AragornX (Anon) @internetdsl.tpnet.pl

How to limit p2p packets that blocks upload

Hi,
We have a small company - we use a Cisco ASA 5505 as gateway and firewall. We have asynch. broadband 8mb/640kb. We have a problem with p2p packets that block upload. One cannot send emails, upload files onto the FTP server, etc. Is there any way to block or reserve max bandwidth for p2p?
Regards, Aragornx
aragornx@poczta.fm
Manta (Premium Member, join:2003-11-04, UK)

You can use QoS to shape traffic but if the offending traffic is p2p you'll often find that it is difficult to classify. According to Cisco's TAC, if you have their IPS module in the ASA, it's a lot easier to classify p2p traffic and shape/block accordingly. Otherwise you may get on better by prioritising everything that's important to you and letting p2p get lumped in as 'the rest' and get the remaining bandwidth. I believe this can be done with Service Policies on an ASA.

Blocking p2p protocols like BitTorrent is quite hard because they are deliberately difficult to pin down. I've had some success with an ASA by blocking communication with trackers. The following will give you an idea of how to block tracker traffic, but BitTorrent will also use DHT, so we also blocked all UDP traffic with exceptions as we needed them.

Hope this is of some help.

Gareth

! Regex for a tracker announce query string (info_hash=...), case-insensitive by construction
regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"

! Ports commonly used by trackers; reference this group from your outbound ACL (ACL not shown here)
object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object eq 6969
! UDP ranges to deny outbound; port 10000 is left out for the VPN encapsulation, ports below 1024 (e.g. DNS 53) are not covered
object-group service Blocked-UDP-Ports udp
 description All ports blocked for Bit Torrent UDP DHT (all ephemeral ports except VPN encapsulation)
 port-object range 10001 65535
 port-object range 1024 9999

! match-all: a request must be a GET AND have a query string matching the regex
class-map type inspect http match-all bit-torrent-tracker
 description Bit Torrent Tracker communication
 match request args regex bit-torrent-tracker
 match request method get

policy-map type inspect http Drop-P2P
 description Drop protocol violations, Kazaa, gator and Bit Torrent Tracker traffic
 parameters
  protocol-violation action log
 class _default_gator
  drop-connection log
 class _default_kazaa
  drop-connection log
 class bit-torrent-tracker
  drop-connection log

! Attach the HTTP inspection policy to the default global service policy
policy-map global_policy
 class inspection_default
  inspect http Drop-P2P


cyberpost (Member, join:2004-05-15, Osgoode, ON)

This is an excellent post. It is very difficult to find good, well-researched information about how to control the P2P scourge called Bittorrent!

I have an asymmetric DSL line at home and have found BitTorrent to be a bit of a moving target. Some of the problem is my own lack of familiarity with all the adaptive mechanisms that the protocol can employ to get around my defences and QoS configuration. I will try your suggestions (the regex is particularly cool!) and post my results back on this board.

/Eric

aRAGORNx (Anon) @acn.waw.pl, to AragornX

Thank you - I will try to use the method with regular expressions.

Manta (Premium Member, join:2003-11-04, UK), to AragornX

The basic idea is to starve the BitTorrent client of peers. It's hard to block all the torrent traffic because it can be on any port so you'd have to do deep packet inspection on every port. Even then, with BitTorrent's protocol encryption it's another story. If you can stop the client obtaining any peers though, it won't have anybody to talk to. I blocked some of the common tcp ports that trackers use (2710 and 6969) for starters and then the regex identifies any tracker communication on port 80.

BitTorrent clients will use DHT (Distributed Hash Table) to obtain peers though and in doing so they'll hammer your NAT table with hundreds or thousands of entries. I've seen this alone bring some routers to their knees. Communication here is done on random UDP ports above 1024 (ephemeral ports) - just to make life easy for you. Assuming you don't need UDP traffic - or you can specify what's allowed - the easiest way of dealing with it is to block all outbound UDP traffic. It's harsh but for this site, they only needed udp traffic for some dial-in VPNs - hence allowing UDP port 10000 and blocking all the rest.

Hope this helps you and makes it a bit clearer to adapt it to your situation.

Gareth

aryoba (MVM, join:2002-08-22), to Manta

said by Manta:

You can use QoS to shape traffic but if the offending traffic is p2p you'll often find that it is difficult to classify. According to Cisco's TAC, if you have their IPS module in the ASA, it's a lot easier to classify p2p traffic and shape/block accordingly.

The basic idea is to starve the BitTorrent client of peers. It's hard to block all the torrent traffic because it can be on any port so you'd have to do deep packet inspection on every port. Even then, with BitTorrent's protocol encryption it's another story. If you can stop the client obtaining any peers though, it won't have anybody to talk to. I blocked some of the common tcp ports that trackers use (2710 and 6969) for starters and then the regex identifies any tracker communication on port 80.

With a regularly updated IPS database on a dedicated IPS module or the IPS 4200 Sensor series, yes, it is more convenient to pin down P2P traffic such as BitTorrent.

said by Manta:

Assuming you don't need UDP traffic - or you can specify what's allowed - the easiest way of dealing with it is to block all outbound UDP traffic. It's harsh but for this site, they only needed udp traffic for some dial-in VPNs - hence allowing UDP port 10000 and blocking all the rest.

You definitely don't want to block UDP port 53 unless you don't need DNS functionality.

Manta (Premium Member, join:2003-11-04, UK), to AragornX

Ah, whadya need DNS for anyway?!
That's a very fair point Aryoba. Fortunately BitTorrent - at least when I monitored it - only uses ports higher than 1024 and the port-object range in the code only blocks UDP 1024-9999 and 10001-65535.
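
As an added illustration (not configuration or code from this thread), the Python below mirrors the decision logic of Gareth's posted policy so it can be checked against constructed flows: the tracker regex combined with the GET-only match-all class, the two tracker TCP ports, and the two UDP deny ranges that leave port 10000 and everything below 1024 (so DNS on 53) open. It assumes the object-groups are applied to an outbound deny ACL and that HTTP inspection covers TCP/80, neither of which the posted snippet shows explicitly.

```python
import re

# Regex exactly as posted in the thread's ASA config ("regex bit-torrent-tracker ...").
TRACKER_ARGS_RE = re.compile(r".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*")

# Port sets mirroring the thread's object-groups. Assumption (not shown in the
# thread): both groups are referenced from an outbound deny ACL.
TRACKER_TCP_PORTS = {2710, 6969}
BLOCKED_UDP_RANGES = [(1024, 9999), (10001, 65535)]  # 10000 and <1024 (DNS 53) stay open


def udp_blocked(port):
    """True if the UDP destination port falls in one of the posted deny ranges."""
    return any(lo <= port <= hi for lo, hi in BLOCKED_UDP_RANGES)


def http_tracker_request(method, path):
    """Mirror of the match-all class-map: GET AND query string ('request args') matches."""
    query = path.partition("?")[2]
    return method.upper() == "GET" and TRACKER_ARGS_RE.match(query) is not None


def decide(proto, dst_port, method=None, path=None):
    """Return 'drop' or 'allow' for one outbound flow; HTTP inspection assumed on TCP/80 only."""
    proto = proto.lower()
    if proto == "udp":
        return "drop" if udp_blocked(dst_port) else "allow"
    if proto == "tcp":
        if dst_port in TRACKER_TCP_PORTS:
            return "drop"
        if dst_port == 80 and method and http_tracker_request(method, path or "/"):
            return "drop"
    return "allow"


# Constructed sample flows (not captured traffic): (proto, port, method, path).
SAMPLE_FLOWS = [
    ("udp", 53, None, None),                                     # DNS: aryoba's caveat, stays open
    ("udp", 10000, None, None),                                  # VPN encapsulation exception
    ("udp", 6881, None, None),                                   # DHT on an ephemeral port
    ("tcp", 6969, None, None),                                   # tracker on a known port
    ("tcp", 80, "GET", "/announce?info_hash=%12%AB&port=6881"),  # tracker over HTTP
    ("tcp", 80, "GET", "/index.html"),                           # ordinary browsing
]


def summarize(flows=SAMPLE_FLOWS):
    """Return {'drop': n, 'allow': m} for a list of flows."""
    counts = {"drop": 0, "allow": 0}
    for proto, port, method, path in flows:
        counts[decide(proto, port, method, path)] += 1
    return counts
```

Note that a POST carrying the same query string passes the match-all class, which is exactly the kind of gap Eric's Snort-rule idea below would be meant to close.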

cyberpost (Member, join:2004-05-15, Osgoode, ON)

Manta,
Your use of regexes got me thinking. I wonder if I can look in my SNORT IDS rules and see what regexes they use for matching BitTorrent traffic. I could then create an inspect class map which looks for the BitTorrent traffic both tunneled inside HTTP and native. I'm also thinking I might create my own rule on my Cisco IOS IPS in my 871 perimeter router. It's not as much of an emergency now with my BitTorrenting daughter going to university, but still... it would be an interesting exercise and perhaps very useful, since I do a lot of work with Cisco gear in big enterprises and the knowledge should be transferable.

/Eric