kolorasta
Member Candidate
Topic Author
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Torch screen capture - What do you think he/she is doing?

Thu Nov 30, 2006 6:38 am

What do you think this client is doing? He/she is doing this kind of stuff all day.

[Image: Torch screen capture]
 
mneumark
Member
Posts: 375
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA

Thu Nov 30, 2006 7:05 am

That looks like P2P using Random Ports. You might want to consider limiting TCP connections down to a certain number. Or implement some P2P rules.
 
kolorasta
Member Candidate
Topic Author
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Thu Nov 30, 2006 2:31 pm

It looks like a p2p

but when I go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user

and I've got this rule in firewall

3 ;;; Drop P2P
chain=forward p2p=all-p2p connection-state=established action=drop
 
normis
MikroTik Support
Posts: 24264
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Nov 30, 2006 2:35 pm

could be encrypted uTorrent or Azureus
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Nov 30, 2006 2:45 pm

> It looks like a p2p
>
> but when I go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user
>
> and I've got this rule in firewall
>
> 3 ;;; Drop P2P
> chain=forward p2p=all-p2p connection-state=established action=drop

It seems they have advanced in their technology in hiding from this filter rule. Here in the forums macgaiver posted a configuration that could fight that "bastardo" :)
 
kolorasta
Member Candidate
Topic Author
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Thu Nov 30, 2006 4:54 pm

> > It looks like a p2p
> >
> > but when I go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user
> >
> > and I've got this rule in firewall
> >
> > 3 ;;; Drop P2P
> > chain=forward p2p=all-p2p connection-state=established action=drop
>
> It seems they have advanced in their technology in hiding from this filter rule. Here in the forums macgaiver posted a configuration that could fight that "bastardo" :)

You mean this thread? http://forum.mikrotik.com/viewtopic.php ... =macgaiver
 
kolorasta
Member Candidate
Topic Author
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Thu Nov 30, 2006 5:06 pm

> could be encrypted uTorrent or Azureus

These can't be dropped?
 
bjohns
Member Candidate
Posts: 272
Joined: Sat May 29, 2004 4:11 am
Location: Sippy Downs, Australia

Fri Dec 01, 2006 3:11 am

> > could be encrypted uTorrent or Azureus
>
> These can't be dropped?

Not easily - deep packet inspection isn't possible due to the encryption. Other means of tagging the packets will need to be devised and I think that's easier said than done. I haven't specifically looked at such traffic although if they're anything like Skype traffic...
 
111111
Member Candidate
Posts: 194
Joined: Thu Oct 05, 2006 1:39 am
Location: BG,SOFIA

Sat Dec 02, 2006 2:18 am

There is a simple variant:
make a list of torrent servers and block it,
and also block ports bigger than 1024
 
jdejansb
Frequent Visitor
Posts: 66
Joined: Thu Jul 13, 2006 1:35 pm
Location: Srbija

Sat Dec 02, 2006 5:44 pm

> That looks like P2P using Random Ports. You might want to consider limiting TCP connections down to a certain number. Or implement some P2P rules.

That seems like a nice idea - if one exceeds (for example) 300 connections - HE will have problems with other progs (messengers, browsers, send/recv emails...)

Btw, how to limit number of connections for pppoe user(s)??

D.
 
kolorasta
Member Candidate
Topic Author
Posts: 299
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Sun Dec 03, 2006 6:03 pm

> There is a simple variant:
> make a list of torrent servers and block it,
> and also block ports bigger than 1024

Where can I obtain a list of torrent servers?
 
111111
Member Candidate
Posts: 194
Joined: Thu Oct 05, 2006 1:39 am
Location: BG,SOFIA

Sun Dec 03, 2006 6:13 pm

> Where can I obtain a list of torrent servers?

Hard to find.
http://torrents.to/
has a lot of torrent servers listed, I see 300+

Other variant:
block web pages with "bt." "torrent" "torrents"

And maybe the hardest thing:
see the most used addresses on port 80 in the time before big downloads begin
 
jo2jo
Forum Veteran
Posts: 958
Joined: Fri May 26, 2006 1:25 am

Sun Dec 03, 2006 11:10 pm

Your best bet is to just queue ports above 1024... and then just look for other legitimate ports that your customers use and open those one at a time or 3 at a time accordingly.

Also another thing that most ppl don't think of when looking at a torch scan is that it can be Xbox Live or some kind of online gaming in which your customer is the host...

i.e. I did some tests and when I'm hosting an online game on my Xbox 360 you will see a spread of ports and dst's with consistent TX on each.. some more than others
 
111111
Member Candidate
Posts: 194
Joined: Thu Oct 05, 2006 1:39 am
Location: BG,SOFIA

Mon Dec 04, 2006 1:21 am

jo2jo, I think kolorasta wants to block traffic for the personnel of an establishment or something else where internet is not for games and p2p.
If kolorasta is a provider for home users, he will not stop p2p because he will waste his clients
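
Added example, not part of the thread: since encrypted clients are not matched by the p2p filter rule, the connection-count idea raised above can be applied to connection-tracking data without inspecting payloads. The row format, the addresses (documentation ranges) and the thresholds are constructed assumptions, not values from any poster.

```python
from collections import defaultdict

# Constructed sample rows shaped like a connection-tracking export:
# (client_ip, protocol, remote_ip, remote_port)
def sample_connections():
    rows = []
    # Client A: many distinct peers on scattered high ports (the torch pattern)
    for i in range(60):
        rows.append(("192.0.2.10", "tcp", f"198.51.100.{i + 1}", 20000 + i * 137))
    # Client B: ordinary browsing and mail to a handful of servers
    for i in range(12):
        rows.append(("192.0.2.20", "tcp", f"203.0.113.{i % 4 + 1}", 80))
    rows.append(("192.0.2.20", "tcp", "203.0.113.9", 25))
    rows.append(("192.0.2.20", "tcp", "203.0.113.9", 110))
    return rows

def profile_clients(rows):
    """Aggregate per-client counters that need no payload inspection."""
    stats = defaultdict(lambda: {"conns": 0, "peers": set(), "high": 0})
    for client, _proto, remote_ip, remote_port in rows:
        s = stats[client]
        s["conns"] += 1
        s["peers"].add(remote_ip)
        if remote_port > 1024:          # same cut-off the thread discusses
            s["high"] += 1
    return stats

def flag_fanout(rows, max_conns=50, max_peers=30, high_port_ratio=0.8):
    """Return clients with many connections, many distinct peers and mostly
    high remote ports. Thresholds are illustrative assumptions."""
    flagged = {}
    for client, s in profile_clients(rows).items():
        ratio = s["high"] / s["conns"]
        if (s["conns"] > max_conns and len(s["peers"]) > max_peers
                and ratio >= high_port_ratio):
            flagged[client] = {"conns": s["conns"], "peers": len(s["peers"]),
                               "high_port_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    for client, info in flag_fanout(sample_connections()).items():
        print(client, info)
```

A client hosting an online game produces a similar spread of ports and destinations, as jo2jo's post points out, so a hit is a prompt for review or rate limiting rather than proof of P2P.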
