Help blocking torrents

Hello.
Our network has experienced a slowdown of late; I noticed people are downloading stuff with BitTorrent and other torrent clients. I would like to know how to block these or throttle them. I don't know what ports are used by these clients. I've searched on Google, but no luck on finding which ports are used by the torrent clients.
Please help. Thanks.
Mad Dawg (Premium Member, join: 2006-03-19)
2009-Apr-13 4:48 pm
It's almost a losing battle now with the encryption techniques and dynamic ports; even layer 7 filtering is not really effective. You could block all dynamic ports and the known default ranges of the typical programs, i.e.:
Limewire 6346/6347 TCP/UDP
Morpheus 6346/6347 TCP/UDP
BearShare default 6346 TCP/UDP
Edonkey 4662/TCP
EMule 4662/TCP 4672/UDP
Bittorrent 6881-6889 TCP/UDP
WinMx 6699/TCP 6257/UDP
Alternatively you can block everything except for the ports you want, i.e. 53, 80, 25, 443, etc...
Any savvy P2P user will easily get around either method by using port 80 or 53.
I find the most effective/cheap method for me is connection limiting and flow control (after x amount of data that user goes into a lower queue).
There are many ways to try and combat this, but most of the better solutions cost too much for me or are too complicated to configure.
to landysaccoun
Yeah, like Mad Dawg I've had the most success with connection limiting. Limit each user to 25-50 connections total for all ports. Then also place a limit of 5-10 connections total for ports 1024+. We run Linux routers, so I use the iptables connlimit module for this and it has worked out well. If it would help anyone I can paste the lines.
I think if you use NAT instead of giving each host a public IP address this would also help, wouldn't it? Hosts would not be able to open up whatever port they wanted, etc.; they'd have to masquerade across the router. Really could only help with outgoing traffic though, not incoming traffic.
Yes, please post some sample lines, since I'm also running a Linux router.
I'm actually thinking of just throttling the traffic for those ports.
Inssomniak (The Glitch, Premium Member, join: 2005-04-06, Cayuga, ON)
to landysaccoun
I started using other techniques for limiting P2P usage or heavy downloaders. I can't stop the ones that use encryption, and TCP connection limiting just resulted in phone calls, so I started changing the priority and speeds of users that are downloading and uploading large files. Say after 20 megs of downloads the priority gets dropped and the speed is slowed; at 50 megs its priority is dropped again and the speed slowed even more. Same for uploads. This works really well so far... This combined with some other QoS work has greatly improved my network.
to landysaccoun
Here's the sample lines for connection limiting, where br0 is the internal LAN:

# only allow 25 connections per host total, only 5
# of which can be above port 1024
/usr/sbin/iptables -I FORWARD -i br0 -p tcp --syn --dport 1: -m connlimit --connlimit-above 25 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p tcp --syn --dport 1024: -m connlimit --connlimit-above 5 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p udp --dport 1: -m connlimit --connlimit-above 25 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p udp --dport 1024: -m connlimit --connlimit-above 5 -j REJECT

You'll also want:

# filter out bad/corrupted p2p traffic
iptables -I PREROUTING -t mangle -m conntrack --ctstate INVALID -j DROP

# block Blobster and Piolet from downloading the initial peer list
iptables -I FORWARD -i br0 -p tcp --dport 80 -d 128.121.0.0/16 -j REJECT

And then to block the specific apps that MD was talking about above:

# block eDonkey
iptables -I FORWARD -i br0 -p tcp --dport 4662 -j REJECT
iptables -I FORWARD -i br0 -p tcp --sport 4662 -j REJECT

# block Limewire, Morpheus, Bearshare
iptables -I FORWARD -i br0 -p tcp --dport 6346:6347 -j REJECT
iptables -I FORWARD -i br0 -p tcp --sport 6346:6347 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 6346:6347 -j REJECT
iptables -I FORWARD -i br0 -p udp --sport 6346:6347 -j REJECT

# block eMule
iptables -I FORWARD -i br0 -p udp --dport 4672 -j REJECT
iptables -I FORWARD -i br0 -p udp --sport 4672 -j REJECT

# block BitTorrent
iptables -I FORWARD -i br0 -p tcp --dport 6881:6889 -j REJECT
iptables -I FORWARD -i br0 -p tcp --sport 6881:6889 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 6881:6889 -j REJECT
iptables -I FORWARD -i br0 -p udp --sport 6881:6889 -j REJECT

# block WinMx
iptables -I FORWARD -i br0 -p tcp --dport 6699 -j REJECT
iptables -I FORWARD -i br0 -p tcp --sport 6699 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 6699 -j REJECT
iptables -I FORWARD -i br0 -p udp --sport 6699 -j REJECT

All of this would go in an /etc/init.d startup file, etc.
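The same connection-limiting idea carried a bit further, as an added example that is not the rule set posted above nor anything else from this thread: it builds the rules from a shell function, counts per single source address with an explicit --connlimit-mask, answers refused TCP SYNs with a RST (which client stacks honour more uniformly than the default ICMP error, so a refused connection fails immediately instead of the browser sitting on it), and adds the separate business limit and the overnight open window that later posts in the thread describe. The interface name br0, the limits 30/8 and 80/20, the chain names P2P_RES and P2P_BIZ, the BUSINESS_HOSTS variable and the DRY_RUN switch are all assumptions of this example, and it needs a kernel/iptables with xt_connlimit and xt_time (the OP's stock Etch kernel lacks connlimit, as noted below).

```shell
#!/bin/sh
# Per-host connection limiting with the iptables connlimit match.
# Added example, not the rules posted in the thread. Assumes a Linux router
# whose LAN side is br0, xt_connlimit and xt_time available, and that the
# P2P_RES / P2P_BIZ chains do not exist yet. With DRY_RUN=1 (the default)
# the iptables commands are printed instead of applied.

set -eu

LAN_IF=${LAN_IF:-br0}
IPT=${IPT:-/usr/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}
BUSINESS_HOSTS=${BUSINESS_HOSTS:-}   # space-separated LAN addresses given the higher limit (assumed)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build one limiting chain: $1 = chain name, $2 = max connections per source
# host, $3 = how many of those may go to ports above 1023 (where P2P lives).
# --connlimit-mask 32 counts per single IPv4 source address. TCP SYNs over
# the limit get a RST so the client fails fast rather than hanging.
limit_chain() {
    chain=$1; total=$2; high=$3
    run "$IPT" -N "$chain"
    run "$IPT" -A "$chain" -p tcp --syn -m connlimit --connlimit-above "$total" --connlimit-mask 32 -j REJECT --reject-with tcp-reset
    run "$IPT" -A "$chain" -p tcp --syn --dport 1024: -m connlimit --connlimit-above "$high" --connlimit-mask 32 -j REJECT --reject-with tcp-reset
    run "$IPT" -A "$chain" -p udp -m connlimit --connlimit-above "$total" --connlimit-mask 32 -j REJECT
    run "$IPT" -A "$chain" -p udp --dport 1024: -m connlimit --connlimit-above "$high" --connlimit-mask 32 -j REJECT
}

# Wire the chains into FORWARD for traffic arriving from the LAN.
# $1 = LAN interface, $2 = space-separated hosts that get the business limit.
install_limits() {
    lan=$1; business=$2
    # Drop packets conntrack cannot place in a known connection, as in the thread.
    run "$IPT" -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
    limit_chain P2P_RES 30 8     # residential: 30 total, 8 on high ports
    limit_chain P2P_BIZ 80 20    # business: 80 total, 20 on high ports
    # Business hosts are checked in their own chain and skipped by the
    # residential chain (the RETURN is inserted at the top of P2P_RES).
    for ip in $business; do
        run "$IPT" -I P2P_RES 1 -s "$ip" -j RETURN
        run "$IPT" -A FORWARD -i "$lan" -s "$ip" -j P2P_BIZ
    done
    # Overnight window with no residential limit. xt_time compares against
    # UTC unless --kerneltz is added.
    run "$IPT" -I P2P_RES 1 -m time --timestart 02:00 --timestop 06:00 -j RETURN
    run "$IPT" -A FORWARD -i "$lan" -j P2P_RES
}

install_limits "$LAN_IF" "$BUSINESS_HOSTS"
```

Run it once with the default DRY_RUN=1 to review the generated rules, then with DRY_RUN=0 from the init script. Because limits are keyed on the LAN source address, every host behind a customer's own NAT router shares one budget, which is the situation Jerm raises further down the thread.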
dr mongolia
to Inssomniak
Inssomniak -- I'm just curious, what do users usually say when they're getting hit by a connection limit? "I can't download more than a few things at a time", etc? Thanks
mtroup (Marty, Premium Member, join: 2007-06-28, Hermitage, AR)
2009-Apr-13 11:41 pm
said by dr mongolia:
Inssomniak -- I'm just curious, what do users usually say when they're getting hit by a connection limit? "I can't download more than a few things at a time", etc? Thanks

I had to change this as well. I experienced it myself on my office computer, but it acted like there were DNS issues. Sites would time out, etc. It was because halfway through loading a page the connection would drop. I set mine at 35 (or 45... not at the office atm), only for users after P2P was detected and only for 12 hours from that time, using dynamic address lists.
Equis (Premium Member, join: 2005-03-18, Australia)
to Inssomniak
Hey Inssomniak, would you share your QoS config?
That's a great idea!
gmcintire (Graham, Premium Member, join: 2005-08-09, Blue Ridge, TX)
to landysaccoun
I had set a hard connection limit in the past and it ended up being a support nightmare. Customers would start a torrent and everything else would stop working. They were never quite able to get it through their heads that the two were related.
I had implemented a system in the past that would basically tarpit connections over a specified limit (I'd have to look through my history to find it). I've since just used the P2P filtering on MikroTik and have a throughput limit on it. It's been working that way for over a year without any issues on my network.
to mtroup
said by mtroup:
said by dr mongolia:
Inssomniak -- I'm just curious, what do users usually say when they're getting hit by a connection limit? "I can't download more than a few things at a time", etc? Thanks
I had to change this as well. I experienced it myself on my office computer, but it acted like there were DNS issues. Sites would time out, etc. It was because halfway through loading a page the connection would drop. I set mine at 35 (or 45... not at the office atm), only for users after P2P was detected and only for 12 hours from that time, using dynamic address lists.

Ah, sounds like packets were dropped instead of rejected under this implementation? Also, if connections were being dropped in the middle of activity, the filter might not have been accurately checking TCP states?
CMack (join: 2004-07-30, Canada)
to landysaccoun
We set all our connection limits to 30 in and 30 out; we've only had a few calls due to this, usually P2P or torrent hogs. After we explain what's going on and how they can avoid this (properly configuring software), they are happy. Out of our 3500+ customers I bet we have only had to deal with 6 customers maxing out their connection limits. I don't think blocking torrents is the answer; customers should be able to do what they want on our network, just not abuse it.
to landysaccoun
Got an idea for you guys... » fsckvps.com
Give torrenters a tutorial on how to set up Ubuntu Desktop and they can use whatever high-bandwidth activities they want on there. I'm now using it for random messing around, plus BitTorrent. Honestly the best way to keep BitTorrent from affecting your network is to, well, get it off your network.
to landysaccoun
said by landysaccoun:
Hello. Our network has experienced a slowdown of late; I noticed people are downloading stuff with BitTorrent and other torrent clients. I would like to know how to block these or throttle them. I don't know what ports are used by these clients. I've searched on Google, but no luck on finding which ports are used by the torrent clients. Please help. Thanks.

My solution: connection limiting with timed implementation on MT routers (or router of your choice), 30 in / 30 out for residential, 80/80 for business. Wide open (let your torrenters know this) from 2am till 6am. Easy to implement and effective.
openbox9 (Premium Member, join: 2004-01-26, 71144)
to iansltx
said by iansltx:
Got an idea for you guys... » fsckvps.com
Give torrenters a tutorial on how to set up Ubuntu Desktop and they can use whatever high-bandwidth activities they want on there.

Did you read the ToS? "You shall not use the services or the servers provided by the Supplier to: .... - use any peer to peer programs."
Apparently I didn't.
However, you might be able to work with them on something...
Alternatively, there are *some* VPS providers that would allow their servers to be used for seedboxes. Alternatively, set up one on your own; it might be a small profit center and would take the heavy torrent load off your network. NetDepot has some inexpensive servers that would serve that purpose.
Jerm (join: 2000-04-10, Richland, WA, Ziply Fiber)
to landysaccoun
Good thoughts... but...
I really like the idea of putting ports > 1024 with a limit of something like 75% of total connections. That keeps a few extra connections so web pages will still load while torrents or whatever else are running. That's the main thing I've noticed, as others have said, about having a low connection limit: page timeouts.
But only 30 connections? That just seems pretty low to me. Most Linksys routers seem to handle 400 or so connections just fine.
I know WISPs are in unique situations versus Cable or DSL, but I mean a more reasonable limit of at least 50 or 100 seems a bit better to me.
Just for the sake of argument, to illustrate why more than just a few connections are needed: doing a full refresh of all Call of Duty (game) servers can open 10,000 - 15,000 connections alone!
Inssomniak (The Glitch, Premium Member, join: 2005-04-06, Cayuga, ON)
to dr mongolia
Re: Help blocking torrents
said by dr mongolia:
Inssomniak -- I'm just curious, what do users usually say when they're getting hit by a connection limit? "I can't download more than a few things at a time", etc? Thanks

Well, the problem was they couldn't surf once their P2P program sucked up the connections, so they would think their internet is down when connection number 53 tried to open.
Mad Dawg (Premium Member, join: 2006-03-19)
2009-Apr-14 7:13 pm
I use a limit of 60 TCP sessions and 60 UDP sessions, for a total of 120 simultaneous connections, in tandem with flow controls at each tower and a queueing system at my head end.
I don't see any problems with it; if 120 connections isn't enough, as far as I am concerned it is likely P2P usage. Mind you, if there were some compelling business client or reason someone needed more, I would be willing to adjust that for them, no problem.
I have had only a few complaints about the speed slowing down.
After I explain how it works, about the 120 connections being a fairer system and that they can use them however they want, it's up to them to manage how they get used... they understand the situation completely. Usually after they check their kids' computer and turn off LimeWire... the problem seems to amazingly go away; dad never has to call a second time.
Well, I tried to test connlimit with iptables, but I'm getting errors. I guess I need a patch and to recompile a new kernel, which I don't have the time to do.
I currently have my network closed except for some users that find a need to use torrents, web cam, and VoIP. These are the users that are consuming all the bandwidth. Since I opened up all the ports for these users I've experienced a drop in the speed. I only have a 1.5m / 768k connection. For example, today I did a speed test and noticed the speed at 150k. That's too low.
Since the connlimit is not working for me right now, I was thinking of just throttling or assigning those users a certain amount of bandwidth, e.g. 150k for whatever they want. I don't know if that's too low, but I guess I'll just test with that and raise it if someone complains. I don't know, that's just an idea. What do you think? Any input?
mtroup (Marty, Premium Member, join: 2007-06-28, Hermitage, AR)
2009-Apr-14 11:53 pm
I would say most users are going to complain if they have anything less than 256/256, and if they're used to it being faster, they'll complain about that.
to Jerm
Re: Good thoughts... but...
said by Jerm:
But only 30 connections? That just seems pretty low to me. Most Linksys routers seem to handle 400 or so connections just fine.... Just for the sake of argument to illustrate why more than just a few connections are needed: doing a full refresh of all Call of Duty (game) servers can open 10,000 - 15,000 connections alone!

Well, it sounds like our networks are a bit different than yours, in that:
1) Every connected client is an actual PC or desktop, not a router. So the connection limit applies to individual clients. All clients are NATed at our router and masquerade using our router's public IP.
2) We do not support server applications at all. Residential connections only, etc. So no one would be running a Call of Duty server or any other server on the connection (they don't have their own public IP address anyway).
I guess it all depends on the terms of service, etc.
dr mongolia
to landysaccoun
Re: Help blocking torrents
It shouldn't take more than an hour max to get set up with a new kernel. You just need kernel 2.6.24+ and iptables 1.4+. A lot of Linux routers run Debian Etch -- if yours is an Etch box you can fix this just by using the apt-get command to get the "2.6.24-etchnhalf" kernel for your processor type. If you don't want to go the connlimit route, I'd just throttle those specific users as you mentioned. Or set up priority queues and drop them into a lower queue. Check out » www.lartc.org -- Linux Advanced Routing & Traffic Control HOWTO. They even have a mailing list with tons of examples, etc. You'll probably find that the ultimate solution to your problem would involve connection limiting via connlimit and then applying Stochastic Fairness Queuing (SFQ) on top, which is discussed in the above HOWTO and mailing list. SFQ provides fair queuing based on each individual connection coming across the router, so it works great alongside connlimit.
I need something that is not too time consuming. I'm actually running Debian Etch with the 2.6.18 kernel that comes with the install. I'll try to compile a new kernel and the newer iptables sometime in the near future.
I'll use tc and HTB.
Now, do you think that assigning 250kbs to those clients that like to use all the services would be enough for them to do whatever they want?
This way they will learn and adjust to what they have and surf and use their internet connection wisely. I don't want to control users, but I have no choice if I want to keep everyone happy.
Your thoughts...
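A worked version of the tc/HTB plan above, as an added example that is not code from anyone in this thread: it shapes the download direction on the LAN interface with an HTB tree, puts an SFQ leaf under every class (the connlimit-plus-SFQ combination dr mongolia recommends), pins chosen hosts to a capped class, and uses iptables connbytes marks so that any single flow that has moved more than 20 MB drops into the slow class and past 50 MB into a slower one, the tiered scheme Inssomniak describes earlier (iptables can only count this per connection, not per subscriber, so it is an approximation of his per-user version). The interface br0, the 1500/250/100 kbit figures, the SLOW_HOSTS variable, the mark values 2 and 3 and the function names are all assumptions of this example; it needs sch_htb, sch_sfq, cls_u32, cls_fw and xt_connbytes in the kernel.

```shell
#!/bin/sh
# Download-side shaping with HTB classes and SFQ leaves, plus fwmark-based
# demotion of heavy flows. Added example, not code from the thread. Assumes
# br0 faces the LAN (so its egress is the subscribers' download direction),
# a 1.5 Mbit/s downlink, and a kernel with sch_htb, sch_sfq, cls_u32, cls_fw
# and xt_connbytes. DRY_RUN=1 (the default) prints the commands instead of
# applying them.

set -eu

LAN_IF=${LAN_IF:-br0}
LINK_KBIT=${LINK_KBIT:-1500}     # downlink capacity
SLOW_KBIT=${SLOW_KBIT:-250}      # cap for the first throttle tier
CRAWL_KBIT=${CRAWL_KBIT:-100}    # cap for the second tier
SLOW_HOSTS=${SLOW_HOSTS:-}       # LAN addresses always placed in the slow tier (assumed)
TC=${TC:-/sbin/tc}
IPT=${IPT:-/usr/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = interface, $2 = link kbit, $3 = slow-tier kbit, $4 = crawl-tier kbit,
# $5 = space-separated hosts always put in the slow tier.
setup_htb() {
    dev=$1; link=$2; slow=$3; crawl=$4; hosts=$5
    normal=$((link - slow - crawl))   # guaranteed rate left for everyone else
    # Start from a clean root qdisc when actually applying.
    if [ "$DRY_RUN" != 1 ]; then "$TC" qdisc del dev "$dev" root 2>/dev/null || true; fi
    # Root HTB; anything no filter matches lands in class 1:10.
    run "$TC" qdisc add dev "$dev" root handle 1: htb default 10
    run "$TC" class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit" ceil "${link}kbit"
    # 1:10 normal: guaranteed $normal, may borrow up to the whole link.
    run "$TC" class add dev "$dev" parent 1:1 classid 1:10 htb rate "${normal}kbit" ceil "${link}kbit" prio 0
    # 1:20 / 1:30: hard caps (rate == ceil, so no borrowing), lower priority.
    run "$TC" class add dev "$dev" parent 1:1 classid 1:20 htb rate "${slow}kbit" ceil "${slow}kbit" prio 1
    run "$TC" class add dev "$dev" parent 1:1 classid 1:30 htb rate "${crawl}kbit" ceil "${crawl}kbit" prio 2
    # SFQ leaf under each class: per-flow fair share, so a torrent with 40
    # peers cannot starve a neighbour's single HTTP connection in the same class.
    for cls in 10 20 30; do
        run "$TC" qdisc add dev "$dev" parent "1:$cls" handle "$cls:" sfq perturb 10
    done
    # Static throttle: traffic destined to these hosts always goes to 1:20.
    for h in $hosts; do
        run "$TC" filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip dst "$h/32" flowid 1:20
    done
    # Dynamic demotion: fwmark 2 -> slow tier, fwmark 3 -> crawl tier.
    run "$TC" filter add dev "$dev" parent 1: protocol ip prio 2 handle 2 fw flowid 1:20
    run "$TC" filter add dev "$dev" parent 1: protocol ip prio 2 handle 3 fw flowid 1:30
}

# Mark connections by volume so tc demotes them: $1 = LAN interface,
# $2 = bytes before mark 2, $3 = bytes before mark 3. MARK is not a
# terminating target, so a flow past both thresholds ends up with mark 3.
mark_heavy_flows() {
    dev=$1; tier1=$2; tier2=$3
    run "$IPT" -t mangle -A FORWARD -o "$dev" -m connbytes --connbytes "$tier1:" --connbytes-dir both --connbytes-mode bytes -j MARK --set-mark 2
    run "$IPT" -t mangle -A FORWARD -o "$dev" -m connbytes --connbytes "$tier2:" --connbytes-dir both --connbytes-mode bytes -j MARK --set-mark 3
}

setup_htb "$LAN_IF" "$LINK_KBIT" "$SLOW_KBIT" "$CRAWL_KBIT" "$SLOW_HOSTS"
mark_heavy_flows "$LAN_IF" 20971520 52428800   # 20 MiB and 50 MiB
```

The upload side (the OP's 768k) is the same tree applied to the WAN interface's egress with `match ip src` in the u32 filter instead of `dst`; `tc -s class show dev br0` shows how many bytes each class is moving, which is the quickest way to see whether the 250k tier is actually where the heavy users end up.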
wierdo (join: 2001-02-16, Miami, FL)
to dr mongolia
Re: Good thoughts... but...
said by dr mongolia:
2) We do not support server applications at all. Residential connections only, etc. So no one would be running a Call of Duty server or any other server on the connection (they don't have their own public IP address anyway).

He wasn't talking about running a server, he was talking about the game presenting you a list of all the available servers.
CMack (join: 2004-07-30, Canada)
to landysaccoun
Re: Help blocking torrents
Get a NetEq, plain and simple: install, configure, walk away happy. It might cost a few shekels, but you will never regret it.