I have to assume that a similar solution is available in most to all cases.

pfsense...but... (0)

Anonymous Coward | about a year ago | (#45742851)

After months of wrangling with linux routers then pfsense I found a quad WAN router by tp-link for £30. Whilst I rarely use more than one WAN on it, the timed fallbacks and routing policies are exactly what you need. A squid cache (forward port 80 on cache box to save having to set clients) helps but also maybe a samba share with common stuff. The router is dirt cheap considering the time you can lose on (although amazing) pfsense and the cache/share will run on any old crap - I often pick a client that will be on a lot to serve these functions.

Mainly, good luck
- a sysadmin for a school with a 2mbps (notice lower case) for 40 pcs.

In Soviet Russia, Windows phases out YOU! (1)

Thor Ablestar (321949) | about a year ago | (#45742893)

My own personal solution to this problem is to phase out each and every program, OS and everything else that downloads upgrades without the owner's intervention, and there would have to be a really serious need in order to leave such a program, with specific traffic shaping crafted specifically for it. You understand what I mean.

Also, when I was a sysadmin I just installed a very complicated firewall (ipfw on FreeBSD) that limited the speed of every separate group of users so the bandwidth hog would affect his own group only. And the sniffer was installed so that I could see the update sources and limit them accordingly.

Palo Alto Networks (0)

Anonymous Coward | about a year ago | (#45743037)

Pretty simple - just leverage application controls and apply best-effort QoS that's guaranteed no bandwidth.

Cache It (0)

Anonymous Coward | about a year ago | (#45743059)

Sounds like your user base might face even grimmer WAN circumstances wherever they are headed after hours. I like suggestions involving pfSense, though that is just one of many open and closed source solutions that could help you accomplish this.

However, perhaps there are some old hard drives that could be salvaged so as to cache these popular update files.

You'd win long term because:
      * your network population is patched
      * you may be able to cache other popular resources, like Wikipedia, better utilizing the limited WAN connectivity
      * you will tax the router less as it will divert once rather than block time after time
      * you teach good equipment maintenance (thanks to Apple and MS people have come to fear the updates they so desperately need)
