BeNBeN
just joined
Topic Author
Posts: 18
Joined: Fri Oct 09, 2009 3:13 pm

How to block encrypted p2p.

Thu Dec 10, 2009 7:53 am

I read the articles about p2p and they say you can limit or block all p2p connections but encrypted ones. There are 1200 people in my network and the bandwidth is not enough for all of them when some of them are downloading files through torrent. I blocked rapidshare etc. and all-p2p, but then they discovered the encryption method and I can't block them. So what would you do if you were me?

Thanks in advance.
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: How to block encrypted p2p.

Thu Dec 10, 2009 8:20 am

There is not much you can do.
You can block access to torrent sites.
Here you can find a good example:
http://gregsowell.com/?m=200910
 
butche
Trainer
Posts: 428
Joined: Fri May 28, 2004 6:14 pm
Location: Missouri, USA
Contact:

Re: How to block encrypted p2p.

Fri Dec 11, 2009 8:03 am

I have been working for a very long time on a QOS implementation that has been seeing GREAT results. This implementation is not free, but is ANYTHING that is worthwhile free? See a description here: http://blog.butchevans.com/2009/11/140/

For what it's worth, my approach does not block this traffic. It is intended to make this traffic, along with all other traffic that behaves "badly", step out of the way of more interactive traffic. While I can appreciate Greg's approach, it is not, in my opinion, the best approach since it WILL match a very large amount of traffic that is useful.
 
dyrdymal
just joined
Posts: 24
Joined: Thu Nov 26, 2009 9:15 pm
Location: IE/PL

Re: How to block encrypted p2p.

Fri Dec 11, 2009 10:50 am

I (partially) agree with butche's approach - try to identify the traffic that is "legitimate" and that is essential (voip, http etc). Prioritize this traffic and make sure it has required/enough bandwidth.
But do not _block_ other traffic - p2p will find another way if it's blocked. What you need to do is to _limit_ that traffic (so that from the point of view of p2p application it isn't blocked, it just has low bandwidth). This low bandwidth won't hurt you (make sure it's really low), p2p will still work (with very limited side effects in your network) and it won't actively search for another way...
While I'm not a mikrotik expert (yet :lol:) and I won't even try to provide you with the config (I'm sure butche will help if you can't do it yourself), this is the approach some big ISPs choose ;-)
Last edited by dyrdymal on Fri Dec 11, 2009 11:26 am, edited 2 times in total.
 
pedja
Long time Member
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Re: How to block encrypted p2p.

Fri Dec 11, 2009 11:21 am

I had good results with limiting connections. p2p tries to use a large number of connections, which actually degrades the network more than the bandwidth usage does.
 
dyrdymal
just joined
Posts: 24
Joined: Thu Nov 26, 2009 9:15 pm
Location: IE/PL

Re: How to block encrypted p2p.

Fri Dec 11, 2009 11:25 am

pedja wrote:
I had good results with limiting connections. p2p tries to use a large number of connections, which actually degrades the network more than the bandwidth usage does.

Yep - I'd limit both bandwidth and connections in a wireless network. _limit_ is the key word here...
 
kameelperdza
Member
Posts: 468
Joined: Thu Nov 27, 2008 11:45 am
Location: Oudtshoorn, South Africa

Re: How to block encrypted p2p.

Wed Dec 30, 2009 4:32 pm

What I did to stop p2p completely is to put a firewall (IPCop) between MikroTik and the internet. I have installed an addon with which I can administer and control ports.

If you can find a way to allow only the needed ports on your MikroTik RB then that would help. I'm only allowing ports 80, 25 and 110. P2P won't work because the ports are blocked.
 
butche
Trainer
Posts: 428
Joined: Fri May 28, 2004 6:14 pm
Location: Missouri, USA
Contact:

Re: How to block encrypted p2p.

Thu Dec 31, 2009 6:55 pm

kameelperdza wrote:
What I did to stop p2p completely is to put a firewall (IPCop) between MikroTik and the internet. I have installed an addon with which I can administer and control ports.

This "addon" is included in MikroTik. Not sure why you had to add another device.

kameelperdza wrote:
If you can find a way to allow only the needed ports on your MikroTik RB then that would help. I'm only allowing ports 80, 25 and 110. P2P won't work because the ports are blocked.

The "if you can find a way..." is VERY simple. Here is an example that will only allow port 80/TCP and 53/UDP:
/ip firewall filter
add chain=forward connection-state=established action=accept comment="replies for connections already accepted below"
add chain=forward connection-state=related action=accept comment="related connections, e.g. FTP data channels"
add chain=forward src-address=192.168.0.0/16 protocol=tcp dst-port=80 action=accept comment="LAN clients: HTTP"
add chain=forward src-address=192.168.0.0/16 protocol=udp dst-port=53 action=accept comment="LAN clients: DNS"
add chain=forward action=drop comment="everything else through the router is dropped"
 
andreacoppini
Trainer
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: How to block encrypted p2p.

Sat Jan 02, 2010 7:56 pm

I usually implement a system similar to Butch's, running completely on MikroTik.

I use the L7 filter to match all 'valid' traffic, then use simple FIFO Queues to prioritize this valid traffic, and put a hard bandwidth limit on the unmatched traffic (which mostly consists of p2p traffic).

See http://wiki.mikrotik.com/wiki/Basic_tra ... _protocols

It's all self-contained inside the MikroTik router itself, no external devices. It needs practically no maintenance since standard protocols (DNS, HTTP, FTP) rarely change structure, and those are the ones that are matched.

It does need a beefy router, but I usually only implement this at the upstream edge, where I usually have an RB1000 or a P4 at least anyway. CPU never goes above 10%. In one particularly bad environment (a hotel with about 500 rooms with free wired Ethernet access in each room) I was able to reduce upstream latency from 900-1500ms down to a steady 9ms.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: How to block encrypted p2p.

Sat Jan 02, 2010 8:21 pm

I started using connection rate classifier (>ROSv3.30) to separate bulk traffic from interactive. Works quite well, however controlling download traffic is hard if not impossible. I think it would be nice to be able to manipulate TCP window scaling just like MSS.

The thing I'm looking at atm is changing the MSS size of bulk traffic during download congestion to lower downlink latency for interactive traffic.

regards,
Michael
 
andreacoppini
Trainer
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: How to block encrypted p2p.

Sat Jan 02, 2010 8:30 pm

Would the connection rate classifier work with p2p traffic? P2P transactions tend to be short and bursty, with the only common parameter being the src-IP (the client running the P2P software). P2P swallows bandwidth exactly because it behaves like a really large and distributed web page download.

I thought conn. rate classifier only works on large HTTP/FTP transfers, since they are usually static connections with lots of traffic going through that single connection.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: How to block encrypted p2p.

Sat Jan 02, 2010 8:46 pm

andreacoppini wrote:
with the only common parameter being the src-IP (the client running the P2P software)

That's where PCQ helps. Set up PCQ to ID traffic by src IP and the p2p client will only get a portion of the bandwidth.

In my approach I don't need to limit traffic, only stop one client from overpowering others and give more bandwidth to web browsing, music streaming, voip. If there's only p2p on the line I'm ok with it taking up all the bandwidth.

I'll tell you, in secret :D, I'm also looking at scripting a classifier that will account for total traffic per client to make shaping more fair...

Michael

EDITED for clarity.
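The connection-rate plus PCQ scheme that rmichael describes in these two posts (rate-based separation of bulk from interactive traffic, then PCQ keyed on the client address so no single client overpowers the others), as an added example; it is not rmichael's configuration and not from the thread. It assumes RouterOS v6 syntax, a LAN of 192.168.0.0/16 on ether2 with ether1 as the uplink, a 512k/12M link, and a 200k rate threshold; those figures, the queue names and the marks are all illustrative assumptions.

```routeros
# Added example of rate classification plus PCQ (assumed RouterOS v6 syntax,
# assumed interfaces ether1 = uplink, ether2 = LAN, assumed 512k/12M link).

# 1. connection-rate matcher (present since RouterOS 3.30): once a connection
#    sustains more than 200 kbit/s it is marked "bulk" and keeps that mark.
#    Short, bursty p2p connections rarely cross the threshold one by one,
#    which is the limitation raised in the reply above; PCQ covers that case.
/ip firewall mangle
add chain=forward connection-mark=!bulk-conn connection-rate=200k-100M \
    action=mark-connection new-connection-mark=bulk-conn passthrough=yes
add chain=forward connection-mark=bulk-conn \
    action=mark-packet new-packet-mark=bulk passthrough=no
add chain=forward connection-mark=!bulk-conn \
    action=mark-packet new-packet-mark=interactive passthrough=no

# 2. PCQ queue types that give every LAN address its own sub-queue:
#    src-address for uploads, dst-address for downloads. pcq-rate=0 means no
#    per-client cap, so a p2p client gets a fair share rather than a fixed limit.
/queue type
add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=0
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=0

# 3. Queue tree: interactive traffic gets priority 1 (best), bulk gets 8
#    (worst); within each class PCQ shares the bandwidth between clients.
/queue tree
add name=up parent=ether1 max-limit=512k
add name=up-interactive parent=up packet-mark=interactive priority=1 queue=pcq-up
add name=up-bulk parent=up packet-mark=bulk priority=8 queue=pcq-up
add name=down parent=ether2 max-limit=12M
add name=down-interactive parent=down packet-mark=interactive priority=1 queue=pcq-down
add name=down-bulk parent=down packet-mark=bulk priority=8 queue=pcq-down
```

PCQ keyed on the address is what turns "one client with hundreds of p2p connections" into "one client with one share": the sub-queue is per address, not per connection. To see it working, watch /queue tree print stats while a known heavy client downloads; the bulk queue should fill while the interactive counters stay low.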
 
derr12
Member
Posts: 411
Joined: Fri May 01, 2009 11:32 pm

Re: How to block encrypted p2p.

Tue Mar 02, 2010 9:48 pm

We bought butch's filtering method, and so far it seems to work pretty well; running a single MikroTik RB450G with 40 or 50 PPPoE users it never gets above 35% when the AP is maxed (about 3mbit). We have several dozen sites like it running the same setup with great results. I also have a rule to do a TCP reset at 61 connections per user.

Not sure how it would work in a non-distributed single MikroTik network though. I would imagine lots of users with some heavy bandwidth would require a pretty uber-box.
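The per-user connection cap with a TCP reset that derr12 mentions (and the connection limiting pedja recommended earlier in the thread), as an added example rather than anyone's posted rules. It assumes RouterOS v6 syntax, subscribers in 192.168.0.0/16, and a limit of 61 concurrent TCP connections per /32 as in the post; the address-list name and its timeout are assumptions.

```routeros
# Added example of per-client TCP connection limiting (assumed RouterOS v6
# syntax, assumed subscriber range 192.168.0.0/16, 61 per /32 as in the post).
/ip firewall filter
# Keep already-accepted connections flowing; only new ones are counted below,
# so a client that is over the cap loses new connections, not existing ones.
add chain=forward connection-state=established,related action=accept
# Record the client first (assumed list name): add-src-to-address-list does
# not stop rule processing, so the reset rule below still fires. The list is
# where you check who keeps hitting the cap before tuning the number.
add chain=forward protocol=tcp connection-state=new src-address=192.168.0.0/16 \
    connection-limit=61,32 action=add-src-to-address-list \
    address-list=conn-limit-hit address-list-timeout=10m
# Answer the excess SYNs with a TCP reset, so the client's application gives
# up on that connection immediately instead of retrying until it times out.
add chain=forward protocol=tcp connection-state=new src-address=192.168.0.0/16 \
    connection-limit=61,32 action=reject reject-with=tcp-reset
```

connection-limit=61,32 counts the connections tracked for each /32 source and matches once that count has reached 61, so connection tracking must be enabled for it to do anything. Compare /ip firewall address-list print against your user base before settling on the figure: a client running a few web browsers with speculative connections can sit closer to 61 than you might expect.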
 
BeNBeN
just joined
Topic Author
Posts: 18
Joined: Fri Oct 09, 2009 3:13 pm

Re: How to block encrypted p2p.

Sat Mar 06, 2010 1:08 pm

We also bought a machine that can recognize and block or limit encrypted p2p traffic and it works perfectly. It can also do lots of work but it is not relevant to this topic. It works between the internet and MikroTik. My problem is solved.
 
kameelperdza
Member
Posts: 468
Joined: Thu Nov 27, 2008 11:45 am
Location: Oudtshoorn, South Africa

Re: How to block encrypted p2p.

Sun Mar 07, 2010 12:23 pm

BeNBeN wrote:
We also bought a machine that can recognize and block or limit encrypted p2p traffic and it works perfectly. It can also do lots of work but it is not relevant to this topic. It works between the internet and MikroTik. My problem is solved.

So what is the name of the machine?
 
BeNBeN
just joined
Topic Author
Posts: 18
Joined: Fri Oct 09, 2009 3:13 pm

Re: How to block encrypted p2p.

Mon Mar 08, 2010 10:30 am

It is called "ipoque"; it is a German company's product. It works as a bridge and can limit or block everything by subscriber. For example I have lots of people playing World of Warcraft and I prioritized WoW packets, so they can play WoW very well when internet usage is very high.
 
kameelperdza
Member
Posts: 468
Joined: Thu Nov 27, 2008 11:45 am
Location: Oudtshoorn, South Africa

Re: How to block encrypted p2p.

Mon Mar 08, 2010 10:37 am

You should try IPCop. www.ipcop.org. It's free and also does the same stuff. You can add more things if you need to.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to block encrypted p2p.

Mon Mar 08, 2010 10:39 am

I don't understand how RouterOS can't block encrypted P2P? It does the same; why do you need to install another machine for this?
 
Muqatil
Trainer
Posts: 573
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK
Contact:

Re: How to block encrypted p2p.

Mon Mar 08, 2010 4:02 pm

Because those machines come with prepared rules that recognize the traffic.
Cheap network admins can just plug it on their networks and it works.
On routerOS you need knowledge about firewalling and packets.
I am fine with ROS :lol:
 
bakula
just joined
Posts: 14
Joined: Sun Jul 03, 2005 11:09 pm

µTorrent

Mon Mar 08, 2010 4:07 pm

 
andreacoppini
Trainer
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: How to block encrypted p2p.

Mon Mar 08, 2010 4:26 pm

I still think the 'inverse tagging' approach is the way to go.

Just mark all 'known clean' connections like HTTP, DNS, Skype with L7 filter, and put everything else at the lowest priority. Has been working wonderfully for almost a year at a 500-room hotel with wired ports in each room, on a 12Mb/512kb cable connection.

Latency is never > 100ms even under heavy usage.
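The "inverse tagging" layout andreacoppini describes here and in the earlier post (L7-match the known-clean protocols, give them priority, hard-limit everything else), as an added example; it is neither andreacoppini's configuration nor the wiki page's. It assumes RouterOS v6 syntax, ether1 as the uplink, ether2 as the LAN side, the 12M/512k link from the post, and a clean list of DNS, HTTPS, SIP and HTTP; the HTTP regexp is a simplified illustrative pattern, not the l7-filter pattern the wiki uses, and the marks, queue names and the 128k/2M ceilings are assumptions.

```routeros
# Added example of inverse tagging (assumed RouterOS v6 syntax, assumed
# interfaces ether1 = uplink, ether2 = LAN, assumed 12M/512k link).

# 1. A layer-7 matcher for plain HTTP requests. Simplified illustrative
#    regexp, not the wiki's; backslashes are doubled for the RouterOS CLI.
/ip firewall layer7-protocol
add name=http-req regexp="^(get|post|head|put|options) [^ ]+ http/1\\.[01]"

/ip firewall mangle
# 2. Connections that are still unmarked are tested against the clean list.
#    Port-only rules match on the very first packet; the L7 rule needs
#    payload, so an HTTP connection stays unmarked for a few packets.
add chain=prerouting connection-mark=no-mark protocol=udp dst-port=53 \
    action=mark-connection new-connection-mark=clean-conn passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=tcp dst-port=443 \
    action=mark-connection new-connection-mark=clean-conn passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=udp dst-port=5060 \
    action=mark-connection new-connection-mark=clean-conn passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=tcp dst-port=80 \
    layer7-protocol=http-req \
    action=mark-connection new-connection-mark=clean-conn passthrough=yes
# 3. Anything that has moved 2 KB without matching is "other" (mostly p2p).
#    The L7 engine stops looking after roughly that much data, so deciding
#    earlier would misfile HTTP connections whose request is not yet seen.
add chain=prerouting connection-mark=no-mark connection-bytes=2000-0 \
    action=mark-connection new-connection-mark=other-conn passthrough=yes
# 4. Packet marks drive the queues. Packets of still-undecided connections
#    are treated as "other" until classified, so nothing bypasses shaping.
add chain=prerouting connection-mark=clean-conn \
    action=mark-packet new-packet-mark=clean passthrough=no
add chain=prerouting \
    action=mark-packet new-packet-mark=other passthrough=no

# 5. Clean traffic gets top priority and may fill the link; "other" gets the
#    lowest priority and a hard ceiling, so it can never starve the rest.
/queue tree
add name=up parent=ether1 max-limit=512k
add name=up-clean parent=up packet-mark=clean priority=1 max-limit=512k
add name=up-other parent=up packet-mark=other priority=8 max-limit=128k
add name=down parent=ether2 max-limit=12M
add name=down-clean parent=down packet-mark=clean priority=1 max-limit=12M
add name=down-other parent=down packet-mark=other priority=8 max-limit=2M
```

The connection-bytes gate on the catch-all is the detail that makes L7 inverse tagging hold up: a TCP handshake carries no payload, so a catch-all that fired on the first packet would file every HTTP connection as "other" before its request had been seen, and the clean queues would stay empty. Check with /ip firewall mangle print stats and /queue tree print stats; if the clean counters barely move under normal browsing, the L7 rule is not seeing payload and the rule order needs a second look.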
 
kameelperdza
Member
Posts: 468
Joined: Thu Nov 27, 2008 11:45 am
Location: Oudtshoorn, South Africa

Re: How to block encrypted p2p.

Mon Mar 08, 2010 8:51 pm

andreacoppini wrote:
I still think the 'inverse tagging' approach is the way to go.

Just mark all 'known clean' connections like HTTP, DNS, Skype with L7 filter, and put everything else at the lowest priority. Has been working wonderfully for almost a year at a 500-room hotel with wired ports in each room, on a 12Mb/512kb cable connection.

Latency is never > 100ms even under heavy usage.

Wow, 12Mb, nice, wish I had that speed. I only have 1Mb.
 
Cr33p3r
just joined
Posts: 5
Joined: Thu Sep 10, 2009 7:29 pm
Location: Oklahoma

Re: How to block encrypted p2p.

Tue Mar 09, 2010 1:23 am

I purchased the QOS goodies from Butch about 6 months ago, it's been working flawlessly and is easy to add/change what I need to shape. If you're having issues wrapping your head around queues and QOS I would highly recommend spending $175 (assuming that's what it still costs) and a little time with Butch helping you set it up. You won't regret it :)
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to block encrypted p2p.

Tue Mar 09, 2010 9:09 am

+1 for andreacoppini approach
 
wisperer
newbie
Posts: 49
Joined: Sun Dec 07, 2008 1:55 am

Re: How to block encrypted p2p.

Wed Mar 10, 2010 8:31 am

BeNBeN wrote:
It is called "ipoque"; it is a German company's product. It works as a bridge and can limit or block everything by subscriber. For example I have lots of people playing World of Warcraft and I prioritized WoW packets, so they can play WoW very well when internet usage is very high.

Just wondering if you bought the prx 20?

Here in Canada it's around three thousand dollars.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: How to block encrypted p2p.

Thu Mar 11, 2010 7:40 am

http://forum.mikrotik.com/viewtopic.php?t=21178

I drop unencrypted and encrypted. Works like a charm.
Only flaw right now is that if a P2P program uses ONLY 443 for all its traffic and it is encrypted it will bypass my rules.
 
hotelpeertopeer
just joined
Posts: 1
Joined: Mon Jan 24, 2011 10:55 pm

Re: How to block encrypted p2p.

Mon Jan 24, 2011 11:21 pm

Have a look at www.hotelpeertopeer.com

They have a SaaS business model that makes sense (no Cap-ex) and defeats port scanning peer to peer technologies.

Blocking port 443 is useless against Kazaa and other port scanning peer to peer technologies. Only layer 7 deep packet inspection with a constantly updated database of P2P sites can effectively combat the problem. The other issue in hotels is, at a minimum, the ability to record and reproduce records of what MAC address went to what sites if the hotel is held liable for guests accessing illegal materials; the hotelpeertopeer guys can store 2 years of these records and/or back the records up via FTP.

Rich
