evcass
just joined
Topic Author
Posts: 6
Joined: Thu Oct 26, 2017 6:17 pm

Blocking P2P traffic & scheduling access

Thu Oct 26, 2017 6:38 pm

Hello,

We deploy Routerboards to remote offices to provide guest wireless access. We are regularly receiving notices from ISPs that wireless users are downloading movies from a honeypot. The team who deploys and manages the configuration has had problems getting the unit to drop the traffic so I'm hoping this community can point us in the right direction. We risk having the service terminated if we can't mitigate this activity.

The device is a Routerboard 951Ui-2HnD, version 6.40.4, firmware ar9344, current firmware 3.22. I'm not sure what all they've tried in the past, but looking in the config of a specific router where the problem exists, I see an L7 rule with this regexp:

^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]

Also, is there a way to schedule availability of the services. For example, only allow wireless connections between certain hours of certain days.

Thank you.
 
evcass
just joined
Topic Author
Posts: 6
Joined: Thu Oct 26, 2017 6:17 pm

Re: Blocking P2P traffic & scheduling access

Thu Oct 26, 2017 7:28 pm

Additional feedback on what was previously attempted:

* I have set up the Layer7 protocol to identify BitTorrent (see filter in first post)
https://www.dropbox.com/s/29wkan0t1fd7o ... 1.jpg?dl=0
* It is successful in identifying and logging these attempts in the firewall setting that I added leveraging the layer7 protocol setting for BitTorrent.
https://www.dropbox.com/s/9txse9h6jorm6 ... 2.jpg?dl=0
* It is successfully logging these attempts.
https://www.dropbox.com/s/18kgozvopermk ... 3.jpg?dl=0
* The drop firewall rule shows the identical bytes and packets as the logging rule, but based on the emails it is not successful in truly blocking the traffic.
https://www.dropbox.com/s/ti42k5ab9aqbn ... 4.jpg?dl=0
 
evcass
just joined
Topic Author
Posts: 6
Joined: Thu Oct 26, 2017 6:17 pm

Re: Blocking P2P traffic & scheduling access

Thu Oct 26, 2017 10:00 pm

ShadeOfSpirit pointed me to this PDF: https://mum.mikrotik.com/presentations/ ... 314218.pdf

I'm not sure I did everything correctly because I don't understand what appears to be Russian. I was a little disappointed the commands in the PDF were images so I couldn't highlight the text to reduce typos. I ended up with the following, with my internal clients using 192.168.88.0/24. There were more entries in the p2p-seeds list in the PDF, but later it seemed to indicate additional entries are dynamically added to the p2p-list? As a result I don't think I have the p2p-seeds list set up correctly?
/ip firewall address-list
add address=address1 list=p2p-seeds

/ip firewall layer7-protocol
add name=l7-filter regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=Scrape regexp="get /scrape\\\?info_hash="
add name=Announce regexp="^get /announce\\\?info_hash="
add name=Bitcomet regexp="^get /client/bitcomet/"
add name=FID regexp="^GET /data\\\?fid="
add name=DHT regexp="^d1:.d2:id20:"
add name=Azver regexp="^azver\01\$"
add name=RP regexp="\08'7P\\) [RP]"
add name=BitTorrent regexp="\13bittorrent protocol"
add name=ut_pex regexp=".*:md11:.*:ut_pex.*:"
add name="\B5TP_FIN" regexp="^\11\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_STATE" regexp="^!\11\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_RESET" regexp="^1\11\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_SYN" regexp="^A\11\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name=bittorrent_Teredo regexp="^`.*\13bittorrent protocol"
add name=DHT_Teredo regexp="^`.*d1:[a|r]d2:id20:.*y1:[q|r]e"
add name=ut_pex_Teredo regexp="^`.*:md11:.*:ut_pex.*"
add name="\B5TP_SYN_Teredo" regexp="^`.*A\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_STATE_Teredo" regexp="^`.*!\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_RESET_Teredo" regexp="^`.*1\00.{2}.{4}.{4}.{4}.{2}.{2}"
add name="\B5TP_FIN_Teredo" regexp="^`.*\11\00.{2}.{4}.{4}.{4}.{2}.{2}"

/ip firewall mangle
add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=none-dynamic chain=forward dst-address=192.168.88.0/24 layer7-protocol=l7-filter src-address-list=!p2p-seeds
add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=none-dynamic chain=forward dst-address-list=!p2p-seeds layer7-protocol=l7-filter src-address=192.168.88.0/24
add action=mark-connection chain=forward new-connection-mark=p2p-cmark passthrough=yes src-address-list=p2p-seeds
add action=mark-connection chain=forward dst-address-list=p2p-seeds new-connection-mark=p2p-cmark passthrough=yes
add action=mark-packet chain=forward connection-mark=p2p-cmark new-packet-mark=p2p-mark passthrough=no

 
Jotne
Forum Guru
Posts: 1310
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Blocking P2P traffic & scheduling access

Thu Oct 26, 2017 11:12 pm

If you go to uTorrent Options -> Preferences -> BitTorrent -> Protocol Encryption and set Outgoing to Enabled, you can forget all about blocking torrents.
All data will be invisible to any filter you try to set up.
 
 
 
evcass
just joined
Topic Author
Posts: 6
Joined: Thu Oct 26, 2017 6:17 pm

Re: Blocking P2P traffic & scheduling access

Thu Oct 26, 2017 11:36 pm

Sigh, I just finished translating that document :) Any other ideas on how to discourage its use through our technology? Shape the P2P traffic to a very slow rate? We'd be chasing our tail when blocking the MAC address if they know how to spoof it.
 
Shadeofspirit
Member Candidate
Posts: 204
Joined: Fri May 27, 2016 12:15 am
Location: Minsk

Re: Blocking P2P traffic & scheduling access

Fri Oct 27, 2017 10:54 am

Be careful with the config from this presentation: it works very well (no matter what torrent client, encrypted or not), but it has one big minus: if you have a device with not enough memory (RAM) you will run out of it rather fast (at the end of the presentation there is some information about uptime and used memory). As a variant, add hosts to the list for a certain period of time.
MTCNA, MTCWE
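To see what the config in evcass's third post actually does, and why Jotne's and Shadeofspirit's points matter, here is a constructed Python model (not code from the thread or the MUM presentation). It applies the first post's Layer-7 regexp, verbatim, to sample payloads, and replays the mangle rules that grow the p2p-seeds list and mark connections, with an optional timeout in place of none-dynamic. It assumes RouterOS L7 matching is case-insensitive; the sample payloads are made up for the demo.

```python
import ipaddress
import re

# Constructed example, not from the thread or the MUM presentation: it applies the first
# post's Layer-7 regexp to sample payloads and replays the mangle rules from evcass's config.
# Assumption: RouterOS L7 matching is case-insensitive, hence re.IGNORECASE.
LAN = ipaddress.ip_network("192.168.88.0/24")
L7_FILTER = re.compile(  # verbatim from the first post: note there is no '|' before 'get /announce'
    rb"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash="
    rb"|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]", re.IGNORECASE)
ANNOUNCE = re.compile(rb"^get /announce\?info_hash=", re.IGNORECASE)  # the separate 'Announce' rule

def l7_match(payload: bytes, rule=L7_FILTER) -> bool:
    """True if the (first) payload of a connection would hit the given L7 rule."""
    return rule.search(payload) is not None

class SeedTracker:
    """Replays rules 1-4 of the mangle section: learn peers into p2p-seeds, then mark any
    connection touching a seed. timeout=None is address-list-timeout=none-dynamic;
    a number of seconds models Shadeofspirit's 'add hosts for a certain period of time'."""
    def __init__(self, timeout=None):
        self.timeout = timeout
        self.seeds = {}  # address -> expiry (None = permanent)

    def _live(self, addr, now):
        if addr not in self.seeds:
            return False
        expiry = self.seeds[addr]
        if expiry is not None and expiry <= now:
            del self.seeds[addr]  # dynamic entry timed out, as the router would drop it
            return False
        return True

    def _add(self, addr, now):
        self.seeds[addr] = None if self.timeout is None else now + self.timeout

    def forward(self, src, dst, payload, now=0):
        """Process one forwarded packet; return 'p2p-cmark' if the connection gets marked."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if l7_match(payload):
            if d in LAN and not self._live(src, now):  # rule 1: add-src-to-address-list
                self._add(src, now)
            if s in LAN and not self._live(dst, now):  # rule 2: add-dst-to-address-list
                self._add(dst, now)
        # rules 3 and 4: mark-connection when either end is on p2p-seeds, L7 hit or not
        return "p2p-cmark" if self._live(src, now) or self._live(dst, now) else None
```

Two things fall out of running it: a plain tracker announce never hits the combined l7-filter rule because of the missing `|`, only the separate Announce rule catches it, and a random-looking (encrypted) stream matches nothing at all, so the list only grows from the peers that still speak the protocol in clear.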
 
alaskanjackal
newbie
Posts: 25
Joined: Tue Sep 29, 2015 1:29 pm

Re: Blocking P2P traffic & scheduling access

Tue Apr 24, 2018 2:27 am

Be careful with the config from this presentation: it works very well (no matter what torrent client, encrypted or not), but it has one big minus: if you have a device with not enough memory (RAM) you will run out of it rather fast (at the end of the presentation there is some information about uptime and used memory). As a variant, add hosts to the list for a certain period of time.

Some observations on a home connection with a hAP AC:

- Config shared above by evcass doesn't seem to have any effect, even after adding a couple of Drop rules that match the packet and connection marks and the src and dst address lists, just in case. Torrents still flowed freely (though the counters in those firewall rules did increment up a bit).
- I do get addresses added to the address list, though. After two sample torrents, I had about 400 addresses in the address list.
- After these test torrents, I ended up with ~97 MB free of 128 MB, so at least light, single-user torrenting doesn't seem to fill RAM up super fast (I was worried a single torrent might kill my router).
- Turning on L7 filtering dropped my downstream throughput to about 200 Mbps with ~65% CPU usage (vs. ~500 Mbps with ~25% CPU usage without it). Be aware that filtering doesn't come without a performance cost.

I know they've worked really hard at making torrents hard to block, but when guests abuse my connection and my service is at risk of being cut off (or I'm at risk for legal action), it's quite frustrating...
