IDS mailing list archives
Re: Bittorrent - utorrent
From: "Albert Gonzalez" <incodeblood () gmail com>
Date: Tue, 20 Mar 2007 14:32:23 -0500
Ove, Assuming you have a perimeter FW running a variant of Linux you could use the matching module for iptables called ipp2p[1]. It was created specifically for this purpose. An excerpt from the homepage says: "The goal of the IPP2P project is to identify peer-to-peer (P2P) data in IP traffic. For this purpose we extended the iptables/netfilter architecture by a new matching module. Thereby IPP2P integrates itself easily into existing Linux firewalls and it's functionality can be used by adding appropriate filter rules." Below is a list of switches that are introduced when iptables is compiled with ipp2p support. --edk eDonkey, eMule, Kademlia TCP and UDP very good --kazaa KaZaA, FastTrack TCP and UDP good --gnu Gnutella TCP and UDP good --dc Direct Connect TCP only good --bit BitTorrent, extended BT TCP and UDP good --apple AppleJuice TCP only (need feedback) --winmx WinMX TCP only (need feedback) --soul SoulSeek TCP only good (need feedback) --ares Ares, AresLite TCP only moderate (DROP only) The above switches (for protocols) equipped with the right filter rules (in the right order) and you should have a strong blocking mechanism for p2p traffic. Some google queries will provide LOTS of forum questions regarding ipp2p which should help you get started. [1] - http://www.ipp2p.org Hope that helps, Albert Gonzalez On 3/19/07, Bourque Daniel <Daniel.Bourque () loto-quebec com> wrote:
In fact, using netFlow information in the corp network allow you to see thing you didn't know exist. Running report to find the 100 top stations with the highest number of remote connection is very informative... -----Message d'origine----- De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la part de David J. Bianco Envoyé : 19 mars 2007 10:40 À : Ove Dalgård Hansen Cc : focus-ids () securityfocus com Objet : Re: Bittorrent - utorrent Ove Dalgård Hansen wrote: > I am in a bit of trouble, > > On a network where i am configuring IDS - using ASA5510 + SSM module, we try to deny access to Bittorrent downloads - it consumes quite a bit of bandwith and is not allowed by the company's policy. > We try to filter bittorrent which succedes - but the utorrent changes protocol and goes by the SSL port 443 and thereby circumvent the IDS, since its not possible to see the encrypted traffic. > > Does anyone out there have a good idea of how i am to solve the issue? > Hi, Ove. I see that you've gotten quite a few responses, but I have to say that they all seem pretty impractical. Decrypting SSL? Um... Anyway, it turns out that P2P traffic is actually pretty easy to detect if you have the right monitoring tools. Most of the other posters here have been assuming that you'd want to use a signature based IDS like snort or some gateway content inspection device, but by now you've already figured out that they don't work well for this. The trick is to look for intrinsic characteristics of P2P traffic. Specifically, BitTorrent works by contacting a lot of different peers to download small portions of the larger file. What you need to do is to look for individual systems on your network that talk to lots of different externals hosts. The more hosts they talk to, the more likely that they're running some P2P application. Most BitTorrent transfers stand out quite clearly when you create a list of your own hosts, sorted by the number of external hosts they've talked to in the last 24 hours. The advantages to this are that it doesn't matter if they use SSL or not, since you're not reading the bits, just the session data records. Also, they can change ports all they like, since you're only concerned with the number of unique IPs they talk to. There are two disadvantages, though. First, you have to set up some infrastructure to monitor session records. I'm using Sguil, so I already have this information handy in a SQL database, but you could use something like NetFlow or SFlow if your routers support it. There are also a number of standalone tools like Argus or SANCP that would do the job, albeit with a bit of scripting work on your part. The second disadvantage is that you can't tell *exactly* what P2P traffic you're seeing. I do sometimes see Skype traffic, for example, that looks a bit like BitTorrent when you're just seeing the session records. However, for larger transfers (TV shows, movies, ISOs), the BitTorrent stands out because it often involves a thousands of unique IPs, more than would be expected in a typical Skype session. Anyway, I hope this helps answer your question. This is a good example of how using the right tool for the job can really simplify things. Not all monitoring is done via signature matching! David
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- RE: Bittorrent - utorrent, (continued)
- RE: Bittorrent - utorrent Erick Jensen (Mar 09)
- Re: Bittorrent - utorrent Tremaine Lea (Mar 12)
- Re: Bittorrent - utorrent Stephen Clowater (Mar 12)
- RE: Bittorrent - utorrent Velasquez Venegas Jaime Omar (Mar 12)
- Re: Bittorrent - utorrent Jex (Mar 12)
- Re: Bittorrent - utorrent David J. Bianco (Mar 19)
- Re: Bittorrent - utorrent Tremaine Lea (Mar 19)
- Re: Bittorrent - utorrent David J. Bianco (Mar 19)
- Re: Bittorrent - utorrent Rocky (Mar 29)
- Re: Bittorrent - utorrent Tremaine Lea (Mar 19)
- RE: Bittorrent - utorrent Bourque Daniel (Mar 19)
- Re: Bittorrent - utorrent Albert Gonzalez (Mar 20)
- RE: Bittorrent - utorrent Erick Jensen (Mar 20)
- RE: Bittorrent - utorrent Joshua Barnes (Mar 21)
- Re: Bittorrent - utorrent scott (Mar 22)
- Re: Bittorrent - utorrent Yan Zhai (Mar 26)
- RE: Bittorrent - utorrent Erick Jensen (Mar 09)