AragornX (@tpnet.pl)
How to limit p2p packets that block upload

Hi, we have a small company - we use a Cisco ASA 5505 as gateway and firewall. We have asymmetric broadband, 8 Mb/640 kb. We have a problem with p2p packets that block upload. One cannot send emails, upload files onto the FTP server, etc. Is there any way to block p2p or reserve a maximum bandwidth for it? Regards.
Aragornx
aragornx@poczta.fm
Manta (Premium, joined 2003-11-04, UK)

You can use QoS to shape traffic, but if the offending traffic is p2p you'll often find that it is difficult to classify. According to Cisco's TAC, if you have their IPS module in the ASA, it's a lot easier to classify p2p traffic and shape/block accordingly. Otherwise you may get on better by prioritising everything that's important to you and letting p2p get lumped in as 'the rest' and get the remaining bandwidth. I believe this can be done with Service Policies on an ASA.

Blocking p2p protocols like BitTorrent is quite hard because they are deliberately difficult to pin down. I've had some success with an ASA by blocking communication with trackers. The following will give you an idea of how to block tracker traffic, but BitTorrent will also use DHT, so we also blocked all UDP traffic, with exceptions as we needed them.

Hope this is of some help.
Gareth
MSN (joined 2004-05-15, Osgoode, ON)

This is an excellent post. It is very difficult to find good, well-researched information about how to control the P2P scourge called BitTorrent!

I have an asymmetric DSL line at home and have found BitTorrent to be a bit of a moving target. Some of the problem is my own lack of familiarity with all the adaptive mechanisms that the protocol can employ to get around my defences and QoS configuration. I will try your suggestions (the regex is particularly cool!) and post my results back on this board.
/Eric
aRAGORNx (@waw.pl), reply to AragornX

Thank you - I will try to use the method with regular expressions.
Manta (Premium, joined 2003-11-04, UK), reply to AragornX

The basic idea is to starve the BitTorrent client of peers. It's hard to block all the torrent traffic because it can be on any port, so you'd have to do deep packet inspection on every port. Even then, with BitTorrent's protocol encryption it's another story. If you can stop the client obtaining any peers, though, it won't have anybody to talk to. I blocked some of the common TCP ports that trackers use (2710 and 6969) for starters, and then the regex identifies any tracker communication on port 80.

BitTorrent clients will use DHT (Distributed Hash Table) to obtain peers, though, and in doing so they'll hammer your NAT table with hundreds or thousands of entries. I've seen this alone bring some routers to their knees. Communication here is done on random UDP ports above 1024 (ephemeral ports) - just to make life easy for you. Assuming you don't need UDP traffic - or you can specify what's allowed - the easiest way of dealing with it is to block all outbound UDP traffic. It's harsh, but for this site they only needed UDP traffic for some dial-in VPNs - hence allowing UDP port 10000 and blocking all the rest.

Hope this helps you and makes it a bit clearer to adapt it to your situation.
Gareth
aryoba (Premium, MVM, joined 2002-08-22), reply to Manta

said by Manta:
    You can use QoS to shape traffic but if the offending traffic is p2p you'll often find that it is difficult to classify. According to Cisco's TAC, if you have their IPS module in the ASA, it's a lot easier to classify p2p traffic and shape/block accordingly. The basic idea is to starve the BitTorrent client of peers. It's hard to block all the torrent traffic because it can be on any port so you'd have to do deep packet inspection on every port. Even then, with BitTorrent's protocol encryption it's another story. If you can stop the client obtaining any peers though, it won't have anybody to talk to. I blocked some of the common tcp ports that trackers use (2710 and 6969) for starters and then the regex identifies any tracker communication on port 80.

With a regularly updated IPS signature database on a dedicated IPS module or an IPS 4200 series sensor, yes, it is more convenient to pin down P2P traffic such as BitTorrent.

said by Manta:
    Assuming you don't need UDP traffic - or you can specify what's allowed - the easiest way of dealing with it is to block all outbound UDP traffic. It's harsh but for this site, they only needed udp traffic for some dial-in VPNs - hence allowing UDP port 10000 and blocking all the rest.

You definitely don't want to block UDP port 53 unless you don't need DNS functionality.
Manta (Premium, joined 2003-11-04, UK), reply to AragornX

Ah, whadya need DNS for anyway?! That's a very fair point, Aryoba. Fortunately BitTorrent - at least when I monitored it - only uses ports higher than 1024, and the port-object range in the code only blocks UDP 1024-9999 and 10001-65535.
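One way to review the policy Manta describes (tracker TCP ports, the port-80 tracker regex, and the UDP ranges that leave 53 and 10000 open) before writing it as ASA class-maps and ACLs is a small simulator. This is an added example, not Manta's ASA configuration: the tracker regex was never posted, so the pattern here is a constructed stand-in based on the standard HTTP tracker announce format, and `verdict`, `permitted_udp_ranges` and the sample flows are all assumptions made for this illustration.

```python
import re

# Added example (not Manta's ASA config): simulates the verdicts the thread
# describes so the policy can be reviewed before it becomes class-maps/ACLs.
TRACKER_TCP_PORTS = {2710, 6969}          # common tracker ports, blocked outright
# Hypothetical stand-in for the tracker regex (the real one was not posted):
# an HTTP GET to /announce or /scrape whose query carries a BitTorrent info_hash.
TRACKER_HTTP_RE = re.compile(
    r"^GET\s+\S*/(?:announce|scrape)\?[^ ]*\binfo_hash=", re.IGNORECASE)
# Outbound UDP ranges the revised policy denies; 53 (DNS) and 10000 (VPN) stay open.
UDP_DENY_RANGES = [(1024, 9999), (10001, 65535)]


def verdict(proto: str, dst_port: int, payload: str = "") -> str:
    """Return 'deny' or 'permit' for one outbound flow under the thread's rules."""
    if proto == "tcp":
        if dst_port in TRACKER_TCP_PORTS:
            return "deny"
        if dst_port == 80 and payload and TRACKER_HTTP_RE.match(payload):
            return "deny"                 # tracker announce hiding inside plain HTTP
        return "permit"
    if proto == "udp" and any(lo <= dst_port <= hi for lo, hi in UDP_DENY_RANGES):
        return "deny"                     # DHT/peer traffic lives on ports above 1024
    return "permit"


def permitted_udp_ranges() -> list:
    """Collapse the UDP ports the policy still allows into (low, high) ranges."""
    ranges, start = [], None
    for port in range(1, 65536):
        if verdict("udp", port) == "permit":
            start = port if start is None else start
        elif start is not None:
            ranges.append((start, port - 1))
            start = None
    if start is not None:
        ranges.append((start, 65535))
    return ranges


# Constructed sample flows: (proto, dst port, first HTTP request line or "")
SAMPLE_FLOWS = [
    ("tcp", 80, "GET /announce?info_hash=%12%34%56%78%9A%BC%DE%F0%12%34"
                "%56%78%9A%BC%DE%F0%12%34%56%78&peer_id=-UT1800-abcdefghijkl"
                "&port=51413 HTTP/1.1"),
    ("tcp", 80, "GET /index.html HTTP/1.1"),
    ("tcp", 6969, ""),
    ("udp", 53, ""),
    ("udp", 10000, ""),
    ("udp", 51413, ""),
]
```

Running `permitted_udp_ranges()` shows the point aryoba raised from the other side: the two deny ranges leave every UDP port below 1024 open (not just 53) plus 10000, which is worth knowing before relying on the policy.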
MSN (joined 2004-05-15, Osgoode, ON)

Manta, your use of regexes got me thinking. I wonder if I can look in my SNORT IDS rules and see what regexes they use for matching BitTorrent traffic. I could then create an inspect class map which looks for the BitTorrent traffic both tunneled inside HTTP and native. I'm also thinking I might create my own rule on my Cisco IOS IPS in my 871 perimeter router. It's not as much of an emergency now with my BitTorrenting daughter going to university, but still... it would be an interesting exercise and perhaps very useful, since I do a lot of work with Cisco gear in big enterprises and the knowledge should be transferable.
/Eric