[kwlug-disc] Blocking Bittorrent

bbierman42 at gmail.com bbierman42 at gmail.com
Mon Nov 16 21:03:26 EST 2015


You can block UDP on your network except DNS. Bittorrent uses UDP to send the packets. 

I'm not a pfSense admin, but there are good Snort signatures that can block a bunch of the traffic. If you can turn on IPS mode on the F/W you can block there.

As for the encrypted traffic, you have to do MITM to inspect it. No way around it.

The last thing is to find the trackers that people are using and blackhole the DNS resolutions. Set DNS entries in your F/W that resolve to 127.0.0.1 for the trackers. This is playing whack-a-mole though.

  Original Message  
From: Paul Nijjar
Sent: Monday, November 16, 2015 20:43
To: kwlug-disc at kwlug.org
Reply To: KWLUG discussion
Subject: [kwlug-disc] Blocking Bittorrent


Once again, I have found myself on Santa's naughty list, and I am
tired of it. Thus I have decided to transition into full-blown evil.
(The consequences for both Christmas presents and Judgement Day appear
to be similar, and it is not as if I am going to make any progress
going the other way.) Thus, I would like to become a mini-Rogers and block
bittorrent on our network. 

The firewall is pfSense.

pfSense has layer-7 filtering, but it only works for unencrypted
traffic, so unless I can implement a MITM attack I am probably not
going to be able to use it to block Bittorrent. 

You can't block bittorrent based on ports, because Bittorrent can use
many different ports. 

You can't block it based on IP address. 

I can sometimes identify likely torrent traffic by looking at the
incoming connections that are blocked by the firewall. A lot of
incoming connections to the same port often indicates torrent traffic,
but does not help me block people from making incoming torrent
connections. 

I could take a page out of Rogers's playbook and attempt to slow down
all encrypted traffic (or even block it all, which is pretty evil but
would make web surfing and SSH inconvenient). I am not sure whether
pfSense could even identify encrypted traffic, but some L7 filtering
might make it possible. I could potentially allow encrypted traffic
over a few ports (22, 443, whatever SMTP uses) but then Bittorrent
just will use 443 again. 

Maybe I could flag computers that make a lot of simultaneous
connections? But then if Khalid ever visits TWC (as he will this
Thursday, when the local Drupal group is having a Drupal release
party) then he will be flagged, because he always has some ridiculous
number of tabs open in his web browser. 

I have been poking around on the Internet, but have not found any good
suggestions thus far. Can you help me be evil?

- Paul 

-- 
http://pnijjar.freeshell.org
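
The observation in the original message (many blocked incoming connections to the same port often indicate torrent traffic) can be turned into a log check. This is an added example, not part of the thread: the CSV layout, sample lines, scanned-port list and threshold are constructed assumptions and not pfSense's native log format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in a simplified CSV layout (an assumption, NOT pfSense's
# native log format): time,action,direction,proto,src_ip,src_port,dst_ip,dst_port
SAMPLE_LOG = "\n".join(
    # Six distinct remote peers retrying one high UDP port on the WAN address
    [f"2015-11-16T20:0{i}:00,block,in,udp,198.51.100.{10 + i},{50000 + i},203.0.113.10,40123"
     for i in range(6)]
    # The same peer retrying must not inflate the count
    + ["2015-11-16T20:07:00,block,in,udp,198.51.100.10,50000,203.0.113.10,40123"]
    # Ordinary background scanning of SSH from three sources
    + [f"2015-11-16T20:1{i}:00,block,in,tcp,192.0.2.{20 + i},{41000 + i},203.0.113.10,22"
       for i in range(3)]
    # An allowed connection and a truncated line, both ignored
    + ["2015-11-16T20:20:00,pass,in,tcp,192.0.2.99,44321,203.0.113.10,443",
       "2015-11-16T20:21:00,block,in"]
)

# Ports that attract many unrelated scanners anyway (assumed list, tune locally)
SCANNED_PORTS = frozenset({22, 23, 80, 443, 3389})

def sources_per_port(log_text):
    """Map (dst_ip, proto, dst_port) -> set of source IPs seen in blocked inbound entries."""
    peers = defaultdict(set)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 8 or not row[7].isdigit():
            continue  # skip malformed or truncated lines
        _, action, direction, proto, src, _, dst, dport = row
        if action == "block" and direction == "in":
            peers[(dst, proto, int(dport))].add(src)
    return peers

def likely_torrent_ports(log_text, min_sources=5):
    """Return (dst_ip, proto, port, distinct_sources) tuples, busiest first."""
    hits = [(dst, proto, port, len(srcs))
            for (dst, proto, port), srcs in sources_per_port(log_text).items()
            if port not in SCANNED_PORTS and len(srcs) >= min_sources]
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for dst, proto, port, n in likely_torrent_ports(SAMPLE_LOG):
        print(f"{dst} {proto}/{port}: {n} distinct remote sources blocked")
```

Counting distinct sources rather than raw log lines keeps one noisy peer from triggering the flag. As the original message says, this identifies likely torrent traffic but does not by itself block it.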

