<div dir="ltr"><div>I have not seen Bittorrent traffic.<br><br>But what I am seeing recently on many sites is that comment spammers coming in over HTTP via Tor exit nodes, trying to register users and/or post SEO comments.<br><br></div><div>Makes it very hard to do anything about them. Depending on the site we either just let it be, as long as it is not too much of a resource drain, or block the IP address, and then they pop in back after a few days on a new one.<br><br></div><div>An arms race causing a whack-a-mole scenario ...<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 16, 2015 at 8:41 PM, Paul Nijjar <span dir="ltr"><<a href="mailto:paul_nijjar@yahoo.ca" target="_blank">paul_nijjar@yahoo.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Once again, I have found myself on Santa's naughty list, and I am<br>
tired of it. Thus I have decided to transition into full-blown evil.<br>
(The consequences for both Christmas presents and Judgement Day appear<br>
to be similar, and it is not as if I am going to make any progress<br>
going the other way.) Thus, I would like to become a mini-Rogers and block<br>
bittorrent on our network.<br>
<br>
The firewall is pfSense.<br>
<br>
pfSense has layer-7 filtering, but it only works for unencrypted<br>
traffic, so unless I can implement a MITM attack I am probably not<br>
going to be able to use it to block Bittorrent.<br>
<br>
You can't block bittorrent based on ports, because Bittorrent can use<br>
many different ports.<br>
<br>
You can't block it based on IP address.<br>
<br>
I can sometimes identify likely torrent traffic by looking at the<br>
incoming connections that are blocked by the firewall. A lot of<br>
incoming connections to the same port often indicates torrent traffic,<br>
but does not help me block people from making incoming torrent<br>
connections.<br>
<br>
I could take a page out of Rogers's playbook and attempt to slow down<br>
all encrypted traffic (or even block it all, which is pretty evil but<br>
would make web surfing and SSH inconvenient). I am not sure whether<br>
pfSense could even identify encrypted traffic, but some L7 filtering<br>
might make it possible. I could potentially allow encrypted traffic<br>
over a few ports (22, 443, whatever SMTP uses) but then Bittorrent<br>
just will use 443 again.<br>
<br>
Maybe I could flag computers that make a lot of simultaneous<br>
connections? But then if Khalid ever visits TWC (as he will this<br>
Thursday, when the local Drupal group is having a Drupal release<br>
party) then he will be flagged, because he always has some ridiculous<br>
number of tabs open in his web browser.<br>
<br>
I have been poking around on the Internet, but have not found any good<br>
suggestions thus far. Can you help me be evil?<br>
<span class="HOEnZb"><font color="#888888"><br>
- Paul<br>
<br>
--<br>
<a href="http://pnijjar.freeshell.org" rel="noreferrer" target="_blank">http://pnijjar.freeshell.org</a><br>
<br>
<br>
_______________________________________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" rel="noreferrer" target="_blank">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Khalid M. Baheyeldin<br><a href="http://2bits.com" target="_blank">2bits.com</a>, Inc.<br>Fast Reliable Drupal<br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken<br></div>
</div>