[OPLINTECH] Bit Torrent traffic management

Ron Woods woodsro at stclibrary.org
Mon Oct 17 12:53:43 EDT 2016


Hi,

The best solution I have found in dealing with Bit Torrent (no solution is perfect, mind you) is placing a Snort sensor “in-line” with your network, and using the open source Sourcefire and EmergingThreats.net open rules to only block the “specific” Bit Torrent clients and protocols that are causing you issues while allowing the ones used for legitimate purposes to pass through without issue.

Each type of Bit Torrent client has a signature specific to it.

Example:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; content:"User-Agent|3a| BitComet/"; http_header; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; classtype:policy-violation; sid:2011710; rev:4;)

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Vuze BT Connection"; flow:established; content:"|00 00|"; depth:2; content:"|05|AZVER|01|"; distance:5; within:7; content:"appid"; within:10; threshold:type limit, track by_src, count 10, seconds 600; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010139; classtype:policy-violation; sid:2010139; rev:5;)

The 1st Snort rule is specific to the BitComet BitTorrent client, and the 2nd rule is specific to the Vuze BitTorrent client.

A lot of rules are available, and you can even write your own by sniffing network traffic if you're so inclined. This allows you to pick and choose which ones to allow and which ones to not allow. A really easy solution to this is simply setting up a Snort sensor with the OS of your choice (BSD/Linux/pfSense/Red Hat/etc.) on a box between your Wi-Fi network and the internet connection that serves your patrons and running a Snort sensor there.

Emerging Threats Open/GPL rules can be found here:

https://rules.emergingthreats.net/

Sourcefire open rules can be found here:

https://www.snort.org/downloads

Just remember you want Snort to be watching the “LAN” part of your Wi-Fi network, NOT your WAN, as Bit Torrent network sigs are sent across your LAN and that’s the point you need Snort sniffing to find them. Sniffing WAN traffic is useless for this application, as BitTorrent will just keep making connections to different WAN IPs till it slows your network to a crawl. By sniffing on the LAN, the minute they start that download Snort will cut the connection to the internet completely, leaving them nothing but local LAN access, and Bit Torrent will no longer be able to try and make any more connections.

This won’t work for SSL/TLS encrypted torrents though; however, most movies and such are not on encrypted torrents. You can also make exceptions for specific patrons pretty easily by simply temporarily suppressing a specific signature for a specific IP or whatnot, depending on your platform. I don’t like meddling with encrypted traffic though, and I’m simply hands off there.

I have had very few issues with Bit Torrent. The ones I had issues with (Bit Torrent clients) were really only used for downloading copyrighted movies and music and nothing else, and I got Snort sigs in place for those specific ones. The other, more legit clients I don’t Snort traffic for, and they are allowed to pass freely. In cases where it’s a legit use and it’s blocked by mistake, I make exceptions for those cases very easily and all is well. It was more of a bandwidth issue for me than anything else, making sure plenty of bandwidth is available for everyone else to be able to use the service too, as Bit Torrent can be a hog at times.

That’s my way of dealing with it; it took me about a year of tuning and writing/modifying rules and such to get it set up how I wanted it to function. Now it just works on its own, and I don’t really have any issues with it. I only see maybe 1-2 Snort alerts per month now concerning Bit Torrent, and it’s from the same ones used primarily for downloading music, and the IPs it’s connecting to are the standard nodes for downloading such materials, so it’s working as intended here.

It’s not perfect, and if someone is connecting to an encrypted torrent there is nothing I can do about it, but I’m fine with that. If you have the budget, Cisco, Juniper, and Fortinet (I think) do make Layer 7 devices that are capable of giving you granular control over all these protocols and such, encrypted or not, but they were well out of my price range. YMMV

Sincerely,

Ron Woods

Ron Woods
Computer Services Manager
St. Clairsville Public Library
(740)-695-2062
http://www.stclibrary.org

From: OPLINTECH [mailto:oplintech-bounces at lists.oplin.org] On Behalf Of Technology Coordinator
Sent: Monday, October 17, 2016 11:35 AM
To: oplintech at lists.oplin.org
Subject: [OPLINTECH] Bit Torrent traffic management

How are you curtailing Bit Torrent traffic on your wireless networks? I am using Meraki and am seeing multiple instances of Bit Torrent being used to download copyright protected material by individual devices per MAC address.

Do you block Bit Torrent outright?

Enable Bit Torrent for each individual?

The sticky wicket is that there is a legitimate use for this protocol so I am resistant to outright blocking it.

Thank you,

Mark

--

Mark Sanzotta
Technology Coordinator
Ashtabula County District Library
4335 Park Ave.
Ashtabula, Ohio  44004

Cell: 440.969.5486

“Google can bring you back 100,000 answers. A librarian can bring you back the right one.” ― Neil Gaiman (http://www.goodreads.com/author/show/1221698.Neil_Gaiman)

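The two Emerging Threats rules quoted in Ron's reply above depend on how Snort's content modifiers compose (depth, distance, within, http_header) and on the by_src limit threshold in the Vuze rule; the patron exceptions he describes are a per-source suppression on top of that. The following is an added example, not Snort's code and not from either poster: a toy Python evaluator that mimics those semantics just far enough to show why the BitComet rule matches only in the HTTP header block, why the Vuze rule pins "|05|AZVER|01|" to exactly five bytes after the leading "|00 00|", and how "threshold: type limit" and a suppression entry change what gets logged. The `Content`, `match_contents` and `Sensor` names, the payloads and the IP addresses are constructions for this example (not captures), and the matching is a simplification of what Snort actually does (no HTTP normalisation, no flow tracking).

```python
"""Toy evaluator for the two Emerging Threats Snort rules quoted above.

Added example (not Snort's code and not part of the original mailing-list
message). It re-implements just enough of the Snort 2 content-matching
semantics (depth, distance, within, http_header) and of
"threshold: type limit, track by_src" to show how the two signatures decide
on a payload, and how a per-source suppression entry (the kind of patron
exception the reply mentions) is layered on top. All payloads and IPs are
constructed samples, not captures.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    """One content: match plus the modifiers the quoted rules use."""
    pattern: bytes
    depth: Optional[int] = None   # absolute: pattern must end within first N bytes
    distance: int = 0             # relative: skip N bytes after the previous match
    within: Optional[int] = None  # relative: window length after that skip
    http_header: bool = False     # search only the HTTP header block


def _header_block(payload: bytes) -> bytes:
    """Bytes up to and including the header-terminating blank line, else b''."""
    end = payload.find(b"\r\n\r\n")
    return payload[:end + 2] if end != -1 else b""


def match_contents(payload: bytes, contents: list[Content]) -> bool:
    """Apply each content in order, carrying the end of the previous match."""
    cursor = 0
    for c in contents:
        buf = _header_block(payload) if c.http_header else payload
        if c.distance or c.within is not None:
            start, window = cursor + c.distance, c.within   # relative match
        else:
            start, window = 0, c.depth                      # absolute match
        end = len(buf) if window is None else min(len(buf), start + window)
        idx = buf.find(c.pattern, start, end)  # whole pattern must fit in [start, end)
        if idx == -1:
            return False
        cursor = idx + len(c.pattern)
    return True


# The two rules from the reply, reduced to the options this toy understands.
BITCOMET_UA = {
    "sid": 2011710, "msg": "ET P2P Bittorrent P2P Client User-Agent (BitComet)",
    "contents": [Content(b"User-Agent: BitComet/", http_header=True)],  # |3a| is ':'
}
VUZE_BT = {
    "sid": 2010139, "msg": "ET P2P Vuze BT Connection",
    "contents": [
        Content(b"\x00\x00", depth=2),
        Content(b"\x05AZVER\x01", distance=5, within=7),  # within == len: exact spot
        Content(b"appid", within=10),
    ],
    "threshold": ("limit", 10, 600),  # type limit, track by_src, count 10, seconds 600
}


class Sensor:
    """Runs rules over payloads with by_src limit thresholds and suppressions."""

    def __init__(self, rules):
        self.rules = rules
        self.suppress = set()   # (sid, src_ip): the per-patron exception from the reply
        self.windows = {}       # (sid, src_ip) -> (window_start, events_in_window)

    def suppress_for(self, sid: int, src_ip: str) -> None:
        self.suppress.add((sid, src_ip))

    def _over_limit(self, rule, src_ip: str, now: float) -> bool:
        """threshold type limit: log the first `count` events per `seconds`, then stop."""
        thr = rule.get("threshold")
        if thr is None:
            return False
        _, count, seconds = thr
        key = (rule["sid"], src_ip)
        start, n = self.windows.get(key, (now, 0))
        if now - start >= seconds:          # window expired: start a fresh one
            start, n = now, 0
        n += 1
        self.windows[key] = (start, n)
        return n > count

    def inspect(self, src_ip: str, payload: bytes, now: float = 0.0) -> list:
        """Return the sids whose event would be logged for this payload."""
        fired = []
        for rule in self.rules:
            if (rule["sid"], src_ip) in self.suppress:
                continue
            if not match_contents(payload, rule["contents"]):
                continue
            if self._over_limit(rule, src_ip, now):
                continue
            fired.append(rule["sid"])
        return fired


# Constructed samples: a tracker request from a BitComet-like client, the same
# string hidden in a body (http_header must not match it), a normal browser
# request, and a blob laid out so the Vuze offsets line up.
BITCOMET_REQ = (b"GET /announce?info_hash=x HTTP/1.1\r\nHost: tracker.example\r\n"
                b"User-Agent: BitComet/1.40\r\n\r\n")
BODY_ONLY_REQ = b"POST /up HTTP/1.1\r\nHost: h.example\r\n\r\nUser-Agent: BitComet/1.0"
BROWSER_REQ = b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
VUZE_HANDSHAKE = b"\x00\x00" + b"\x00\x00\x00\x0a\x00" + b"\x05AZVER\x01" + b"\x00\x01appid\x00"

if __name__ == "__main__":
    s = Sensor([BITCOMET_UA, VUZE_BT])
    s.suppress_for(2011710, "10.0.0.7")   # exempt one patron from the BitComet rule
    print(s.inspect("10.0.0.5", BITCOMET_REQ), s.inspect("10.0.0.7", BITCOMET_REQ))
    print([s.inspect("10.0.0.5", VUZE_HANDSHAKE, now=float(i)) for i in range(12)])
```

Two things the toy makes visible: with the limit threshold, the eleventh Vuze handshake from the same source inside the 600 s window produces no event even though the content still matches, so a quiet sensor does not mean the client stopped; and a suppression keyed on (sid, source IP) silences just that one signature for that one patron, which is the narrow exception Ron prefers over disabling the rule for everyone.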