Member
Posts: 235
Registered: ‎07-05-2011
Kudos: 24

Block bittorrent and P2P

I performed the small office setup guide in the wiki, and it works. Now here is my question:

I saw in the firewall rules that we have the option to trigger p2p, bittorrent etc. Any ideas how to configure it?

Or would and could we do it using iptables instead?

Thanks


Accepted Solutions
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3113
Solutions: 945
Contributions: 16

Re: Block bittorrent and P2P

When creating a firewall rule, look on the "advanced" tab:

 

p2p.png

Note: dropping all p2p can be difficult, but this will drop some of it.
EdgeMAX Router Software Development



All Replies
Member
Posts: 235
Registered: ‎07-05-2011
Kudos: 24

Re: Block bittorrent and P2P

So if I just add it to my current Wan_in and Wan_out I should be good?

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5447
Solutions: 1656
Contributions: 2

Re: Block bittorrent and P2P

You could try that, but it may be more effective if you use CONNMARK/MARK together with the P2P match. Note that the "ipp2p" match module that is used for the P2P match is quite old by now, so you might want to test it first to see if it is effective for your purpose. If you are familiar with iptables, it might be easier to use iptables directly and do some effectiveness testing; for example, you can try the examples on the ipp2p Web site.
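An added illustration of the CONNMARK/MARK pattern the reply above refers to. This is example code written for this page, not code from the thread, from the ipp2p project or from EdgeOS: the ipp2p match runs once per connection, the verdict is saved into the connection mark, and every later packet of the same flow is dropped on the restored mark without re-running the payload match. The chain name P2P_CLASSIFY and the mark value 0x10 are arbitrary placeholders.

```shell
#!/bin/sh
# Added illustration (not the thread's, ipp2p's or EdgeOS's own code) of
# pairing the ipp2p match with CONNMARK/MARK. Flow of the mangle chain:
#   1. restore the connection mark onto the packet
#   2. already classified as P2P? then RETURN (no more payload matching)
#   3. otherwise run ipp2p; on a hit, set the packet mark
#   4. copy a freshly set packet mark back into the connection mark
# The filter table then drops forwarded packets whose connection mark is set.
P2P_MARK=0x10   # placeholder value; pick bits unused by anything else on the box

# Print the rule set so it can be reviewed, diffed or tested before loading.
p2p_block_rules() {
    cat <<EOF
iptables -t mangle -N P2P_CLASSIFY
iptables -t mangle -A P2P_CLASSIFY -j CONNMARK --restore-mark
iptables -t mangle -A P2P_CLASSIFY -m mark --mark $P2P_MARK -j RETURN
iptables -t mangle -A P2P_CLASSIFY -p tcp -m ipp2p --ipp2p -j MARK --set-mark $P2P_MARK
iptables -t mangle -A P2P_CLASSIFY -m mark --mark $P2P_MARK -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j P2P_CLASSIFY
iptables -t mangle -A OUTPUT -j P2P_CLASSIFY
iptables -A FORWARD -m connmark --mark $P2P_MARK -m limit --limit 5/min -j LOG --log-prefix "P2P-DROP: "
iptables -A FORWARD -m connmark --mark $P2P_MARK -j DROP
EOF
}

# "apply" loads the rules (root required); anything else just prints them.
case "${1:-print}" in
    apply) p2p_block_rules | sh -e ;;
    *)     p2p_block_rules ;;
esac
```

Run it without arguments to print the rules for review and with `apply` as root to load them. The mangle chain is hooked into PREROUTING (forwarded traffic) and OUTPUT (router-originated traffic). The LOG rule and the per-rule packet counters (`iptables -t mangle -L P2P_CLASSIFY -v -n`) are what you use for the effectiveness test the reply recommends: if the counters stay at zero while a client you know is running a current BitTorrent build is active, the old ipp2p signatures are not firing for that client. If another feature on the router already uses the packet mark, switch to `--set-xmark` with a mask so the bits do not collide.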

Member
Posts: 235
Registered: ‎07-05-2011
Kudos: 24

Re: Block bittorrent and P2P

[ Edited ]

deleted

 

 

Senior Member
Posts: 2,583
Registered: ‎05-19-2013
Kudos: 1097
Solutions: 23

Re: Block bittorrent and P2P

I still live in the era where only high-end devices were capable of deep packet inspection to effectively block p2p traffic. Learning something new (to me) today... Didn't know even a low-end router can quite effectively block off some p2p traffic nowadays.
Member
Posts: 235
Registered: ‎07-05-2011
Kudos: 24

Re: Block bittorrent and P2P

Never mind, it doesn't work. It was the DNS filtering the p2p. Once DNS was removed I was able to connect, so scrap that idea Man Sad.

SuperUser
Posts: 21,761
Registered: ‎11-20-2011
Kudos: 7896
Solutions: 233

Re: Block bittorrent and P2P

blocking p2p is not trivial in any way, especially with services like BTGuard and similar


isp builder | linux sorcerer | datacenter automation conjurer | blog: blog.engineered.online
link to our slack channel on the blog
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5447
Solutions: 1656
Contributions: 2

Re: Block bittorrent and P2P

Yeah as mentioned the "ipp2p" module is quite old by now so it may not be very effective with certain (especially newer) apps. Did you try using iptables directly with CONNMARK/MARK as described on their Web site mentioned above, which may be somewhat more effective?

Established Member
Posts: 1,211
Registered: ‎06-14-2012
Kudos: 1008
Solutions: 80
Contributions: 9

Re: Block bittorrent and P2P


Josh_Performant wrote:
blocking p2p is not trivial in any way, especially with services like BTGuard and similar

Actually, with an L7 firewall, it is quite easy. Just not cheap. Man Wink

 

But the simple way to limit it is to set the firewall policy to default deny and only allow what you need through.  It isn't perfect, but it will inhibit the majority of it.
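An added example of the default-deny policy this post describes. This is example code written for this page, not code from the thread or from EdgeOS: the FORWARD policy is DROP, only replies to already-allowed connections and a short allow-list of destination ports get from the LAN to the WAN, and everything else (P2P included) is rate-limited, logged and dropped. The interface names and the port lists are placeholders to be replaced with the reader's own.

```shell
#!/bin/sh
# Added illustration (not the thread's or EdgeOS's own code) of a default-deny
# LAN->WAN forwarding policy. Interfaces and allow-lists are placeholders that
# can be overridden from the environment.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
ALLOW_TCP="${ALLOW_TCP:-80 443}"   # placeholder: web only
ALLOW_UDP="${ALLOW_UDP:-53 123}"   # placeholder: DNS and NTP

# Print the rule set so it can be reviewed or tested before loading.
egress_allowlist_rules() {
    # Replies to connections we allowed come back via conntrack; everything
    # else must match an explicit allow rule or is logged and dropped.
    cat <<EOF
iptables -N LAN_EGRESS
iptables -A LAN_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A LAN_EGRESS -m conntrack --ctstate INVALID -j DROP
EOF
    for port in $ALLOW_TCP; do
        printf 'iptables -A LAN_EGRESS -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    for port in $ALLOW_UDP; do
        printf 'iptables -A LAN_EGRESS -p udp --dport %s -j ACCEPT\n' "$port"
    done
    # Rate-limited log of what the policy is denying, then the default drop.
    cat <<EOF
iptables -A LAN_EGRESS -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
iptables -A LAN_EGRESS -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j LAN_EGRESS
iptables -P FORWARD DROP
EOF
}

# "apply" loads the rules (root required); anything else just prints them.
case "${1:-print}" in
    apply) egress_allowlist_rules | sh -e ;;
    *)     egress_allowlist_rules ;;
esac
```

The EGRESS-DENY log lines are the cheap way to find out what the policy is actually catching: a burst of denied outbound connections from one host to many different addresses on high ports is the shape a BitTorrent swarm takes, and it shows up here without any payload inspection. As the post says, this is not perfect: a client that falls back to TCP 443 will pass this allow-list, which is where the L7 inspection discussed later in the thread comes in.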

SuperUser
Posts: 1,965
Registered: ‎01-28-2010
Kudos: 590
Solutions: 8

Re: Block bittorrent and P2P

Most modern P2P will automatically encrypt their data and run on port 80 if they detect that the traffic is being blocked.  This makes dpi ineffective.  We use a very expensive device (Ipoque PRX traffic shaper) that also looks at traffic patterns in order to identify encrypted P2P.

Do a Great Thing.
SuperUser
Posts: 21,761
Registered: ‎11-20-2011
Kudos: 7896
Solutions: 233

Re: Block bittorrent and P2P

Please explain to me how you are going to detect a torrent stream proxied and encrypted to a different country with a single endpoint :/


Member
Posts: 158
Registered: ‎10-13-2012
Kudos: 44

Re: Block bittorrent and P2P

We use Juniper's IDP solution in our SRX 240s and 480s... again not cheap, but very effective; it does a killer job keeping other problems out as well.

But you're talking 5k for the 240, and 9k for the 480s and IDP stuff.

Most small businesses and startups can't drop that kind of money into just a router. The UBNT router seems to stop a decent amount for the $$$. I'm sure a small amount gets past our J.OS toys as well. Nothing is perfect.

Good job yet again UBNT Man Happy

SuperUser
Posts: 1,965
Registered: ‎01-28-2010
Kudos: 590
Solutions: 8

Re: Block bittorrent and P2P

[ Edited ]

Josh_Performant wrote:
please explain to me how you are going to detect a torrent stream proxy'd and encrypted to a different country with a single endpoint :/

I don't know of any solution that would stop it if it was both encrypted and to a single point, like a proxy or a VPN. But I'm also not aware of any P2P app that will utilize either of those two techniques on its own.

SuperUser
Posts: 21,761
Registered: ‎11-20-2011
Kudos: 7896
Solutions: 233

Re: Block bittorrent and P2P


SPITwSPOTS wrote:

Josh_Performant wrote:
please explain to me how you are going to detect a torrent stream proxy'd and encrypted to a different country with a single endpoint :/

I don't know of any solution that would stop it if it was both encrypted and to a single point.  Like a proxy or a vpn.  But I'm also not aware of any P2P app that will utilize either of those 2 techniques on it's own.


https://www.google.com/search?q=torrent+proxy&rlz=1C1LENP_enUS541US541&oq=torrent+proxy&aqs=chrome.0...



SuperUser
Posts: 1,965
Registered: ‎01-28-2010
Kudos: 590
Solutions: 8

Re: Block bittorrent and P2P


Josh_Performant wrote:

SPITwSPOTS wrote:

Josh_Performant wrote:
please explain to me how you are going to detect a torrent stream proxy'd and encrypted to a different country with a single endpoint :/

I don't know of any solution that would stop it if it was both encrypted and to a single point.  Like a proxy or a vpn.  But I'm also not aware of any P2P app that will utilize either of those 2 techniques on it's own.


https://www.google.com/search?q=torrent+proxy&rlz=1C1LENP_enUS541US541&oq=torrent+proxy&aqs=chrome.0...


I should have phrased that better. I am aware of proxy and VPN services that are used by people who want to run p2p in environments where it is restricted. But I don't know of any p2p client that will automatically use one of these services on its own. Usually the user has to set those up themselves, which means that of course some users will use them and get around the attempt to restrict those programs, but most users won't. Whereas on the other hand, when it comes to simple DPI, most p2p apps will automatically encrypt and switch ports without any intervention from the user.

SuperUser
Posts: 21,761
Registered: ‎11-20-2011
Kudos: 7896
Solutions: 233

Re: Block bittorrent and P2P

Man Happy


Established Member
Posts: 1,211
Registered: ‎06-14-2012
Kudos: 1008
Solutions: 80
Contributions: 9

Re: Block bittorrent and P2P

[ Edited ]

Well.. for starters, if you have an L7-aware firewall, you can restrict the applications leaving on port 80 to HTTP. Anything not decoded as HTTP would be blocked. So that stops encryption over 80. More importantly, BT and encrypted BT traffic have deterministic characteristics and flow behavior that allow the traffic to be ID'ed as such. This isn't wishful thinking or difficult, it is just expensive.

 

Source: I do this at work.  

 

Edit:  You can poke around in here to get an idea of the kinds of things that are reliably detected.  http://apps.paloaltonetworks.com/applipedia/

SuperUser
Posts: 21,761
Registered: ‎11-20-2011
Kudos: 7896
Solutions: 233

Re: Block bittorrent and P2P


mrjester wrote:

Well.. for starters, if you have an L7-aware firewall, you can restrict the applications leaving on port 80 to HTTP. Anything not decoded as HTTP would be blocked. So that stops encryption over 80. More importantly, BT and encrypted BT traffic have deterministic characteristics and flow behavior that allow the traffic to be ID'ed as such. This isn't wishful thinking or difficult, it is just expensive.

 

Source: I do this at work.  

 

Edit:  You can poke around in here to get an idea of the kinds of things that are reliably detected.  http://apps.paloaltonetworks.com/applipedia/


What happens if the traffic is found to be double-encrypted, or encapsulated? Ex: traffic on 443 that is SSL encrypted, with another layer of non-SSL based encryption underneath (say, AES256).

 

Does the initial DPI catch this?



Established Member
Posts: 1,211
Registered: ‎06-14-2012
Kudos: 1008
Solutions: 80
Contributions: 9

Re: Block bittorrent and P2P

[ Edited ]

The L7 application identification doesn't decrypt by default. It uses the behavior and composition of the packets to identify the traffic.  It would never know it is double encrypted.

 

I will add, we have the ability to decrypt some SSL and SSH via MITM, and anything inside would then be IDed. There are of course limitations to that, such as 2-way PKI with authentication, which can't be MITM'd without significant resources.
