Blocking P2P traffic & scheduling access

RouterOS General
1

Hello,

We deploy Routerboards to remote offices to provide guest wireless access. We are regularly receiving notices from ISPs that wireless users are downloading movies from a honeypot. The team who deploys and manages the configuration has had problems getting the unit to drop the traffic so I’m hoping this community can point us in the right direction. We risk having the service terminated if we can’t mitigate this activity.

The device is a Routerboard 951Ui-2HnD, version 6.40.4, firmware ar9344, current firmware 3.22. I’m not sure what all they’ve tried in the past, but looking in the config of a specific router where the problem exists, I see an L7 rule with this regexp:

^(\x13bittorrent protocol|azver\x01$|get /scrape?info_hash=get /announce?info_hash=|get /client/bitcomet/|GET /data?fid=)|d1:ad2:id20:|\x08’7P)[RP]

Also, is there a way to schedule availability of the services. For example, only allow wireless connections between certain hours of certain days.

Thank you.

2

Additional feedback on what was previously attempted:

3

ShadeOfSpirit pointed me to this PDF: https://mum.mikrotik.com/presentations/RU17M/presentation_4715_1508314218.pdf

I’m not sure I did everything correctly because I don’t understand what appears to be Russian. I was little disappointed the commands in the PDF were images so I couldn’t highlight the text to reduce typos. I ended up with the following, with my internal clients using 192.168.88.0/24. There were more entries in the p2p-seeds list in the PDF but later it seemed to indicate additional entries are dynamically added to the p2p-list? As a result I don’t think I have the p2p-seeds list setup correctly?

/ip firewall address-list
add address=address1 list=p2p-seeds

/ip firewall layer7-protocol
add name=l7-filter regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=Scrape regexp="get /scrape\\\?info_has="
add name=Announce regexp="^get /announce\\\?info_hash="
add name=Bitcomet regexp="^ /client/bitcomet/"
add name=FID regexp="^GET /data\\\?fid="
add name=DHT regexp="^d1:.d2:id20:
add name=Azver regexp="^azver\01\$"
add name=RP regexp="\08'7P\\) [RP]"
add name=BitTorrent regexp="\13bittorrent protocol"
add name=ut_pex regexp=.*:md11:.*:ut_pex.*:
add name="\B5TP_FIN" regexp="^\11\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_STATE" regexp="^!\11\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_RESET" regexp="^1\11\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_SYN" regexp="^A\11\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name=bittorrent_Teredo regexp="^`.*\13bittorrent protocol"
add name=DHT_Teredo regexp="^`.*d1:[a|r]d2:id20:.*y1:[q|r]e"
add name=ut_pex_Teredo regexp="^`.*:md11:.*:ut_pex.*"
add name="\B5TP_SYN_Teredo" regexp="^`.*A\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_STATE_Teredo" regexp="^`.*!\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_RESET_Teredo" regexp="^`.*1\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_FIN_Teredo" regexp="^`.*\11\00.{2}.{4}.{4}.{4}.{2}.{2}"

/ip firewall mangle
add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=none-dynamic chain=forward dst-address=192.168.88.0/24 layer7-protocol=l7-filter src-address-list=!p2p-seeds
add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=none-dynamic chain=forward dst-address-list=!p2p-seeds layer7-protocol=l7-filter src-address-list=192.168.88.0/24
add action=mark-connection chain=forward new-connection-mark=p2p-cmark passthrough=yes src-address-list=p2p-seeds
add action=mark-connection chain=forward dst-address-list=p2p-seeds new-connection-mark=p2p-cmark passthrough=yes
add action=mark-packet chain=forward connection-mark=p2p-cmark new-packet-mark=p2p-mark passthrough=no
Help blocking P2P traffic
4

If you go to uTorrent Options → Preferences → BitTorrent → Protocol Encryption and set Outgoing to Enabled, you can forget all about blocking torrent.
All data will be invisible for any filter you try to setup.

5

Sigh, I just finished translating that document :slight_smile: Any other ideas on how to discourage it’s use through our technology? Shape the P2P traffic to a very slow rate? We’d be chasing our tail when blocking the MAC address if they know how to spoof it.

6

be careful with config with from this presentation - it works very good (no matter what torrent client, en-scripted or not). but it have one big minus - if your have a device with not enough memory (RAM) you will run out of it rather fast (at the end of presentation there is some information about uptime and used memory). as a variant - add hosts to the list for a certain period of time.

7

Some observations on a home connection with a hAP AC:

-Config shared above by evcass doesn’t seem to have any effect, even after adding a couple of Drop rules that match the packet and connection marks and the src and dst address lists, just in case. Torrents still flowed freely (though the counters in those firewall rules did increment up a bit).
-I do get addresses added to the address list, though. After two sample torrents, I had about 400 addresses in the address list.
-After these test torrents, I ended up with ~97MB free of 128MB, so at least light, single-user torrenting doesn’t seem to fill RAM up super fast (I was worried a single torrent might kill my router).
-Turning on L7 filtering dropped my downstream throughput to about 200mbps with ~65% CPU usage (vs. ~500mbps with ~25% CPU usage without it). Be aware that filtering doesn’t come without a performance cost.

I know they’ve worked really hard at making torrents hard to block, but when guests abuse my connection and my service is at risk of being cut off (or I’m at risk for legal action), it’s quite frustrating…