[kwlug-disc] Blocking Bittorrrent

Raymond Chen raymondchen625 at gmail.com
Mon Nov 16 21:26:57 EST 2015


What is the purpose of doing this? To enforce fairness on bandwidth usage?
Can you apply a bandwidth limit for each IP? Or even make it smarter: enforce
it only when bandwidth usage is almost full.

On Monday, 16 November 2015, <bbierman42 at gmail.com> wrote:

> You can block UDP on your network except DNS. Bittorrent uses UDP to send
> the packets.
>
> I'm not a PF sense admin, but there are good snort signatures that it can
> block a bunch of the traffic. If you can turn on IPS mode on the F/W you
> can block there.
>
> As far as the encrypted traffic, you have to do MITM to inspect it. No
> way around it.
>
> The last thing is find the trackers that people are using and blackhole
> the DNS resolutions. Set DNS entries in your F/W that resolve to 127.0.0.1
> for the trackers. This is playing whack-a-mole though.
>
>   Original Message
> From: Paul Nijjar
> Sent: Monday, November 16, 2015 20:43
> To: kwlug-disc at kwlug.org
> Reply To: KWLUG discussion
> Subject: [kwlug-disc] Blocking Bittorrrent
>
>
> Once again, I have found myself on Santa's naughty list, and I am
> tired of it. Thus I have decided to transition into full-blown evil.
> (The consequences for both Christmas presents and Judgement Day appear
> to be similar, and it is not as if I am going to make any progress
> going the other way.) Thus, I would like to become a mini-Rogers and block
> bittorrent on our network.
>
> The firewall is pfSense.
>
> pfSense has layer-7 filtering, but it only works for unencrypted
> traffic, so unless I can implement a MITM attack I am probably not
> going to be able to use it to block Bittorrent.
>
> You can't block bittorrent based on ports, because Bittorrent can use
> many different ports.
>
> You can't block it based on IP address.
>
> I can sometimes identify likely torrent traffic by looking at the
> incoming connections that are blocked by the firewall. A lot of
> incoming connections to the same port often indicates torrent traffic,
> but does not help me block people from making incoming torrent
> connections.
>
> I could take a page out of Rogers's playbook and attempt to slow down
> all encrypted traffic (or even block it all, which is pretty evil but
> would make web surfing and SSH inconvenient). I am not sure whether
> pfSense could even identify encrypted traffic, but some L7 filtering
> might make it possible. I could potentially allow encrypted traffic
> over a few ports (22, 443, whatever SMTP uses) but then Bittorrent
> just will use 443 again.
>
> Maybe I could flag computers that make a lot of simultaneous
> connections? But then if Khalid ever visits TWC (as he will this
> Thursday, when the local Drupal group is having a Drupal release
> party) then he will be flagged, because he always has some ridiculous
> number of tabs open in his web browser.
>
> I have been poking around on the Internet, but have not found any good
> suggestions thus far. Can you help me be evil?
>
> - Paul
>
> --
> http://pnijjar.freeshell.org
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
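
Added example (not part of the original thread): the signal Paul describes, many blocked incoming connections to the same port, computed over firewall log entries. The CSV field positions assume pfSense's filterlog layout for IPv4 TCP/UDP; the interface name `em0`, the thresholds and the sample lines are constructed for illustration.

```python
import csv
from collections import defaultdict

# Assumed field positions in a pfSense filterlog CSV entry (IPv4, TCP/UDP).
IFACE, ACTION, DIRECTION, IPVER, PROTO, SRC, DST, DPORT = 4, 6, 7, 8, 16, 18, 19, 21

def blocked_inbound_fanin(lines, wan_if="em0"):
    """Map (dst_ip, proto, dst_port) -> set of distinct remote source IPs."""
    fanin = defaultdict(set)
    for row in csv.reader(lines):
        if len(row) <= DPORT or row[IPVER] != "4":
            continue  # malformed line, or a layout this sketch does not parse
        if (row[IFACE], row[ACTION], row[DIRECTION]) != (wan_if, "block", "in"):
            continue
        if row[PROTO] not in ("tcp", "udp") or not row[DPORT].isdigit():
            continue
        fanin[(row[DST], row[PROTO], int(row[DPORT]))].add(row[SRC])
    return fanin

def likely_torrent_ports(lines, min_sources=4, min_port=1024):
    """Ports hit by many *distinct* remote peers; thresholds are illustrative."""
    hits = [(dst, proto, port, len(srcs))
            for (dst, proto, port), srcs in blocked_inbound_fanin(lines).items()
            if port >= min_port and len(srcs) >= min_sources]
    return sorted(hits, key=lambda h: -h[3])

def _sample(action, src, dport, proto="tcp"):
    # Constructed log entry; addresses come from documentation ranges.
    pid = "6" if proto == "tcp" else "17"
    return (f"5,,,1000000103,em0,match,{action},in,4,0x0,,52,0,0,DF,"
            f"{pid},{proto},60,{src},203.0.113.10,40000,{dport},0")

SAMPLE_LOG = (
    [_sample("block", f"198.51.100.{i}", 51413) for i in range(1, 6)]  # 5 peers, one port
    + [_sample("block", f"198.51.100.{i}", 51413, "udp") for i in range(1, 4)]  # 3 peers
    + [_sample("block", "192.0.2.77", 8080)] * 6  # one source repeating itself
    + [_sample("block", f"192.0.2.{i}", 23) for i in range(1, 9)]  # low-port scan noise
    + [_sample("pass", "192.0.2.50", 443), "truncated,line"]
)

if __name__ == "__main__":
    for dst, proto, port, n in likely_torrent_ports(SAMPLE_LOG):
        print(f"{dst} {proto}/{port}: blocked inbound from {n} distinct sources")
```

Counting distinct sources per destination port, rather than connections per client, keeps a single repeating scanner or a user with many browser tabs from being flagged.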