Torch screen capture - What do you think he/she is doing?

kolorasta · November 30, 2006, 4:38am

What do you think this client is doing. He/she is doing this kind of stuff all day

mneumark · November 30, 2006, 5:05am

That looks like P2P using Random Ports. You might want to consider limiting TCP connections down to a certain number. Or impliment some P2P rules.

kolorasta · November 30, 2006, 12:31pm

i looks like a p2p

but when i go to IP/Firewall/Connections … there aren’t any connections detected as P2P for this user

and i’ve got this rule in firewall

3 ;;; Drop P2P
chain=forward p2p=all-p2p connection-state=established action=drop

normis · November 30, 2006, 12:35pm

could be encrypted uTorrent or Azureus

janisk · November 30, 2006, 12:45pm

it seems they have advanced in their technology in hiding from this filter rule. here in forums macgaiver posted configuration that could fight that “bastardo”

kolorasta · November 30, 2006, 2:54pm

you mean this thread? http://forum.mikrotik.com/t/firewall-rule/8179/1

kolorasta · November 30, 2006, 3:06pm

these can’t be dropped?

bjohns · December 1, 2006, 1:11am

Not easily - deep packet inspection isn’t possible due to the encryption. Other means of tagging the packets will need to be devised and I think that’s easier said than done. I haven’t specifically looked at such traffic although if they’re anything like Skype traffic…

111111 · December 2, 2006, 12:18am

there is a simple variant
make list of torrent servers and block it
block and ports biger then 1024

jdejansb · December 2, 2006, 3:44pm

That seems like a nice idea - if one exceeds (for example) 300 connections - HE will have problems with other progs (messengers, browsers, send/recv emails…)

Btw, how to limit number of connections for pppoe user(s)??

D.

kolorasta · December 3, 2006, 4:03pm

where can i obtain a list of torrent servers?

111111 · December 3, 2006, 4:13pm

where can i obtain a list of torrent servers?

hard to be find
http://torrents.to/
have lot of torrent server listed, i see 300+

other variant
block web pages with “bt.” “torrent” “torrents”

and maby hard hardest thing
see most used addreses on port 80 in time before begin big downloads

jo2jo · December 3, 2006, 9:10pm

your best bet is to just queue ports above 1024…and then just look for other legitmate ports that you customers use and open those one at a time or 3 at a time accordingly.

also another thing that most ppl dont think of when looking at a torch scan is that it can be Xbox Live or somekind of online gaming in which your customer is the host…

i.e. i did some tests and when i’m hosting a online game on my xbox 360 you will see a spread of ports and dst’s with consistant TX on each..some more than others

111111 · December 3, 2006, 11:21pm

jo2jo i thing kolorasta want to block traffic on personal of establishment or somthing else were internet is not for games and p2p.
If kolorasta is provider on home users, he will not stop p2p becouse he will waste his clients