IDS mailing list archives

Re: Bittorrent - utorrent


From: "Albert Gonzalez" <incodeblood () gmail com>
Date: Tue, 20 Mar 2007 14:32:23 -0500

Ove,

Assuming you have a perimeter FW running a variant of Linux you could
use the matching module for iptables called ipp2p[1]. It was created
specifically for this purpose. An excerpt from the homepage says:

"The goal of the IPP2P project is to identify peer-to-peer (P2P) data
in IP traffic. For this purpose we extended the iptables/netfilter
architecture by a new matching module. Thereby IPP2P integrates itself
easily into existing Linux firewalls and its functionality can be
used by adding appropriate filter rules."

Below is a list of switches that are introduced when iptables is
compiled with ipp2p support.

Switch    Protocol(s)                Transport     Quality
--edk     eDonkey, eMule, Kademlia   TCP and UDP   very good
--kazaa   KaZaA, FastTrack           TCP and UDP   good
--gnu     Gnutella                   TCP and UDP   good
--dc      Direct Connect             TCP only      good
--bit     BitTorrent, extended BT    TCP and UDP   good
--apple   AppleJuice                 TCP only      (need feedback)
--winmx   WinMX                      TCP only      (need feedback)
--soul    SoulSeek                   TCP only      good (need feedback)
--ares    Ares, AresLite             TCP only      moderate (DROP only)

Equip the above switches (one per protocol) with the right filter
rules (in the right order) and you should have a strong blocking
mechanism for p2p traffic. Some Google queries will provide LOTS of
forum questions regarding ipp2p which should help you get started.

[1] - http://www.ipp2p.org

Hope that helps,
Albert Gonzalez

On 3/19/07, Bourque Daniel <Daniel.Bourque () loto-quebec com> wrote:

In fact, using NetFlow information in the corp network allows you to see things you didn't know existed.  Running a report to
find the top 100 stations with the highest number of remote connections is very informative...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David J. Bianco
Sent: 19 March 2007 10:40
To: Ove Dalgård Hansen
Cc: focus-ids () securityfocus com
Subject: Re: Bittorrent - utorrent

Ove Dalgård Hansen wrote:
> I am in a bit of trouble,
>
> On a network where I am configuring IDS - using ASA5510 + SSM module, we try to deny access to Bittorrent downloads - it
> consumes quite a bit of bandwidth and is not allowed by the company's policy.
> We try to filter bittorrent which succeeds - but the utorrent changes protocol and goes by the SSL port 443 and
> thereby circumvents the IDS, since it's not possible to see the encrypted traffic.
>
> Does anyone out there have a good idea of how I am to solve the issue?
>

Hi, Ove.  I see that you've gotten quite a few responses, but I have to
say that they all seem pretty impractical.  Decrypting SSL?  Um...

Anyway, it turns out that P2P traffic is actually pretty easy to detect
if you have the right monitoring tools.  Most of the other posters here
have been assuming that you'd want to use a signature based IDS like
snort or some gateway content inspection device, but by now you've already
figured out that they don't work well for this.

The trick is to look for intrinsic characteristics of P2P traffic.
Specifically, BitTorrent works by contacting a lot of different peers
to download small portions of the larger file.  What you need to do is
to look for individual systems on your network that talk to lots of
different external hosts.  The more hosts they talk to, the more likely
that they're running some P2P application.  Most BitTorrent transfers
stand out quite clearly when you create a list of your own hosts, sorted
by the number of external hosts they've talked to in the last 24 hours.

The advantages to this are that it doesn't matter if they use SSL or
not, since you're not reading the bits, just the session data records.
Also, they can change ports all they like, since you're only concerned
with the number of unique IPs they talk to.

There are two disadvantages, though.  First, you have to set up some
infrastructure to monitor session records.  I'm using Sguil, so I
already have this information handy in a SQL database, but you could use
something like NetFlow or SFlow if your routers support it.  There
are also a number of standalone tools like Argus or SANCP that would
do the job, albeit with a bit of scripting work on your part.

The second disadvantage is that you can't tell *exactly* what P2P traffic
you're seeing.  I do sometimes see Skype traffic, for example, that
looks a bit like BitTorrent when you're just seeing the session records.
However, for larger transfers (TV shows, movies, ISOs), the BitTorrent
stands out because it often involves thousands of unique IPs, more
than would be expected in a typical Skype session.

Anyway, I hope this helps answer your question.  This is a good example
of how using the right tool for the job can really simplify things.
Not all monitoring is done via signature matching!

        David
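The session-record ranking David describes above (and the "top stations by remote connections" NetFlow report Daniel mentions earlier in the thread) as an added worked example. This is not code from any poster or from Sguil, Argus, SANCP or NetFlow; it assumes a simple constructed CSV flow layout (time, src, sport, dst, dport, proto), RFC 1918 ranges as "our network", and a hypothetical peer-count threshold. Real flow exports differ in format but carry the same fields.

```python
"""Rank internal hosts by the number of distinct external peers they have
exchanged sessions with inside a time window, using flow records only.

Added example for this thread, not code from any poster or tool. The CSV
layout and sample rows below are constructed; NetFlow/sFlow, Argus or
SANCP exports differ in format but carry the same fields."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Hypothetical internal ranges standing in for "our network".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Fixed reference time for the constructed sample (assumed, not real data).
DEMO_NOW = datetime(2007, 3, 19, 12, 0, 0)


def is_internal(ip_text):
    """True if the address falls in one of our internal ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(lines):
    """Yield (start_time, src_ip, dst_ip) from 'ISO-time,src,sport,dst,dport,proto'
    lines. Malformed lines are skipped so one bad record does not kill the report."""
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[3]
        except ValueError:
            continue


def peer_counts(lines, now, window=timedelta(hours=24)):
    """Map each internal host to the number of distinct external hosts it
    talked to inside [now - window, now]. Direction and port are ignored:
    an external peer that connected *to* us still counts as a peer, which
    is what makes this robust to port hopping and SSL."""
    peers = defaultdict(set)
    for start, src, dst in parse_flows(lines):
        if start > now or now - start > window:
            continue
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and not dst_in:
            peers[src].add(dst)
        elif dst_in and not src_in:
            peers[dst].add(src)
        # internal<->internal and external<->external sessions are ignored
    return {host: len(p) for host, p in peers.items()}


def rank_hosts(lines, now, threshold=25, window=timedelta(hours=24)):
    """Return [(host, peer_count), ...] sorted most-peers-first, keeping only
    hosts at or above `threshold`. The threshold is a hypothetical tuning
    knob; as the thread notes, the report shows peer counts, not which
    application produced them, so a Skype-like host may also appear."""
    counts = peer_counts(lines, now, window)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(h, n) for h, n in ranked if n >= threshold]


def build_sample_flows(now):
    """Constructed session records, not captured traffic."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    rows = []
    # 10.1.1.50 reaches 40 distinct external peers on assorted ports (P2P-like).
    for i in range(40):
        t = (now - timedelta(minutes=5 * i)).strftime(fmt)
        rows.append(f"{t},10.1.1.50,{40000 + i},198.51.100.{i + 1},{443 if i % 2 else 6881},tcp")
    # 10.1.1.20 talks to three external hosts, several times each (ordinary use).
    for i in range(9):
        t = (now - timedelta(minutes=10 * i)).strftime(fmt)
        rows.append(f"{t},10.1.1.20,{50000 + i},203.0.113.{i % 3 + 1},443,tcp")
    # An inbound session from an external peer to 10.1.1.20 counts as a fourth peer.
    rows.append(f"{(now - timedelta(hours=1)).strftime(fmt)},203.0.113.9,6881,10.1.1.20,6881,tcp")
    # Stale records from 3 days ago must fall outside the 24-hour window.
    for i in range(30):
        t = (now - timedelta(days=3, minutes=i)).strftime(fmt)
        rows.append(f"{t},10.1.1.30,{30000 + i},192.0.2.{i + 1},443,tcp")
    # Internal-to-internal traffic is not a remote connection.
    rows.append(f"{now.strftime(fmt)},10.1.1.20,445,10.1.1.50,445,tcp")
    rows.append("this line is garbage and is skipped")
    return rows


if __name__ == "__main__":
    for host, n in rank_hosts(build_sample_flows(DEMO_NOW), DEMO_NOW, threshold=1):
        print(f"{host:15} {n:5d} distinct external peers")
```

On the constructed sample the report lists 10.1.1.50 with 40 peers and 10.1.1.20 with 4; the stale 10.1.1.30 records fall outside the window and the internal-to-internal row is not counted. Against a real flow store the only change is the parser, and the threshold should be set from your own baseline rather than the small value used here.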

