Government Security
Network Security Resources

P2p Blocking

Tags: network, router

16 replies to this topic

#1 strohunter (Sergeant, Members, 208 posts)

Posted 01 November 2004 - 07:20 AM

Does someone here know how to block some P2P traffic (eDonkey, Kazaa etc.)?

Each computer in the network accesses the internet through a router (it could be a real physical router, or a dedicated computer, I don't care) and I want to block/filter unwanted traffic (P2P).

Any ideas? ^^

Thanks.
Regards.

#2 tnp (Private First Class, Members, 38 posts)

Posted 01 November 2004 - 07:25 AM

Hmm, all P2P ports? Or lock multiple connections?

#3 Guest_sk3tch_* (Guests)

Posted 01 November 2004 - 07:39 AM

P2P is tough, tough, tough to block. Kind of like IM.

One "security by obscurity" type of solution would be to use a stand-alone proxy (versus a transparent one) at some random IP in your network. Then set your firewall to block all outgoing traffic (or at least from your workstation netblock).

That way, your average user will have to extract their proxy settings from their web browser and input them into their P2P app. This will stop 75%+ of your users right there.

If they get past that level, you could put some kind of filters into your proxy to block traffic to known P2P IP addresses/URLs.

Then, after that level, you could put in some kind of scanning/filtering mechanisms for the actual traffic.

Anyway... it is a tough problem. You'll need a holistic strategy for your entire network, i.e. lock down desktops so users can't install them, set security policies so users will "get in trouble" for using/installing them, educate users on why not to use them, and finally use your network layers to disallow.

#4 strohunter (Sergeant, Members, 208 posts)

Posted 01 November 2004 - 07:40 AM

P2P ports can be easily modified, and restricting multiple connections is not a good solution since a computer can need multiple connections (an IP scanner, for example).

However, I found this:
http://l7-filter.sourceforge.net/

It seems good, I'm already compiling ^^

#5 AgentOrange (Staff Sergeant, Members, 284 posts)

Posted 01 November 2004 - 10:03 AM

P2P apps are simple to modify to evade any kind of lockdown. You would have to lock down all .exe's and that would make the computers useless. I was selling modified copies of Kazaa Lite at the local U. A few times my copy got leaked to the fuzz, but then I just got another $5 from everyone. It was awesome.

eDonkey is simple to block, just block all outgoing connections to addresses on this list:
hxxp://ed2k.2x4u.de/index.html

For Kazaa, block outgoing connections to TCP port 1214, I think.

For Gnutella, block all the Gnutella Web Caches.

For DC, block DC hubs.

If all that sounds like too much work, there are countless P2P apps to be found on zeropaid.com.

For Freenet and Mute, unplug your internet connection ;p

Then what about IRC?

All a person has to do is use a proxy server and all your work would be for nothing. If you stop eDonkey, FastTrack and Gnutella you would be stopping like 80% of P2P traffic, but people will get wise to the other networks soon enough. Eventually they will use a network that you won't be able to filter. You really can't stop P2P, and you shouldn't. Let me tell you a story. I once had a dedicated box in Malaysia. We had a 100 Mbit to the net and we hosted an IRCd with a bunch of XDCC bots spewing out pirated material all over the globe. In Malaysia it is legal to share files, however the MPAA BRIBED the local police to ARREST AND BEAT the owner of our ISP. Needless to say our server went down randomly and we were pissed, then we just moved hosting to China.

Now the MPAA is sending out countless letters to people sharing movies telling them that they will sue. The MPAA has yet to sue one file swapper, they are just being assholes.

The moral of the story is that these assholes are trying to keep knowledge from being free. They are stealing from the artists and stealing from you. You should grow some balls and tell these Nazi mother truckers to go truck themselves.

There is light at the end of the tunnel. In South Korea, where you can get a 49/3 Mbit line for 13 USD, things are like how they will be in the US. In the past 5 years 95% of record stores have closed down. So these Nazis are dying and soon we will be free from them.

Peace out

#6 strohunter (Sergeant, Members, 208 posts)

Posted 01 November 2004 - 12:38 PM

Wow, l7-filter works perfectly. It identifies packets with pattern matching, so you can change the port or modify the exe, it catches it anyway ^^
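To make concrete what "pattern matching" means for the l7-filter approach praised above, here is an added example (mine, not code from the thread or from the l7-filter project). It classifies a TCP connection by running a regular expression over the first bytes of application payload, both directions together and regardless of destination port. The signatures are simplified ones I wrote from the documented handshakes of BitTorrent, Gnutella 0.6, eDonkey and Kazaa/FastTrack, not the pattern files l7-filter ships; the 512-byte inspection window and all sample payloads are constructed for the example. It also shows the two outcomes a pattern matcher cannot avoid: a flow with no recognisable handshake stays "unknown", and a handshake pushed past the inspection window by padding is missed.

```python
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption for this example: inspect at most this many payload bytes per
# connection (both directions together) before giving up on the flow.
LOOKAHEAD = 512

# Illustrative signatures in the l7-filter style: a regex run over the start of
# the application payload, case-insensitively, whatever the port. Written for
# this example from each protocol's documented handshake; NOT l7-filter's own
# pattern files.
SIGNATURES = {
    # BitTorrent peer handshake: length byte 0x13 then "BitTorrent protocol"
    "bittorrent": re.compile(rb"^\x13bittorrent protocol", re.I),
    # Gnutella 0.6 connection handshake
    "gnutella": re.compile(rb"^gnutella connect/0\.6\r\n", re.I),
    # eDonkey: protocol byte 0xE3 (0xC5 for eMule), 4-byte length, opcode 0x01 = HELLO
    "edonkey": re.compile(rb"^[\xe3\xc5].{4}\x01", re.S),
    # FastTrack/Kazaa HTTP transfers carry X-Kazaa-* request headers
    "fasttrack": re.compile(rb"^(get|post) [^\r\n]*\r\n(.*\r\n)?x-kazaa-", re.I | re.S),
}


@dataclass
class Flow:
    """One TCP connection; payload from both directions is appended in order."""
    src: str
    sport: int
    dst: str
    dport: int                      # recorded only to show it plays no part in the match
    buf: bytearray = field(default_factory=bytearray)
    label: Optional[str] = None     # None = still undecided

    def add_payload(self, data: bytes) -> Optional[str]:
        if self.label is not None:          # decision is final once made
            return self.label
        room = LOOKAHEAD - len(self.buf)    # bytes beyond the window are never inspected
        if room > 0:
            self.buf += data[:room]
        window = bytes(self.buf)
        for name, pattern in SIGNATURES.items():
            if pattern.search(window):
                self.label = name
                return name
        if len(self.buf) >= LOOKAHEAD:      # window exhausted without a match
            self.label = "unknown"
        return self.label


def classify_packets(packets: List[bytes], dport: int = 0) -> str:
    """Feed a list of payloads to a fresh flow; 'pending' if undecided at the end."""
    flow = Flow("10.0.0.7", 40000, "203.0.113.9", dport)
    for p in packets:
        flow.add_payload(p)
    return flow.label or "pending"


# Constructed sample payloads (trailing protocol fields abbreviated).
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-AZ2400-" + b"b" * 12
ED2K_HELLO = b"\xe3" + struct.pack("<I", 3) + b"\x01" + b"\x10\x00"
GNUTELLA_HS = b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.0.8\r\nX-Ultrapeer: False\r\n\r\n"
KAZAA_GET = (b"GET /.hash=e1ad0f HTTP/1.1\r\nHost: 192.0.2.5:1214\r\n"
             b"X-Kazaa-Username: alice\r\nX-Kazaa-Network: KaZaA\r\n\r\n")
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>" + b"." * 600
PADDED_BT = b"\x00" * 600 + BT_HANDSHAKE                       # handshake outside the window
OBFUSCATED = bytes((i * 37 + 11) % 256 for i in range(700))    # stand-in for an encrypted stream

if __name__ == "__main__":
    samples = [("bittorrent on 80", [BT_HANDSHAKE], 80), ("edonkey", [ED2K_HELLO], 4662),
               ("gnutella", [GNUTELLA_HS], 6346), ("kazaa http", [KAZAA_GET], 1214),
               ("plain http", [HTTP_GET, HTTP_RESP], 80), ("padded bt", [PADDED_BT], 6881),
               ("obfuscated", [OBFUSCATED], 443)]
    for name, pkts, port in samples:
        print(f"{name:<18} dport={port:<5} -> {classify_packets(pkts, port)}")
```

The BitTorrent handshake is still caught on port 80, which is the port-independence the post describes; the padded and obfuscated flows come out "unknown", which is the limit of any payload-signature filter and why the thread's later posts fall back on default-deny or rate limiting for what cannot be named.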

#7 gengw2000 (Private, Members, 1 post)

Posted 06 December 2006 - 02:17 AM

I also found a commercial software that can block certain P2P programs. It seems to support a lot of P2P protocols. Most important is that it can be installed on a Windows system, since I have no Linux gateway.
http://www.imfirewall.com/en

#8 GhostShell (Staff Sergeant, Members, 345 posts)

Posted 06 December 2006 - 04:59 AM

Google the popular file-sharing ports and then block them all. It shouldn't be too hard if my school did it.
http://pcsubject.com/ <- My new Blog

"As a young boy, I was taught in high school that hacking was cool." -Kevin Mitnick

"It's easy to point and click programs, but that's not real hacking." -illwill

#9 Jeffrey (Specialist, Sergeant Major, 1,109 posts)

Posted 06 December 2006 - 10:00 AM

Hmm, how about this? Disable all traffic except that which you know is not P2P traffic? Also an application-level firewall would be helpful as well...

1) Disable the traffic by port
2) Implement a protocol-based recognition filter

;)
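The two port-level strategies in the thread, "block the known P2P ports" (and the listed eDonkey server addresses) versus "allow only the ports you know you need", behave very differently once a client moves to another port. The following added example (mine, not from the thread) evaluates the same set of outgoing connections against both policies with a first-match rule engine, the way an iptables chain with a default policy would. The server list, the destination addresses (documentation ranges) and the allowed services are constructed for the example; the port numbers are the well-known defaults of Kazaa, eDonkey, Gnutella and BitTorrent.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Conn:
    proto: str     # "tcp" or "udp"
    dst: str       # destination address, dotted quad
    dport: int


@dataclass
class Rule:
    action: str                                  # "allow" or "deny"
    proto: Optional[str] = None                  # None matches both protocols
    dst: Optional[ipaddress.IPv4Network] = None  # None matches any destination
    ports: Optional[range] = None                # None matches any destination port
    note: str = ""

    def matches(self, c: Conn) -> bool:
        if self.proto is not None and self.proto != c.proto:
            return False
        if self.dst is not None and ipaddress.ip_address(c.dst) not in self.dst:
            return False
        if self.ports is not None and c.dport not in self.ports:
            return False
        return True


class EgressPolicy:
    """Ordered rules, first match wins, default action otherwise."""
    def __init__(self, rules: List[Rule], default: str):
        self.rules, self.default = rules, default

    def decide(self, c: Conn) -> str:
        for r in self.rules:
            if r.matches(c):
                return r.action
        return self.default


def deny_rules_from_server_list(text: str) -> List[Rule]:
    """Turn a 'host:port' per line server list into deny-everything-to-host rules.
    Comments and malformed lines are skipped rather than silently widened."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        try:
            net = ipaddress.ip_network(host, strict=False)
            int(port)                       # validated so a garbled line is noticed
        except ValueError:
            continue
        rules.append(Rule("deny", None, net, None, f"listed server {line}"))
    return rules


# Constructed sample in the host:port form of the published eDonkey server lists.
SERVER_LIST = """\
203.0.113.10:4661   # server A
203.0.113.11:4242
198.51.100.0/24:4661  # a whole hosting netblock
not-an-ip:4661
"""

P2P_PORT_DENYLIST = [
    Rule("deny", "tcp", ports=range(1214, 1215), note="FastTrack/Kazaa"),
    Rule("deny", "tcp", ports=range(4661, 4663), note="eDonkey TCP"),
    Rule("deny", "udp", ports=range(4665, 4673), note="eDonkey UDP"),
    Rule("deny", "tcp", ports=range(6346, 6348), note="Gnutella"),
    Rule("deny", "tcp", ports=range(6881, 6890), note="BitTorrent"),
]

# Strategy 1: default allow, deny the known ports and listed servers.
denylist_policy = EgressPolicy(P2P_PORT_DENYLIST + deny_rules_from_server_list(SERVER_LIST), "allow")

# Strategy 2: default deny, allow only the services the site actually needs (assumed).
allowlist_policy = EgressPolicy(deny_rules_from_server_list(SERVER_LIST) + [
    Rule("allow", "udp", ipaddress.ip_network("192.0.2.53/32"), range(53, 54), "internal resolver"),
    Rule("allow", "tcp", ports=range(80, 81), note="web"),
    Rule("allow", "tcp", ports=range(443, 444), note="web (TLS)"),
    Rule("allow", "tcp", ipaddress.ip_network("192.0.2.25/32"), range(25, 26), "mail relay"),
], "deny")

CONNECTIONS = {
    "browser": Conn("tcp", "192.0.2.80", 443),
    "edonkey_default": Conn("tcp", "192.0.2.99", 4662),
    "edonkey_on_80": Conn("tcp", "192.0.2.99", 80),       # client moved to a web port
    "edonkey_server": Conn("tcp", "203.0.113.10", 4661),
    "server_netblock_odd_port": Conn("tcp", "198.51.100.7", 9999),
    "kazaa_on_8080": Conn("tcp", "192.0.2.99", 8080),
    "dns_internal": Conn("udp", "192.0.2.53", 53),
    "dns_external": Conn("udp", "203.0.113.53", 53),
}


def evaluate(policy: EgressPolicy, conns: Dict[str, Conn]) -> Dict[str, str]:
    return {name: policy.decide(c) for name, c in conns.items()}


if __name__ == "__main__":
    d, a = evaluate(denylist_policy, CONNECTIONS), evaluate(allowlist_policy, CONNECTIONS)
    for name in CONNECTIONS:
        print(f"{name:<26} denylist={d[name]:<6} allowlist={a[name]}")
```

The port denylist only catches clients still on their default ports; the allowlist closes the non-standard ports but still passes eDonkey once it moves to TCP 80, which is exactly the gap that step 2, protocol recognition, has to fill. The address list holds regardless of port, but only for servers somebody has already listed.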

#10 packet (Specialist, Sergeant Major, 649 posts)

Posted 06 December 2006 - 09:18 PM

Port blocking can stop a little, but really layer-7 analysis is needed to actually stop them. There are many commercial options out there like Websense, SurfControl, or Blue Coat that can stop P2P traffic flowing through their proxies, and some open-source ones mentioned before. There are also URL lists to help generic proxies try to block the traffic. Also IDP systems like Snort, Sourcefire, Juniper, etc. can stop most P2P traffic...

And I have to respond to AgentOrange even though it sounded a little "troll like": in a corporate environment it is not your network, bandwidth, or system to use as you feel like. If corporate policy says you can't, A: you just shouldn't and B: I can do anything I want to stop you (including firing you). Go home and get your dose of free speech and porn, just use your own machine and your own bandwidth.

Plus think of all the viruses and other malicious files that exist on file-sharing networks, yet another way to get bad stuff into the corporate network.

Now at a university it's a little different as you are paying for that Internet connection either through tuition or outright "tech" fees. In any case all I can say is as long as you don't hog the bandwidth I don't see a huge issue, so time to whip out the Packeteer and rate limit your massive porn downloads.

--P>G>>
Abusus non tolit usum
The gopher is back!

#11 drygol (Corporal, Members, 153 posts)

Posted 06 December 2006 - 11:27 PM

Yup, only a content-filtering firewall/router is able to stop all that P2P traffic.
I used to fight it (in the times of Kazaa's glory, so kind of a long time ago) with squid + header matching based on iptables, but it's an endless deathmatch :/
New P2P software is released far too often to keep up with it.

#12 Jeffrey (Specialist, Sergeant Major, 1,109 posts)

Posted 07 December 2006 - 01:39 PM

The best way to recognize something that shouldn't be there is to know what should. In my classes I have not gotten to the network layers yet, but it seems smart to me to only allow what you know is what you want and disallow everything else. And then from there you filter based on protocol detection because, like said previously, there are too many new P2P programs coming out and you cannot get a signature on all of them. What you need is a protocol analysis that only lets through a valid protocol packet for the protocol that is supposed to be on that port. I don't know much about the software used in these techniques, so I can't mention any of them ;)

#13 Glyph (General of the Army, GSO Management, 1,602 posts)

Posted 08 December 2006 - 06:28 AM

Most of the bandwidth 'shaping' appliances understand the P2P protocols very well.
Simply tune the bandwidth allowed to 0, thus effectively disabling P2P altogether.

#14 Jeffrey (Specialist, Sergeant Major, 1,109 posts)

Posted 08 December 2006 - 11:34 AM

I am not following you... so you are saying that you can detect a P2P protocol by the amount of bandwidth that is used? Considering that some of the Gnutella protocol is similar to HTTP traffic, I would have to see it to believe it... there is not just "one" protocol that is used... I could make up my own if I wanted to. I could make it any size I wanted with packing.

#15 packet (Specialist, Sergeant Major, 649 posts)

Posted 08 December 2006 - 11:53 AM

Nope, the bandwidth-shaping applications are doing a full layer-7 analysis of the traffic to classify it. In fact they are one of the most accurate I've seen for classification of traffic types. Once they have identified the traffic, policies can be applied to how much bandwidth they will dedicate per session, per user, or in total. Dropping it to 0 blocks it; normally folks put it at 2k so you are allowed to connect but you are never able to transfer any data.

The best way to use these devices is to set up groups of applications, starting with normal ones that should be allowed as much as possible, then ones that are OK but shouldn't take precedence like RealPlayer, then dump everything else into the crap bin and limit it down.

--P>G>>
Abusus non tolit usum
The gopher is back!
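The "2k so you can connect but never transfer" policy above is a token bucket with a tiny refill rate. The following added example (mine, not the thread's or any shaper vendor's code) implements that bucket and the class grouping packet describes: a wide-open class, a capped lower-priority class, a 2 KB/s "crap bin" and a hard block. The class rates, burst depths and the simulated flow (a 68-byte handshake followed by 100 full segments over one second) are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TokenBucket:
    """Classic token bucket: `rate` bytes/second trickle in up to a depth of
    `burst` bytes; a packet is forwarded only if the bucket holds its size."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst            # start full so a handshake gets through

    def admit(self, now: float, size: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.rate <= 0 or size > self.tokens:   # rate 0 = class blocked outright
            return False
        self.tokens -= size
        return True


# Assumed per-class policy (bytes/second, burst bytes) following the grouping in
# the post above: normal traffic wide open, tolerated-but-deprioritised traffic
# capped, everything unknown or unwanted in the "crap bin", and a hard block.
CLASS_POLICY: Dict[str, Tuple[float, float]] = {
    "normal": (10_000_000, 20_000_000),
    "lower_priority": (256_000, 512_000),
    "junk": (2048, 4096),          # the "2k" setting: connects, never really transfers
    "blocked": (0, 0),
}


def run_flow(cls: str, packets: List[Tuple[float, int]]) -> Tuple[int, int]:
    """Push (timestamp, size) packets of one flow through its class bucket;
    return (bytes forwarded, packets dropped)."""
    rate, burst = CLASS_POLICY[cls]
    bucket = TokenBucket(rate, burst)
    forwarded = dropped = 0
    for t, size in packets:
        if bucket.admit(t, size):
            forwarded += size
        else:
            dropped += 1
    return forwarded, dropped


def time_to_transfer(size: int, cls: str) -> float:
    """Seconds a sustained transfer of `size` bytes needs under a class cap
    (infinite when the class is blocked)."""
    rate, burst = CLASS_POLICY[cls]
    if rate <= 0:
        return float("inf")
    return max(0.0, (size - burst) / rate)


# Constructed flow: a 68-byte handshake, then 100 full 1460-byte segments
# sent 10 ms apart (about 1.2 Mbit/s offered load over one second).
BULK_FLOW: List[Tuple[float, int]] = [(0.0, 68)] + [(0.01 * i, 1460) for i in range(1, 101)]

if __name__ == "__main__":
    for cls in CLASS_POLICY:
        fwd, drop = run_flow(cls, BULK_FLOW)
        print(f"{cls:<15} forwarded={fwd:>7} bytes dropped={drop:>3} packets "
              f"700MB takes {time_to_transfer(700_000_000, cls):,.0f} s")
```

In the "junk" class the handshake and a couple of segments pass on the initial burst, then only about two segments per second trickle through, so the connection stays up while a 700 MB download would take roughly four days; at rate 0 nothing passes at all, which is the difference between Glyph's "tune it to 0" and packet's "2k".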




