I have a customer behind my MT 2.8 that has started uploading at continuous maximum rate. I can see that the IP addresses he is connecting to are cable/DSL subscribers so I suspect this is P2P traffic. I have a firewall rule to log all P2P traffic but it’s not catching it. Is there a way I can find out more about what sort of traffic this is so that I can throttle it back?
Thanks, mp3turbo2, but I already have a simple queue in place for this customer (and all others) and I have reduced his speed slightly while I investigate.
So, I can contact him and tell him he is violating terms of service (which he is), but I would rather gracefully throttle back just the protocol that is using so much bandwidth.
Do you notice common ports to the destination addresses that this user is connected to? Take a look at the connections part of the firewall. You can look up the port(s) to determine what p2p app is being used.
76 A 192.168.51.107:4495 85.70.29.130:34539 tcp established 4d14h55m30s
77 A 192.168.51.107:3682 148.233.221.14:15749 tcp established 4d3h27m52s
78 U 192.168.51.107:2162 172.131.163.90:49340 tcp established 4d12h21m23s
79 A 192.168.51.107:2631 172.186.179.50:14183 tcp established 4d19h42m50s
80 A 192.168.51.107:3085 172.189.149.168:16847 tcp established 4d3h51m17s
81 A 192.168.51.107:3461 196.1.169.76:41482 tcp established 4d7h41m58s
82 U 192.168.51.107:3740 200.10.69.160:12930 tcp established 4d6h14m1s
83 A 192.168.51.107:1028 200.52.185.92:10785 tcp established 4d12h26m28s
84 A 192.168.51.107:1041 200.52.185.92:10785 tcp established 4d12h47m26s
85 A 192.168.51.107:1328 200.52.185.92:10785 tcp established 4d12h27m15s
86 A 192.168.51.107:1364 200.52.185.92:10785 tcp established 4d13h19m47s
87 A 192.168.51.107:1475 200.52.185.92:10785 tcp established 4d12h58m58s
88 A 192.168.51.107:1624 200.52.185.92:10785 tcp established 4d12h28m1s
I also have trouble with P2P. I have a few Customers that constantly upload at the max bandwidth.
I have a Firewall mangle rule that is supposed to mark all-p2p from any IP to any IP with a flow mark of p2p-traffic, but nothing hits the rule. Any help is appreciated. Then a queue tree that shapes all flow mark p2p-traffic to 384000. All of a sudden nothing is being mangled…
I have watched the customers with torch and the connections are completely random. I suspect the traffic is BitTorrent (just from knowing the customers).
Does anyone know if they have changed the protocol so that MT does not recognize it???
Sorry GJS, those are quite random and at a glance hard to identify. Doesn’t Kazaa (or related p2p apps with this protocol) allow random ports? On average, how many connections does this guy have at any given time? Do any of the addresses run on ports between 6881 and 6889?
There are about 350 connections listed in the connections tab of the firewall for his IP address. I can’t see any ports between 6881 and 6889 being used.
Would burst limit be useful here? So that the connection slows when a long upload or download is being carried out? When does a burst limit “reset” back to allowing full bandwidth?
I’ve found that on a 2-port router acting as a PPPoE access concentrator I can control p2p up and down. I first Flow Mark the packets (using mangle) based on which IP address they are to / from (as I know my own addresses). Then I mark independently the up and down p2p packets. I have a queue tree for the up traffic with parent of the WAN NIC; this then has child queues of local traffic up and p2p up. I’ve never been too sure which parent I should use to limit down traffic, so I just have the one entry for p2p down with a parent of global-out.
If anyone can see a way to improve this I would be interested in knowing, but it does control p2p traffic perfectly. I also have scheduled tasks which take off most of these limits in the middle of the night.
Had an email from a user last week complaining that he had tried a lot of different p2p apps and none gave him very good performance.
As for p2p, do the mangle mark rules get updated with new p2p protocols on each release? Is it not stated in the changelog (often)? With this information I would know if it was worth upgrading to the latest MT rOS version.
I have a logging rule for all P2P traffic. This catches WinMX traffic perfectly, but shows nothing for the guy I’m having trouble with. So, presumably, no amount of mangling is going to help until the protocols are covered by MT.
Is there any way I can send details of this traffic to MT so that they could incorporate it in a future release?
Also, could you post your scripts for scheduled lifting of the limits at night? I have the user throttled back on all upload at the moment, via a simple queue, but I could lift the limits at certain times.
Just to round off this thread, thanks to Harvski who identified this traffic as warez (http://www.warez.com). After an upgrade to 2.8.22 this traffic is now being caught by P2P rules.
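An added example, not from any poster in this thread: a small Python script that answers the questions asked above about a pasted connection listing (connections per customer address, distinct remote hosts, any use of ports 6881-6889, and the most repeated remote endpoint). The sample lines are constructed in the column layout shown earlier; the function name `summarize` and the assumption that a flag letter is always present are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the column layout posted in the thread:
# index, flag, src:port, dst:port, protocol, state, timeout.
# Addresses are private/documentation ranges, not real peers.
SAMPLE = """\
0 A 10.0.0.7:4495 198.51.100.10:34539 tcp established 4d14h55m30s
1 A 10.0.0.7:3682 198.51.100.22:15749 tcp established 4d3h27m52s
2 U 10.0.0.7:2162 203.0.113.90:49340 tcp established 4d12h21m23s
3 A 10.0.0.7:1028 203.0.113.92:10785 tcp established 4d12h26m28s
4 A 10.0.0.7:1041 203.0.113.92:10785 tcp established 4d12h47m26s
5 A 10.0.0.7:1328 203.0.113.92:10785 tcp established 4d12h27m15s
6 A 10.0.0.8:1100 192.0.2.5:6881 tcp established 1h2m3s
garbled line that should be skipped
"""

# Assumption: every row carries a flag letter (A/U), as in the posted listing.
LINE = re.compile(
    r"^\s*\d+\s+\S+\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<state>\S+)"
)
BT_PORTS = range(6881, 6890)  # the 6881-6889 range asked about in the thread

def summarize(text):
    """Per local address: connection count, distinct remote hosts,
    connections to 6881-6889, and the most repeated remote endpoint."""
    hosts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip headers, blanks and damaged lines
        h = hosts.setdefault(m["src"], {"total": 0, "peers": set(),
                                        "bt": 0, "endpoints": Counter()})
        h["total"] += 1
        h["peers"].add(m["dst"])
        h["bt"] += int(m["dport"]) in BT_PORTS
        h["endpoints"][f'{m["dst"]}:{m["dport"]}'] += 1
    return {
        src: {"total": h["total"], "distinct_peers": len(h["peers"]),
              "bt_port_conns": h["bt"],
              "top_endpoint": h["endpoints"].most_common(1)[0]}
        for src, h in hosts.items()
    }

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s)
```

A high connection count spread over many distinct remote hosts on unrelated high ports, with nothing in 6881-6889, matches the pattern the posters describe as hard to identify by port alone.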