[kwlug-disc] Blocking Bittorrrent

B.S. bs27975 at yahoo.ca
Mon Nov 16 21:24:05 EST 2015


You are trying to solve a social problem with technology, thus you will always fail - they keep building better idiots. You know this, but obviously feel compelled to try and put some limits on it, and wouldn't without reason. [As long as USB keys are allowed, or cameras, or cell phones, or there is a key to a door, users remain the likeliest point of security failure, not technology.]

First line of defense is education. Either that hasn't been sufficiently successful for you, or you don't have the budget for it.

First question is ... what makes you think this is a, or the, problem. And what I really mean by that is, can you identify particular users or locations where this is most prevalent? e.g. Public or volunteer users? If so, can you segregate them or vlan them off so you can put controls on just that group?

Can you reverse your thinking? Instead of default allow all rules, can you default to deny all, with exceptions?

e.g. Only permit ports 80 and 443? [On the non-server / non-IT machines, which means subnetting such off.]

So far as I know, your most likely line of success will be to set up / require web proxies. (Assuming least of the torrenting is happening via browser.) You can then open the well known ports for everything else (ssh, samba, sip, etc.) - resulting in closing everything else off, unless it comes from the proxy. And even on the proxy you could max out per ip outgoing connections - attempts to talk to more than, say, 10 peers at once, would fail.

Inevitably that will have its own pain, but it's faster to grease a squeaky wheel brought to your attention than to find a hidden leak.



----- Original Message -----
> From: Paul Nijjar <paul_nijjar at yahoo.ca>
> To: kwlug-disc at kwlug.org
> Cc: 
> Sent: Monday, November 16, 2015 8:41 PM
> Subject: [kwlug-disc] Blocking Bittorrrent
> 
> 
> Once again, I have found myself on Santa's naughty list, and I am
> tired of it. Thus I have decided to transition into full-blown evil.
> (The consequences for both Christmas presents and Judgement Day appear
> to be similar, and it is not as if I am going to make any progress
> going the other way.) Thus, I would like to become a mini-Rogers and block
> bittorrent on our network. 
> 
> The firewall is pfSense.
> 
> pfSense has layer-7 filtering, but it only works for unencrypted
> traffic, so unless I can implement a MITM attack I am probably not
> going to be able to use it to block Bittorrent. 
> 
> You can't block bittorrent based on ports, because Bittorrent can use
> many different ports. 
> 
> You can't block it based on IP address. 
> 
> I can sometimes identify likely torrent traffic by looking at the
> incoming connections that are blocked by the firewall. A lot of
> incoming connections to the same port often indicates torrent traffic,
> but does not help me block people from making incoming torrent
> connections. 
> 
> I could take a page out of Rogers's playbook and attempt to slow down
> all encrypted traffic (or even block it all, which is pretty evil but
> would make web surfing and SSH inconvenient). I am not sure whether
> pfSense could even identify encrypted traffic, but some L7 filtering
> might make it possible. I could potentially allow encrypted traffic
> over a few ports (22, 443, whatever SMTP uses) but then Bittorrent
> just will use 443 again. 
> 
> Maybe I could flag computers that make a lot of simultaneous
> connections? But then if Khalid ever visits TWC (as he will this
> Thursday, when the local Drupal group is having a Drupal release
> party) then he will be flagged, because he always has some ridiculous
> number of tabs open in his web browser. 
> 
> I have been poking around on the Internet, but have not found any good
> suggestions thus far. Can you help me be evil?