IDS mailing list archives

Re: Bittorrent - utorrent

From: Tremaine Lea <focus-ids () ddiction com>
Date: Mon, 19 Mar 2007 14:03:30 -0600


On 19-Mar-07, at 8:39 AM, David J. Bianco wrote:

Ove Dalgård Hansen wrote:
I am in a bit of trouble,
On a network where i am configuring IDS - using ASA5510 + SSMmodule, we try to deny access to Bittorrent downloads - itconsumes quite a bit of bandwith and is not allowed by thecompany's policy.We try to filter bittorrent which succedes - but the utorrentchanges protocol and goes by the SSL port 443 and therebycircumvent the IDS, since its not possible to see the encryptedtraffic.
Does anyone out there have a good idea of how i am to solve theissue?
Hi, Ove. I see that you've gotten quite a few responses, but Ihave to
say that they all seem pretty impractical.  Decrypting SSL?  Um...

Uhm what? I think I've provided a pretty clear description of howit's done, and it provides a lot more benefit to the administratorthan just looking for encrypted P2P traffic.

Anyway, it turns out that P2P traffic is actually pretty easy todetectif you have the right monitoring tools. Most of the other postershere
have been assuming that you'd want to use a signature based IDS like
snort or some gateway content inspection device, but by now you'vealready
figured out that they don't work well for this.

Snort or a similar IDS/IPS would indeed be a poor choice for dealingwith is particular problem. A content inspection appliance howeveris a different story and is ideally suited to this.

The trick is to look for intrinsic characteristics of P2P traffic.
Specifically, BitTorrent works by contacting a lot of different peers
to download small portions of the larger file.  What you need to do is
to look for individual systems on your network that talk to lots of

different externals hosts. The more hosts they talk to, the morelikely

that they're running some P2P application.  Most BitTorrent transfers

stand out quite clearly when you create a list of your own hosts,sortedby the number of external hosts they've talked to in the last 24hours.


The advantages to this are that it doesn't matter if they use SSL or
not, since you're not reading the bits, just the session data records.
Also, they can change ports all they like, since you're only concerned
with the number of unique IPs they talk to.

There are two disadvantages, though.  First, you have to set up some
infrastructure to monitor session records.  I'm using Sguil, so I

already have this information handy in a SQL database, but youcould use

something like NetFlow or SFlow if your routers support it.  There
are also a number of standalone tools like Argus or SANCP that would
do the job, albeit with a bit of scripting work on your part.

The second disadvantage is that you can't tell *exactly* what P2Ptraffic

you're seeing.  I do sometimes see Skype traffic, for example, that

looks a bit like BitTorrent when you're just seeing the sessionrecords.

However, for larger transfers (TV shows, movies, ISOs), the BitTorrent
stands out because it often involves a thousands of unique IPs, more
than would be expected in a typical Skype session.

Those are not insignificant disadvantages, and is certainly notscalable. If you deal with a small network this may work just fine.If you have ~10,000 users and a lot of infrastructure it's not nearlyso feasible.

Anyway, I hope this helps answer your question. This is a goodexample
of how using the right tool for the job can really simplify things.
Not all monitoring is done via signature matching!

        David

Effective monitoring that results in an audit trail you can take toHR requires more than a 'best guess' or 'highly educated guess'.You need to be able to prove it. You also need to be able to preventit. A combination of a technical solution and an enforceable userpolicy should be preferred.

I could make some pretty educated guesses about traffic patterns onmy network using Peakflow and similar tools. And they are often agood starting point for a lot of things. Ultimately though, we wantto be able to see inside *all* of the traffic on the network weadministrate.

If the traffic can't be inspected and isn't part of an otherwiseauthorized connection, it should be dropped.


Tremaine Lea
Network Security Consultant
------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Current thread:

Re: Bittorrent - utorrent, (continued)
- Re: Bittorrent - utorrent Christian Kreibich (Mar 09)
- Re: Bittorrent - utorrent Tremaine Lea (Mar 09)
- Re: Bittorrent - utorrent Michał Melewski (Mar 09)
- RE: Bittorrent - utorrent Goran Pizent (Mar 09)
- RE: Bittorrent - utorrent Erick Jensen (Mar 09)
  - Re: Bittorrent - utorrent Tremaine Lea (Mar 12)
  - Re: Bittorrent - utorrent Stephen Clowater (Mar 12)
  - RE: Bittorrent - utorrent Velasquez Venegas Jaime Omar (Mar 12)
- Re: Bittorrent - utorrent Jex (Mar 12)
- Re: Bittorrent - utorrent David J. Bianco (Mar 19)
  - Re: Bittorrent - utorrent Tremaine Lea (Mar 19)
    - Re: Bittorrent - utorrent David J. Bianco (Mar 19)
    - Re: Bittorrent - utorrent Rocky (Mar 29)
  - RE: Bittorrent - utorrent Bourque Daniel (Mar 19)
    - Re: Bittorrent - utorrent Albert Gonzalez (Mar 20)
  - RE: Bittorrent - utorrent Erick Jensen (Mar 20)
    - RE: Bittorrent - utorrent Joshua Barnes (Mar 21)
    - Re: Bittorrent - utorrent scott (Mar 22)
    - Re: Bittorrent - utorrent Yan Zhai (Mar 26)
- RE: Bittorrent - utorrent jay.tomas (Mar 09)
- RE: Bittorrent - utorrent Giovanni Davide Sacca' (Mar 12)

(Thread continues...)