[kwlug-disc] Blocking Bittorrent

Khalid Baheyeldin kb at 2bits.com
Mon Nov 16 21:44:46 EST 2015


I have not seen Bittorrent traffic.

But what I am seeing recently on many sites is comment spammers coming
in over HTTP via Tor exit nodes, trying to register users and/or post SEO
comments.

Makes it very hard to do anything about them. Depending on the site we
either just let it be, as long as it is not too much of a resource drain,
or block the IP address, and then they pop back in after a few days on a
new one.

An arms race causing a whack-a-mole scenario ...

On Mon, Nov 16, 2015 at 8:41 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:

>
> Once again, I have found myself on Santa's naughty list, and I am
> tired of it. Thus I have decided to transition into full-blown evil.
> (The consequences for both Christmas presents and Judgement Day appear
> to be similar, and it is not as if I am going to make any progress
> going the other way.) Thus, I would like to become a mini-Rogers and block
> bittorrent on our network.
>
> The firewall is pfSense.
>
> pfSense has layer-7 filtering, but it only works for unencrypted
> traffic, so unless I can implement a MITM attack I am probably not
> going to be able to use it to block Bittorrent.
>
> You can't block bittorrent based on ports, because Bittorrent can use
> many different ports.
>
> You can't block it based on IP address.
>
> I can sometimes identify likely torrent traffic by looking at the
> incoming connections that are blocked by the firewall. A lot of
> incoming connections to the same port often indicates torrent traffic,
> but does not help me block people from making incoming torrent
> connections.
>
> I could take a page out of Rogers's playbook and attempt to slow down
> all encrypted traffic (or even block it all, which is pretty evil but
> would make web surfing and SSH inconvenient). I am not sure whether
> pfSense could even identify encrypted traffic, but some L7 filtering
> might make it possible. I could potentially allow encrypted traffic
> over a few ports (22, 443, whatever SMTP uses) but then Bittorrent
> just will use 443 again.
>
> Maybe I could flag computers that make a lot of simultaneous
> connections? But then if Khalid ever visits TWC (as he will this
> Thursday, when the local Drupal group is having a Drupal release
> party) then he will be flagged, because he always has some ridiculous
> number of tabs open in his web browser.
>
> I have been poking around on the Internet, but have not found any good
> suggestions thus far. Can you help me be evil?
>
> - Paul
>
> --
> http://pnijjar.freeshell.org


-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple, and
wrong. -- H.L. Mencken
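
The heuristic from the quoted message (many blocked incoming connections to the same port often indicate torrent traffic), written out as an added example that is not part of either poster's message. It only identifies the likely host and port; the log layout, the function names, the sample addresses and the thresholds are assumptions made for illustration, not pfSense's own log format.

```python
from collections import defaultdict

# Constructed sample of blocked inbound connections, in a simplified
# "epoch_seconds src_ip dst_ip dst_port" layout (an assumption for this
# example, not pfSense's actual log format).
SAMPLE_BLOCKED = """\
1447725600 198.51.100.7 203.0.113.10 51413
1447725605 198.51.100.23 203.0.113.10 51413
1447725611 192.0.2.88 203.0.113.10 51413
1447725620 192.0.2.140 203.0.113.10 51413
1447725633 198.51.100.201 203.0.113.10 51413
1447725640 198.51.100.7 203.0.113.10 51413
1447725650 192.0.2.5 203.0.113.11 22
1447725655 192.0.2.5 203.0.113.11 22
1447725660 192.0.2.5 203.0.113.11 22
1447729999 192.0.2.77 203.0.113.12 6881
"""

def parse(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])

def likely_torrent_targets(text, window=300, min_sources=5):
    """Return {(dst, dport): peak distinct-source count} for every blocked
    destination/port contacted by >= min_sources distinct remote addresses
    within any `window`-second span."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(text):
        events[(dst, dport)].append((ts, src))
    flagged = {}
    for key, hits in events.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({src for _, src in hits[start:end + 1]}))
        if peak >= min_sources:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    for (dst, dport), n in likely_torrent_targets(SAMPLE_BLOCKED).items():
        print(f"{dst}:{dport} hit by {n} distinct sources")
```

Counting distinct sources per destination port, rather than raw connection counts, keeps a single host retrying SSH from being flagged alongside a swarm of peers.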