fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: how block connection of p2p?

Tue Apr 26, 2011 12:49 am

Then your best option still remains to whitelist legitimate traffic and drop everything else. Blacklisting doesn't scale, as discussed in this thread. Particularly if you could face punishment for missing something that you should have blacklisted, or couldn't blacklist something because doing so was technologically unfeasible.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Apr 26, 2011 7:30 am

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.
There are legal problems here in Germany for prof. services "tolerating" violation of copyrights.
Or, in other words, the WISP could be held responsible for a user of the hotspot, for example, who downloads copyrighted material, in case the access to this copyrighted material is not secured as much as possible.

Blocking P2P is one method to make violation of copyrights more difficult.
Hi reinerotto,

Have you tried my approach? If so is it not working?

/Frank
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
reinerotto
Member
Posts: 431
Joined: Thu Dec 04, 2008 2:35 am

Re: how block connection of p2p?

Tue May 10, 2011 1:16 pm

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.
There are legal problems here in Germany for prof. services "tolerating" violation of copyrights.
Or, in other words, the WISP could be held responsible for a user of the hotspot, for example, who downloads copyrighted material, in case the access to this copyrighted material is not secured as much as possible.

Blocking P2P is one method to make violation of copyrights more difficult.
Hi reinerotto,

Have you tried my approach? If so is it not working?

/Frank
Not yet implemented. But definitely I will try.
I am still looking at other solutions to block illegitimate traffic as far as possible. Whitelisting seems to be too restrictive for me, a solution of "last resort". The point is, it is a balance I have to strike between facing legal risks and giving an honest user as much freedom as possible.
For instance, it will definitely not be possible to block downloads of single copyrighted songs, for example.
 
otgooneo
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: how block connection of p2p?

Wed May 25, 2011 11:17 am

P2P matcher (ROS5.2) doesn't work for uTorrent. For some torrents it works fine. Does anybody know why it doesn't work?
----------------------------
Want to learn more and more...
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Wed May 25, 2011 12:02 pm

Do you only use the built-in p2p matcher? And if so, do you use encrypted p2p in the torrent client?
If so it cannot catch it. You will have to try to follow the posts in this thread :)
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
mktwifi
Frequent Visitor
Posts: 68
Joined: Wed Oct 15, 2008 9:45 am

Re: how block connection of p2p?

Tue Jun 07, 2011 7:11 pm

Dear Guys!
I have just tried to configure MikroTik transparent traffic shaping to limit P2P traffic, but without success.
I have used TKITFrank's configuration to mark P2P traffic, then I created a queue tree to limit bandwidth, but P2P traffic goes through the router without any limit.
Could you check my configuration and tell me where the errors are?

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=1M name=download_blacklist_leaf packet-mark=\
blacklist_download_packet parent=download_root priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=128k name=upload_blacklist_leaf packet-mark=\
blacklist_upload_packet parent=upload_root priority=8
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
add kind=pcq name=pcq_down_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
add kind=pcq name=pcq_up_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p parent=global-out priority=8 \
queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p parent=global-in priority=8 \
queue=pcq_up_p2p
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether3 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=router.bitcomet.net ttl=1d
add address=127.0.0.1 disabled=no name=router.bittorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)utorrent\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)vuze\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.org" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.net" ttl=1d
/ip firewall address-list
add address=193.238.77.80 disabled=no list=P2P_LIMIT
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-packet chain=prerouting comment=LIMIT_P2P_DROP disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT new-packet-mark=p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT new-packet-mark=p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE new-packet-mark=p2p passthrough=no src-address-list=\
P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=p2p \
passthrough=no


Thanks in advance

Best regards
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Tue Jun 07, 2011 8:12 pm

Dear Guys!
I have just tried to configure MikroTik transparent traffic shaping to limit P2P traffic, but without success.
I have used TKITFrank's configuration to mark P2P traffic, then I created a queue tree to limit bandwidth, but P2P traffic goes through the router without any limit.
Could you check my configuration and tell me where the errors are?
EDIT: These queues will not restrict BitTorrent Traffic, but will still throttle any traffic picked up by the P2P filter. See my post below for a better explanation.
First, when dealing with queue trees, you always need a "root" bound to global-in/global-out/interface/whatever, then you bind your leaf to the root. If you don't, the QoS never applies correctly.

Secondly, where you go from here depends on if this router is performing the NAT or not. If you are NOT performing NAT on this router, it is very simple:
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max upload> name=upload_root parent=<upstream interface (ether1?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max down> name=download_root parent=<downstream interface (etherX?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p parent=download_root priority=8 queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p parent=upload_root priority=8 queue=pcq_up_p2p
The reason this works is you are marking all p2p packets with "p2p" and using the parent interface to separate upload from download traffic.

If you are using NAT, then the rules get kind of ugly. Interface queues occur after the NAT, therefore they can't see addresses behind the NAT. This means everything gets marked as a single source IP on the upload and PCQ fails to work. The way around this is to apply the QoS to global-out. Since global-out sees both upload and download traffic, you need to mark packets as either upload or download p2p traffic.

For that, consider something like:
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max upload> name=upload_root parent=<upstream interface (ether1?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max down> name=download_root parent=<downstream interface (etherX?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p_download parent=download_root priority=8 queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p_upload parent=upload_root priority=8 queue=pcq_up_p2p

/ip firewall mangle
add action=mark-packet chain=prerouting comment=LIMIT_P2P_DROP disabled=no \
new-packet-mark=p2p_upload p2p=all-p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT new-packet-mark=p2p_download p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT new-packet-mark=p2p_upload passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT new-packet-mark=p2p_download passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE new-packet-mark=p2p_upload passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=p2p_download passthrough=no
Also, a bit of consideration for speed, I would add the following as the first rule in mangle:
add action=accept chain=prerouting disabled=no passthrough=no src-address-list=!P2P_LIMIT dst-address-list=!P2P_LIMIT
This way you let all traffic not on your P2P_LIMIT list bypass the CPU-heavy L7 filters.

I hope this is enough to get you started. I posted a config I used here: http://forum.mikrotik.com/viewtopic.php ... &start=120
Otherwise, Janis's MUM talk was really helpful in finally figuring out QoS for me. The video is here: http://www.tiktube.com/index.php?video= ... xClIoEKDH=

Best of luck
--@CC_DKP
Last edited by CCDKP on Thu Jun 09, 2011 9:35 pm, edited 1 time in total.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Thu Jun 09, 2011 10:53 am

Hi,

Just a note... don't use the DNS entries if you just want to traffic shape. They will ONLY block.

Dear Guys!
I have just tried to configure MikroTik transparent traffic shaping to limit P2P traffic, but without success.
I have used TKITFrank's configuration to mark P2P traffic, then I created a queue tree to limit bandwidth, but P2P traffic goes through the router without any limit.
Could you check my configuration and tell me where the errors are?

MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Thu Jun 09, 2011 9:32 pm

Dear Guys!
I have just tried to configure MikroTik transparent traffic shaping to limit P2P traffic, but without success.
I have used TKITFrank's configuration to mark P2P traffic, then I created a queue tree to limit bandwidth, but P2P traffic goes through the router without any limit.
Could you check my configuration and tell me where the errors are?
Just a note... don't use the DNS entries if you just want to traffic shape. They will ONLY block.
After reading TKITFrank's note, I realized I made a big blunder. I got a little wrapped up in fixing the queues and didn't think about the end goal of the project. The QoS example I helped with above will not shape BitTorrent traffic.
It will work fine for anything flagged by the p2p filter normally, but not for normal BitTorrent traffic.

The reason is simple. The BitTorrent data connections, through which the major volume of traffic is transferred, are encrypted, randomized, and specifically designed to avoid traffic shaping filters. The L7 filters we are working with are designed to flag the announce packets and peer exchanges, which are used to help peers establish the data connections with each other.

A good analogy for BitTorrent would be two teenagers meeting up to covertly talk about something (and about as equally hard to fully stop). When they want to talk, they call each other on their cellphones, agree to meet at someplace like the mall, then they get together and talk. It is very simple to "block" this system by controlling the egress points. Take away the cellphone (the announce packets we filter for), and block online chat/email (DNS filtering). This prevents them from agreeing where and when to meet up, thus stopping the conversation. Throttling is FAR more difficult. While you can limit cellphone minutes and email messages, it only takes one small message one time of getting through for them to successfully meet up. Once they have met up, they can have a full conversation and decide when and where to meet up again from there.

The only somewhat viable method for throttling P2P traffic is to use the L7 and DNS filters to detect the presence of P2P traffic, then throttle the whole connection down for some predetermined amount of time. This has the unfortunate side-effect of slowing down all of that user's "legitimate" traffic as well as P2P. I use this method as a deterrent on a few public hotspots (see my example post on page 3 of this thread). I block all p2p, BitTorrent announce, and BitTorrent DNS I can, but when I detect the traffic, I go the extra mile and throttle their connection down to unusable speeds for the next hour. That way if any p2p traffic makes it through undetected, it is still throttled, and more likely, the user will get fed up with the slow connection for browsing the web that they leave and go use someone else's network.

Sorry for the confusion on this. If nothing else, just applying an even PCQ to all users' traffic can make a connection a lot more usable, especially when a single user is pulling down a lot of data. I apply this to all routers I set up, regardless of any p2p blocking I may be doing.


--@CC_DKP
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Fri Jun 10, 2011 8:15 am

Hi,

I think the only thing to do at the moment in MikroTik is to mark all OK traffic and place it in queues, and then have a "rest of what's left" queue for p2p and, well, the rest ;)
This approach has been mentioned before in this thread if I am not mistaken. But that is a bit off topic since the thread is about blocking. Perhaps there should be two threads, one for blocking like this one and a new one for traffic shaping? Both are vital for us users :)

@Normis, is this something you can sort out and arrange? At the same time there is a thread in Routerboard Hardware that is about the same thing; perhaps that one should be moved as well?

P.S. Anyhow, I think this thread has some good ideas both for blocking and traffic shaping from many people, so perhaps sticky? D.S.
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Fri Jun 17, 2011 6:35 am

So after checking into some user complaints, I discovered Yahoo.com has a very high false positive rate on the bittorrent_announce filter. Any site with both the words "get" and "announce" in the source will trigger it. Has anyone found a good way to refine this filter for more bittorrent-specific detection?

Edit:
So after doing a bit of research and learning more about the protocol, I discovered a typo in the existing Bittorrent L7 filter. As TKITFrank has listed, (and as the Manual's L7 Wiki page shows):
/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
If you break this out, it is actually a combination of several filters:
\x13bittorrent protocol
azver\x01$
get /scrape\?info_hash=get /announce\?info_hash=
get /client/bitcomet/
GET /data\?fid=
d1:ad2:id20:
\x08'7P\)[RP]
After looking at the source code for the ipp2p project, I realized the 3rd line should be two separate filters, "get /scrape\\\?info_hash=" and "get /announce\\\?info_hash=", the second of which is the target of TKITFrank's Bittorrent_announce filter. After correcting the filter, I noticed a LOT higher detection rate.

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:
/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
Would anyone else mind giving this a try and seeing if it helps their detection rate?

--@CC_DKP
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
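As an added illustration (not code from the thread or from RouterOS), the following Python script runs the three Layer7 patterns discussed in this post, the merged scrape/announce pattern, the corrected one and the broad `^get.+announce.` matcher, over constructed connection buffers. It shows both points made above: the merged alternative never matches a real announce or scrape request, and the broad announce matcher fires on ordinary web browsing whose page source merely contains the word "announce". It assumes, as with l7-filter, that matching is case-insensitive over the leading bytes of both directions of a connection.

```python
import re

# Layer7 patterns as RouterOS sees them once the CLI has unescaped the quoted
# strings from the thread: "\\x13" -> \x13, "\\\?" -> \?, "\$" -> $, "\\)" -> \).
# bittorrent_broken is the pattern quoted above, with the scrape and announce
# alternatives run together into one string that no real request can match.
BITTORRENT_BROKEN = (
    rb"^(\x13bittorrent protocol|azver\x01$"
    rb"|get /scrape\?info_hash=get /announce\?info_hash="
    rb"|get /client/bitcomet/|GET /data\?fid=)"
    rb"|d1:ad2:id20:|\x08'7P\)[RP]"
)
# The corrected pattern from the post: scrape and announce as two alternatives.
BITTORRENT_FIXED = (
    rb"^(\x13bittorrent protocol|azver\x01$"
    rb"|get /scrape\?info_hash=|get /announce\?info_hash="
    rb"|get /client/bitcomet/|GET /data\?fid=)"
    rb"|d1:ad2:id20:|\x08'7P\)[RP]"
)
# The broad announce matcher whose false positives the post complains about.
BITTORRENT_ANNOUNCE = rb"^get.+announce."

# Assumption: as in l7-filter, matching is case-insensitive and runs over the
# first bytes of a connection in both directions as one buffer, so DOTALL lets
# '.' span the line breaks between request and response.
FLAGS = re.IGNORECASE | re.DOTALL
PATTERNS = {
    "bittorrent_broken": re.compile(BITTORRENT_BROKEN, FLAGS),
    "bittorrent_fixed": re.compile(BITTORRENT_FIXED, FLAGS),
    "bittorrent_announce": re.compile(BITTORRENT_ANNOUNCE, FLAGS),
}

# Constructed connection buffers (not captured traffic); info_hash and peer_id
# values are placeholders.
SAMPLES = {
    "handshake": b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20 + b"-UT2210-" + b"\x01" * 12,
    "tracker_announce": (
        b"GET /announce?info_hash=%12%34%56&peer_id=-UT2210-placeholder&port=6881"
        b" HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
    ),
    "tracker_scrape": b"GET /scrape?info_hash=%12%34%56 HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "dht_ping": b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    # Plain web browsing whose response body merely contains the word "announce".
    "web_page": (
        b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<h2>Product announcements</h2>"
    ),
}


def classify(buffer: bytes) -> dict:
    """Return {pattern_name: matched} for one connection's leading bytes."""
    return {name: rx.search(buffer) is not None for name, rx in PATTERNS.items()}


def detection_table() -> dict:
    """Run every sample buffer through every pattern."""
    return {sample: classify(buf) for sample, buf in SAMPLES.items()}


if __name__ == "__main__":
    table = detection_table()
    names = list(PATTERNS)
    print(f"{'sample':18}" + "".join(f"{n:>20}" for n in names))
    for sample, hits in table.items():
        print(f"{sample:18}" + "".join(f"{str(hits[n]):>20}" for n in names))
```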
 
mves
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Wed Jul 06, 2011 11:38 pm

Hi guys... I'm back :)
CCDKP, I replaced that rule and so far it has possibly brought some change. At least there are fewer false positive hits and I've seen far fewer hits on ports 6881-6999, so I guess you are on the right track, but I only tested it for a short period of time. However, it looks like a correct change. I'm also keeping the BITTORRENT_ANNOUNCE part for comparison.
add comment="" name=BITTORRENT_SCRAPE regexp=^get.+scrape.
I've also added this rule some time ago because no one considered tracker scraping.
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Wed Jul 06, 2011 11:52 pm

Hi guys... I'm back :)
CCDKP, I replaced that rule and so far it has possibly brought some change. At least there are fewer false positive hits and I've seen far fewer hits on ports 6881-6999, so I guess you are on the right track, but I only tested it for a short period of time. However, it looks like a correct change. I'm also keeping the BITTORRENT_ANNOUNCE part for comparison.
add comment="" name=BITTORRENT_SCRAPE regexp=^get.+scrape.
I've also added this rule some time ago because no one considered tracker scraping.
You shouldn't need a separate scrape rule anymore, either. If you look at the original rule that was screwed up:
get /scrape\?info_hash=get /announce\?info_hash=
Both the Scrape and Announce filters were merged into a single rule, rendering both useless. By using the updated rule I provided, both Scrape and Announce will be flagged as originally intended.
get /scrape\?info_hash=
get /announce\?info_hash=
--@CC_DKP
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
mves
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Thu Jul 07, 2011 12:05 am

Yes... thanks for that one :)

And for the queue tree P2P catch I used this, because I could not manage to get it to work otherwise... So, it's working for me... don't ask how and why :D
I've stripped everything but P2P. If you guys find some other less stupid way THAT WORKS to capture this, please let me know.
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "_____________P2P - Upload_______________" disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=tcp src-address=xx.xx.xx.xx \
    src-port=10000-65535
add action=mark-packet chain=prerouting disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=udp src-address=xx.xx.xx.xx \
    src-port=10000-65535
add action=mark-packet chain=prerouting disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=tcp src-address=xx.xx.xx.xx \
    src-port=1000-5000
add action=mark-packet chain=prerouting comment="Other - Upload" disabled=no \
    new-packet-mark=Other passthrough=yes src-address=xx.xx.xx.xx


add action=mark-connection chain=prerouting comment=\
    "_____________P2P - Download_____________" disabled=no new-connection-mark=\
    P2P p2p=all-p2p passthrough=no src-address=xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no layer7-protocol=\
    BITTORRENT new-connection-mark=P2P passthrough=no src-address=xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx src-port=10000-65535
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=udp src-address=\
    xx.xx.xx.xx src-port=10000-65535
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx src-port=1000-5000
add action=mark-connection chain=prerouting disabled=no dst-port=6881-6999 \
    new-connection-mark=P2P passthrough=no protocol=udp src-address=\
    xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no dst-port=6881-6999 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx
add action=mark-packet chain=prerouting connection-mark=P2P disabled=no \
    new-packet-mark=P2P passthrough=no
add action=mark-connection chain=prerouting comment=\
    "____________Other - Download____________" disabled=no \
    new-connection-mark=Other passthrough=no src-address=xx.xx.xx.xx
add action=mark-packet chain=prerouting connection-mark=Other disabled=no \
    new-packet-mark=Other passthrough=no
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Thu Jul 07, 2011 12:35 am

Yes... thanks for that one :)

And for the queue tree P2P catch I used this, because I could not manage to get it to work otherwise... So, it's working for me... don't ask how and why :D
I've stripped everything but P2P. If you guys find some other less stupid way THAT WORKS to capture this, please let me know.
A couple things to note:
First, you need to be careful about your use of "Passthrough".
Passthrough means that once the rule is applied, continue down the chain.

As it stands now, anything that matches rule 1 would have the "p2p" mark added, then would continue down the chain, trip rule 4, have the packet mark changed to "other", then continue down through all the Download rules. Conversely, anything that trips one of your connection mark rules would have the connection marked, then skip the rest of the rules (including the actual marking of the packet). The general rule of thumb is:
action=mark-connection passthrough=yes
action=mark-packet passthrough=no

Secondly, you want to be doing the L7 bittorrent filter on both upload and download traffic, since the majority of the times it flags, it is the client making a Get request of the server (upload traffic).

On that note, remember the bittorrent L7 filter primarily detects the tracker information, which is a very small HTTP query. It cannot track the actual P2P data exchange if it is using encryption.

Finally, what are you using for a queue type, and are you performing NAT on this router? If you are using PCQ and are performing NAT, you have to mark upload and download packets separately, then use Global-out as the root, so that PCQ occurs prior to SNAT.

With all that high-number port marking, how does it handle traffic like skype? I would be very leery to run something like this, as I would be frightened at the number of false positives.


--@CC_DKP
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
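The passthrough point above is easy to get wrong, so here is a small chain evaluator (an added example, not code from the post or from RouterOS) that walks two constructed packets through the posted rule shape twice: once with passthrough=no on every rule, as posted, and once with the rule of thumb applied (mark-connection passthrough=yes, mark-packet passthrough=no). The rule matchers, packet fields and connection ids are simplifications of the mangle chain, and conntrack is reduced to a dictionary of connection marks.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    conn_id: int                        # stands in for the conntrack entry
    packet_mark: Optional[str] = None

@dataclass
class Rule:
    action: str                         # "mark-connection" or "mark-packet"
    new_mark: str
    passthrough: bool
    match: Callable[[Packet, Optional[str]], bool]   # (packet, current connection mark)

def run_chain(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Walk each packet through the chain the way mangle does: a matching rule
    applies its action, and with passthrough=no the chain stops at that rule."""
    conn_marks = {}                     # conntrack: connection id -> connection mark
    out = []
    for pkt in packets:
        for rule in rules:
            if not rule.match(pkt, conn_marks.get(pkt.conn_id)):
                continue
            if rule.action == "mark-connection":
                conn_marks[pkt.conn_id] = rule.new_mark
            elif rule.action == "mark-packet":
                pkt.packet_mark = rule.new_mark
            if not rule.passthrough:
                break
        out.append((pkt.conn_id, conn_marks.get(pkt.conn_id), pkt.packet_mark))
    return out

def build_chain(conn_passthrough: bool) -> List[Rule]:
    """The posted chain reduced to its shape: two P2P connection marks, the P2P
    packet mark, the catch-all 'Other' connection mark, the 'Other' packet mark.
    conn_passthrough is the passthrough value used on the mark-connection rules."""
    return [
        Rule("mark-connection", "P2P", conn_passthrough,
             lambda p, cm: p.proto == "tcp" and 10000 <= p.dport <= 65535 and 1000 <= p.sport <= 5000),
        Rule("mark-connection", "P2P", conn_passthrough,
             lambda p, cm: p.proto in ("tcp", "udp") and 6881 <= p.dport <= 6999),
        Rule("mark-packet", "P2P", False, lambda p, cm: cm == "P2P"),
        Rule("mark-connection", "Other", conn_passthrough, lambda p, cm: True),
        Rule("mark-packet", "Other", False, lambda p, cm: cm == "Other"),
    ]

def sample_packets() -> List[Packet]:
    # constructed traffic: one torrent-looking flow and one plain web flow
    return [Packet("tcp", 2000, 30000, conn_id=1), Packet("tcp", 50000, 80, conn_id=2)]

def compare() -> dict:
    return {
        "as_posted": run_chain(build_chain(conn_passthrough=False), sample_packets()),
        "rule_of_thumb": run_chain(build_chain(conn_passthrough=True), sample_packets()),
    }

if __name__ == "__main__":
    for name, rows in compare().items():
        print(name)
        for conn_id, cmark, pmark in rows:
            print(f"  conn {conn_id}: connection-mark={cmark} packet-mark={pmark}")
```

With passthrough=no on the mark-connection rules, both packets leave the chain with a connection mark but no packet mark at all, which is why a queue tree keyed on packet marks sees nothing; with the rule of thumb each packet ends up carrying the mark of its connection.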
 
mves
Frequent Visitor
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Thu Jul 07, 2011 1:19 am

Oh... I've stripped everything else and left entries only for the P2P catcher... I thought it could be useful for someone. I'm using PCQ on the queue tree and I'm using that only on myself, so it's working fine on my home computers. I'm connected to the link through a Ubiquiti AirGrid M5-HP in router mode with a directly assigned public IP. Basically, I have bandwidth separately reserved only for http, P2P, local file server and unlimited for winbox, ssh, snmp... Skype works fine however :lol:
Like I said... it works for me and my home network. I never said it's a good or right solution but it works for my needs. If you put http, game ports or whatever else you need before these rules, you probably won't have any problems because everything else that is not stuff you are using will end up on P2P and the Other filter. Previously, in my rule set for p2p blocking, I've also implemented port blocking of these same ports (not related to this). In this case however, I did not block p2p for myself but simply put a cap on the allowed bandwidth to my home network. If you put 1 kb down/up on those ports on the queue tree, you could probably make a mess of your network because this was not planned for killing p2p but only for easing the available bandwidth. I had planned this for implementing on a 5GHz network for QoS but I never managed to get it to work as it should. However, it suited my home network perfectly.

Edit...
And for false positives, yes, you are right, matching ports like that can easily lead to false positives if applied on a global plan. You could log P2P users' IPs from the firewall filter and place them in a src address list on those ports in mangle so that only detected users go through this. In this case you'll cut the false positives down to regular detection. If it helps, great. Next, it's up to you whether you'll find any working usage of this for implementing p2p blocking or working QoS.
 
phuc061290
just joined
Posts: 3
Joined: Tue Sep 27, 2011 11:40 am

Re: how block connection of p2p?

Wed Oct 05, 2011 10:17 pm

great post. thanks.
Last edited by phuc061290 on Sat Nov 12, 2011 10:00 am, edited 11 times in total.
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Tue Oct 11, 2011 9:03 pm

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.
add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp
This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Edit: Corrected typo, Thanks mves
Last edited by CCDKP on Tue Oct 11, 2011 10:16 pm, edited 2 times in total.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
mves
Frequent Visitor
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Tue Oct 11, 2011 10:04 pm

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.
add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=tcp
This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Did you make a typo? It should be protocol=udp, right?
 
mves
Frequent Visitor
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Wed Oct 12, 2011 2:17 pm

Yes, it looks very promising. The router on my link is upgraded to 5.7 so testing has started on myself and an unadjusted torrent client. Perhaps allow skype through L7 before dropping udp.
/ip firewall layer7-protocol
add name=Skype regexp="^..\\x02............."
/ip firewall filter
add action=accept chain=forward disabled=no layer7-protocol=Skype

add action=accept chain=forward disabled=no dst-port=53 protocol=udp

add action=drop chain=forward connection-limit=16,32 disabled=no protocol=udp
Also, adding the udp line with connection limit is possible only through the terminal, not over winbox, since connection limit gets greyed out. So, is this some kind of bug?
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Wed Oct 12, 2011 8:36 pm

Yes, it looks very promising. The router on my link is upgraded to 5.7 so testing has started on myself and an unadjusted torrent client. Perhaps allow skype through L7 before dropping udp.
...
Also, adding the udp line with connection limit is possible only through the terminal, not over winbox, since connection limit gets greyed out. So, is this some kind of bug?
I just set the UDP to something reasonable. I haven't seen skype hold open more than 8-9 simultaneous udp streams on a group call. I don't like relying on L7 filters for whitelisting, because if skype changes the signature then everything starts getting blocked. I prefer to "fail open" and let p2p traffic through, since I will see a spike in bandwidth and know to go fix it.

And yes, it does appear to be a bug in winbox.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
engineertote
Member Candidate
Member Candidate
Posts: 177
Joined: Tue May 19, 2009 1:36 pm

Re: how block connection of p2p?

Tue Oct 18, 2011 10:20 pm

I'm fighting with this bit torrent for the past week but this bad torrent is winning :(

I have followed all ways to limit it with no success, I just tried
add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp
and did a small test with bit torrent and it's getting much more than the limit :(
In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.
add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp
This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Edit: Corrected typo, Thanks mves
Ahmed
MTCNA , MTCTCE , MTCRE , MTCINE
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Tue Oct 18, 2011 11:09 pm

and did a small test with bit torrent and it's getting much more than the limit :(
Bittorrent can use both TCP and UDP connections. Connection limiting on TCP is a bit touchier since so many things rely on it. The point of restricting the number of UDP connections isn't to completely kill Bittorrent, nothing can. The point of it is to move more connections over into TCP where they can be managed a little easier.

UDP poses a problem because it doesn't respond well to upstream Quality of Service. TCP uses window sizing to dynamically throttle connections, while UDP just keeps sending more packets. By limiting the UDP streams, more connections are forced over into TCP, where Quality of Service can work its magic and limit the data better.

If you go into the connection tracking on your router, you will see it is correctly limiting the number of UDP connections, there are just a lot more TCP connections to go along with it.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
mves
Frequent Visitor
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Wed Oct 26, 2011 6:04 pm

@engineertote
Try my approach. So far, it's still working with a quite good blocking ratio. No mangle rules and no DNS filtering. Downside is, you'll have to allow online game ports.
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
/ip firewall filter
add action=accept chain=forward comment=Skype disabled=no dst-port=12350 \
    protocol=tcp
add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (UDP)" disabled=no dst-port=\
    27000-27050,28960 protocol=udp
add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (TCP)" disabled=no dst-port=\
    27000-27050,28960 protocol=tcp
add action=accept chain=forward comment=\
    "Online Igre - Battlefield : Bad Company 2" disabled=no dst-port=\
    11050-11070,18181-18186,19567-19587 protocol=udp
add action=accept chain=forward comment=\
    "Online Igre - Battlefield : Bad Company 2" disabled=no dst-port=\
    13505,18390,18395 protocol=tcp

add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=__________All-p2p__________ disabled=no \
    in-interface=XXXXXXXXXX p2p=all-p2p src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no in-interface=XXXXXXXXXX p2p=\
    all-p2p reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=" ______Bittorrent_____" disabled=no \
    in-interface=XXXXXXXXXX layer7-protocol=BITTORRENT src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no in-interface=XXXXXXXXXX \
    layer7-protocol=BITTORRENT reject-with=icmp-network-unreachable \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent 6881" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
    disabled=no dst-port=6881-6999 in-interface=XXXXXXXXXX protocol=udp \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=6881-6999 in-interface=\
    cortanovci protocol=udp reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent 6881" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
    disabled=no dst-port=6881-6999 in-interface=XXXXXXXXXX protocol=tcp \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=6881-6999 in-interface=\
    cortanovci protocol=tcp reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="House cleaning" disabled=no \
    dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
    src-address-list=Torrent src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=udp \
    reject-with=icmp-network-unreachable src-address-list=Torrent src-port=\
    10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list=Torrent src-port=\
    1000-5000 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=udp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=1000-5000 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
xx.xx.xx.xx-xx.xx.xx.xx
IP range for filtering on interface (customer ONLY, without gateway, example, 192.168.200.10-192.168.200.240)

in-interface=XXXXXXXXXX
name of your target interface

The above system is for blocking bittorrent protocols with allowed running time from midnight to 9:00 (AM). Make note that it's port based blocking so you'll have to add ports for online games that are used on your network and are affected by port blocking. You can get false readings on ports 6881-6999 but that's a small percentage. It blocks up to 90-95% of bittorrent traffic. It's also a version without DNS filtering. You can add DNS filtering but then it can't be used for the filters below.


To get them under control (not blocking, just reducing the number of connections), use the logging parts of the filters above to get P2P users' IPs, turn off the blocking parts, and redirect the logged addresses to the filters below.
/ip firewall filter
add action=accept chain=forward disabled=yes dst-port=53 protocol=udp
add action=drop chain=forward connection-limit=16,32 disabled=yes dst-port=10000-65500 protocol=tcp src-address-list=Torrent
add action=drop chain=forward connection-limit=16,32 disabled=yes protocol=udp src-address-list=Torrent
add action=drop chain=forward connection-limit=16,32 disabled=yes dst-port=10000-65500 protocol=tcp src-address-list="Torrent 6881"
add action=drop chain=forward connection-limit=16,32 disabled=yes protocol=udp src-address-list="Torrent 6881"

Of course, you have to edit all to match your system. Hope that it'll help.
 
di9383
just joined
Posts: 23
Joined: Thu Oct 15, 2009 11:29 am

Re: how block connection of p2p?

Fri Dec 09, 2011 4:53 pm

TKITFrank, did you try your rules with the last version of the utorrent client (3.0 and above)? Asking about it because your rules, posted earlier in this topic, seemed to work for me. But now, with the last version of utorrent, they don't. Neither with ssl encryption turned on nor off.
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Fri Dec 09, 2011 5:53 pm

Hi,

No I did not, Will see if I can get a test during next week at work.
Have a nice weekend!
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
di9383
just joined
Posts: 23
Joined: Thu Oct 15, 2009 11:29 am

Re: how block connection of p2p?

Sun Dec 11, 2011 1:14 pm

TKITFrank, as I can see, DHT really doesn't work with your DNS filter rules, but peer exchange (through the tracker I suppose) is working fine, receiving peers and downloading torrent files :( Maybe you have an advice for me..
PS If it matters, I use Utorrent 3 (last release) with the russian torrent tracker rutracker.org. I can send you a link to a torrent file for testing, if you want (because the tracker seems to be in russian only, and it will be hard for you to use it for testing, I suppose).
 
otgooneo
Trainer
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: how block connection of p2p?

Wed Dec 14, 2011 5:37 am

Hi everyone.
I use the following on my office router RB433UAH. We have about 170 hosts and 70 of them are IP phones. Also some users use SIP client software on their workstation. It detects torrent trackers on both the local network and the external network. Then it drops all high-port and peer-to-peer connections related to these hosts. I use logging for this drop rule and sometimes I see some SIP RTP connections dropped by this rule. But there is no voice interruption and this issue can only be on office staff who try to use torrents. At last, it works pretty well for me. I tested it using many kinds of torrent clients.
[otgonkhuu@MOBINET] /ip firewall mangle export
#RouterOS P2P matcher and L7-filters can`t block torrent client, which supports encryption. 
#But it can catch even 1 connection. So source addresses of those connections are the TORRENTUSERS.
#The advantage is it can list my office torrent trackers also it can list peers of external network.
#TorrentExc is my address list of allowed torrent trackers. It is exclusion list.
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add Bit torrent announcer to TorrentUsers" disabled=no layer7-protocol=\
    BITTORRENT_ANNOUNCE src-address-list=!TorrentExc
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add Bit torrenter to TorrentUsers" disabled=no layer7-protocol=BITTORENT \
    src-address-list=!TorrentExc
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add all torrenter to TorrentUsers" disabled=no p2p=all-p2p \
    src-address-list=!TorrentExc
#This is the all connections, which are might be torrent traffics.
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65000 \
    new-connection-mark=Torr passthrough=yes protocol=tcp \
    src-port=10000-65000
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65000 \
    new-connection-mark=Torr passthrough=yes protocol=udp \
    src-port=10000-65000
add action=mark-connection chain=prerouting comment=P2P disabled=no \
    new-connection-mark=Torr p2p=all-p2p passthrough=yes src-address-list=\
    !TorrentExc

[otgonkhuu@MOBINET] > ip firewall filter export
#Filter rule drops all high port peer to peer connections sourced from address list "TorrentUsers"
add action=drop chain=forward comment="Block P2P-Manual" connection-mark=Torr \
    disabled=no dst-address-list=!TorrentExc src-address-list=TorrentUsers
My L7 is same as others. Like posted on http://l7-filter.sourceforge.net/
----------------------------
Want to learn more and more...
 
mves
Frequent Visitor
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Wed Dec 14, 2011 1:42 pm

@otgooneo
L7 is a bit outdated, thanks to the CCDKP's observation. All P2P L7 rules are now fitted into single one.
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
Also, if you are using port blocking, why bother with mangle rules?
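To see what that single BITTORRENT pattern actually catches and what it cannot, here is an added example (not code from the post or from RouterOS) that applies the regex above, with the export escaping undone, to the first bytes of a few constructed connections: a plaintext peer handshake, an HTTP tracker announce, a DHT ping query, an ordinary web request, and a stand-in for an MSE-encrypted peer stream. The byte samples, the 2 KB inspection window and the case-insensitive flag are assumptions made for the example; the pattern string itself is the one posted.

```python
import re

# The BITTORRENT layer7 pattern from the post, with RouterOS export escaping
# undone ("\\x13" -> \x13, "\$" -> $, "\\\?" -> \?). Compiled on bytes because
# the handshake and DHT branches contain non-text octets.
BITTORRENT_L7 = re.compile(
    rb"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=|"
    rb"get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)"
    rb"|d1:ad2:id20:|\x08'7P\)[RP]",
    re.IGNORECASE,            # layer7 matching is case-insensitive (assumed here)
)

# l7-filter style matchers only inspect the start of a connection, so the
# pattern is applied to a bounded prefix of the stream (size assumed).
L7_INSPECT_BYTES = 2048

def matches_bittorrent(stream: bytes) -> bool:
    return BITTORRENT_L7.search(stream[:L7_INSPECT_BYTES]) is not None

def sample_streams() -> dict:
    """Constructed first bytes of several connections (not captures)."""
    peer_id = b"-UT3100-" + b"\x01" * 12
    info_hash = b"\xc3\x55" * 10                         # constructed 20-byte hash
    return {
        # plaintext peer handshake: <pstrlen><pstr><reserved><info_hash><peer_id>
        "peer_handshake": b"\x13BitTorrent protocol" + b"\x00" * 8 + info_hash + peer_id,
        # HTTP tracker announce, the small GET the thread talks about
        "tracker_announce": (b"GET /announce?info_hash=%C3U%C3U&peer_id=-UT3100-&port=6881 HTTP/1.1\r\n"
                             b"Host: tracker.example\r\n\r\n"),
        # bencoded DHT ping query: the 'a' dict begins with the 20-byte 'id'
        "dht_ping": b"d1:ad2:id20:" + b"\xaa" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
        # ordinary web request that must not be flagged
        "plain_http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        # stand-in for an MSE/PE encrypted peer stream: no recognisable plaintext
        "encrypted_peer": bytes(range(96, 192)),
    }

def classify(streams: dict) -> dict:
    return {name: matches_bittorrent(data) for name, data in streams.items()}

if __name__ == "__main__":
    for name, hit in classify(sample_streams()).items():
        print(f"{name:18s} {'BITTORRENT' if hit else '-'}")
```

The handshake, the tracker announce and the DHT query are flagged; the plain web request is not, and neither is the encrypted stream, which is the gap the thread keeps returning to: once peers negotiate encryption there is no signature left for a layer7 matcher to find.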
 
otgooneo
Trainer
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: how block connection of p2p?

Thu Dec 15, 2011 9:20 am

Thank you mves for the updated L7. Yes, you're right. If blocking by ports, there is no need for a mangle rule. A few months ago I tried to block P2P using many examples in this forum. So I just forgot to move the rule from mangle to a filter rule.
By the way, today I tested my torrent blocker again; unfortunately my rules are already outdated. uTorrent can work under these rules; it starts working 10 minutes after the torrent client is started. :-( It uses ports lower than TCP, UDP 10000. I can't block ports lower than 10000. It is bad for other network applications. So I need to work on this again.
----------------------------
Want to learn more and more...
 
mves
Frequent Visitor
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Thu Dec 15, 2011 12:40 pm

Try my set of rules. It's pure firewall port blocking without any other setting needed. The downside is, you have to add an allowed set of ports for certain applications. Add my set of rules disabled and turn them on one by one. Use torch to find out what ports are used by the applications they are using and add exceptions in the firewall before the P2P blocking part. It's just like the game ports I had to add as exceptions. But once you set it right, you'll cut P2P to an acceptable level and hopefully other applications won't be affected.
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Wed Jan 11, 2012 6:39 pm

I posted this in another thread, but figured it would be useful here for anyone searching, since this seems to be the default thread to send people to:

With the current state of encrypted bittorrent, there is no tracking it specifically. The traffic is explicitly designed to avoid being filtered and throttled.

Here are some hard facts on shaping p2p traffic:
  • Older p2p like kazaa and eDonkey respond well to the p2p l7 filter
  • The L7 bittorrent filter in the wiki and forums only flags Tracker activity
  • Even if the tracker is blocked, DHT/UTP allows bittorrent peers to exchange host info
  • The L7 filter does not flag DHT/UTP, use DNS to block if needed.
  • The L7 filter does not flag bittorrent peer transfers (the actual bulk data)
  • Bittorrent peer transfers are usually encrypted and designed to not be tracked
  • Even when encrypted well, bittorrent still "leaks" detectable packets periodically
  • Peer transfers are primarily UDP connections, but will fail over to TCP
  • UDP transfers do not respond to standard QoS (UDP lacks flow-control, it is left up to the application)
From this, the best non-blocking approach I have come up with for handling p2p traffic is as follows:
Whitelist - Detect what you can (http/https, DNS, SSH, skype, games, whatever seems important) and increase its priority.

Flag p2p users - Look for the presence of p2p/bittorrent traffic from a user and add them to a dynamic address list for a preset amount of time (5-20 minutes). You will not be able to catch all the traffic, but by identifying the "leaks", you know the traffic is coming from the user somewhere. Every time a packet flags, it should renew the address list timer.

Take secondary measures - As long as a user stays flagged, impose additional limits on them. Some examples:
  • Add a heavy non-DNS UDP connection limit - This forces udp bittorrent traffic over to TCP, where traditional QoS and packet shaping can regulate it properly (since TCP flow-control is handled by the TCP/IP stack, not the application). This may have adverse effects on video games and skype quality, but after the user closes down the p2p applications, their address list entry will time out and they will go back to normal. UDP conn limit was added in 5.7 for console, and 5.8 for WinBox.
  • Limit non-whitelist traffic - Add a reduced bandwidth cap for non-whitelisted traffic. Not always the best plan for ISP's, but useful for hotspots.
  • Reduce non-whitelist priority - Reduce the priority of all non-whitelisted traffic while the user is flagged.
  • Flag the user's traffic - If these rules are implemented on CPE / tower equipment, add DSCP marks to non-whitelisted traffic to let your core know it has a high potential of being p2p traffic (and to reduce its priority if needed)
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
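The flag-then-clamp approach above is a small state machine, and it helps to see the timer renewal and the UDP limit interact on a timeline. The following is an added example (not code from the post or from RouterOS) that models one user: a layer7 or p2p "leak" adds the source to a timed list, every further leak renews the timer, and while the user is listed a non-DNS UDP connection limit of 16 applies on top of whatever streams conntrack already holds. The address, timestamps, the 10-minute timeout and the treatment of conntrack as a plain set of (destination, port) pairs are assumptions for the example; the 16-stream limit and the DNS exemption are the ones discussed earlier in the thread.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

FLAG_TTL = 10 * 60       # address-list-timeout in seconds (the post suggests 5-20 minutes)
UDP_LIMIT = 16           # connection-limit=16,32 from earlier in the thread: 16 streams per /32
DNS_PORT = 53

class P2PFlagger:
    """Model of 'flag p2p users, then apply secondary measures'. Only the
    non-DNS UDP connection limit is modelled; caps and priority changes are not."""

    def __init__(self, ttl: int = FLAG_TTL, udp_limit: int = UDP_LIMIT):
        self.ttl = ttl
        self.udp_limit = udp_limit
        self.flagged: Dict[str, int] = {}                                  # src ip -> expiry time
        self.udp_streams: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)  # conntrack stand-in

    def _expire(self, now: int) -> None:
        for ip, expiry in list(self.flagged.items()):
            if expiry <= now:
                del self.flagged[ip]

    def is_flagged(self, ip: str, now: int) -> bool:
        self._expire(now)
        return ip in self.flagged

    def on_p2p_leak(self, ip: str, now: int) -> None:
        """add-src-to-address-list with a timeout: every hit renews the timer."""
        self.flagged[ip] = now + self.ttl

    def on_udp_stream(self, ip: str, dst: str, dport: int, now: int) -> str:
        """First packet of a UDP stream from ip. Returns 'accept' or 'drop' the way
        the connection-limit drop rule would decide: packets of existing streams are
        never re-evaluated, DNS is exempt, and unflagged users are not limited."""
        key = (dst, dport)
        streams = self.udp_streams[ip]
        if key in streams:
            return "accept"
        non_dns = sum(1 for _, port in streams if port != DNS_PORT)
        if dport != DNS_PORT and self.is_flagged(ip, now) and non_dns >= self.udp_limit:
            return "drop"                      # a dropped packet creates no conntrack entry
        streams.add(key)
        return "accept"

def run_scenario() -> dict:
    """One user over time (constructed events)."""
    f = P2PFlagger()
    out = {}
    now = 0
    # five UDP streams before any p2p is seen: tracked, nothing dropped
    out["before_flag"] = [f.on_udp_stream("10.0.0.5", f"198.51.100.{i}", 6881, now) for i in range(5)]
    now = 60
    f.on_p2p_leak("10.0.0.5", now)                       # first leak: user goes on the list
    out["flagged_after_leak"] = f.is_flagged("10.0.0.5", now)
    # eleven more streams bring the non-DNS count to 16: all still accepted
    out["up_to_limit"] = [f.on_udp_stream("10.0.0.5", f"203.0.113.{i}", 6881, now) for i in range(11)]
    # the 17th non-DNS stream hits the limit, a DNS query does not
    out["over_limit"] = f.on_udp_stream("10.0.0.5", "203.0.113.99", 6881, now)
    out["dns_while_flagged"] = f.on_udp_stream("10.0.0.5", "192.0.2.53", 53, now)
    # a second leak just before expiry renews the timer
    now = 60 + FLAG_TTL - 1
    f.on_p2p_leak("10.0.0.5", now)
    out["still_flagged_after_renewal"] = f.is_flagged("10.0.0.5", 60 + FLAG_TTL + 30)
    # once the renewed timer runs out the user is back to normal
    now = 60 + FLAG_TTL - 1 + FLAG_TTL
    out["expired"] = f.is_flagged("10.0.0.5", now)
    out["after_expiry"] = f.on_udp_stream("10.0.0.5", "203.0.113.100", 6881, now)
    return out

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:30s} {value}")
```

Two things the timeline makes visible: the streams opened before the flag still count against the limit the moment the user is listed (conntrack does not forget them), and a single renewed hit keeps the clamp in place well past the first expiry, which is why the timeout should be short enough that a user who stops is released promptly.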
 
tyronzn
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Thu May 24, 2007 4:55 pm
Location: Durban,South Africa

Re: how block connection of p2p?

Thu Jan 12, 2012 5:33 pm

@otgooneo
L7 is a bit outdated, thanks to the CCDKP's observation. All P2P L7 rules are now fitted into single one.
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"


I've found that method also blocks users' HTTP traffic and various other applications so it's not 100% reliable; as stated previously, policy based routing is currently the best way of doing it
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Thu Jan 12, 2012 5:51 pm

I've found that method also blocks users' HTTP traffic and various other applications so it's not 100% reliable; as stated previously, policy based routing is currently the best way of doing it
Could you get me an example of websites this blocks or captures of traffic it is flagging on? After fixing it, I have had an EXTREMELY low false-positive rate. Again, this is only for flagging tracker and peer exchange traffic, not data transfer. If there is a case for false positives, I would really like to be on top of it and see if we can tune the rules down better to clear it up.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
tyronzn
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Thu May 24, 2007 4:55 pm
Location: Durban,South Africa

Re: how block connection of p2p?

Thu Jan 12, 2012 5:56 pm

I've found that method also blocks users' HTTP traffic and various other applications so it's not 100% reliable; as stated previously, policy based routing is currently the best way of doing it
Could you get me an example of websites this blocks or captures of traffic it is flagging on? After fixing it, I have had an EXTREMELY low false-positive rate. Again, this is only for flagging tracker and peer exchange traffic, not data transfer. If there is a case for false positives, I would really like to be on top of it and see if we can tune the rules down better to clear it up.
no problemo amigo,i will build up a list tonight and post in the morning
 
tyronzn
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Thu May 24, 2007 4:55 pm
Location: Durban,South Africa

Re: how block connection of p2p?

Fri Jan 13, 2012 7:18 am

Ok so I have been running that filter rule overnight and this time I haven't had issues with sites being blocked, but it doesn't dent p2p, it still runs at full speed
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Fri Jan 13, 2012 4:45 pm

Ok so I have been running that filter rule overnight and this time I haven't had issues with sites being blocked, but it doesn't dent p2p, it still runs at full speed
It's good to hear you aren't seeing any false positives. If something comes up, please let me know.

With Bittorrent, explicitly, if it gets any sort of foothold, it will quickly steamroll to full capacity. That L7 rule just stops standard tracker exchanges. DHT/UTP peer exchanges are another way to exchange hosts without access to the tracker. Blocking these requires filtering DNS, as mentioned elsewhere in this thread. If you don't do both, you will have almost no impact on the torrent's ability to send data.

Another emerging issue is encrypted UDP trackers, which up to this point, nobody has found a way to identify and block. If you read about 5 posts up I talk about a method for flagging the presence of torrent traffic, then using that to clamp down secondary measures on all of the user's data. This seems like the best general purpose route for an ISP, as it doesn't explicitly block torrent traffic, it just punishes the user and helps to make the traffic more manageable. In the case of a public hotspot that you want to block torrents for liability reasons, I have a few posts across page 2 & 3 talking about flagging a user for p2p and dropping them to horrible dial-up speeds to get them to go elsewhere.

Blocking p2p traffic entirely is a bit like trying to carry water with a colander. Unless you have every last hole plugged, all the water will get out.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
tyronzn
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Thu May 24, 2007 4:55 pm
Location: Durban,South Africa

Re: how block connection of p2p?

Fri Jan 13, 2012 7:34 pm

Yeah, a while ago I added a bunch of DNS addresses of the common trackers which just point to a loopback IP; sometimes I have luck with that and other times not, it's hit or miss sometimes with p2p. Quite some time ago I created rules whereby if a user is downloading p2p at certain rates for a certain period of time it adds them to a p2p address list which I throttle quite badly, and after 5 or 10 minutes it removes them from the address list. This seemed to work quite well but since then I have upgraded bandwidth, so I don't have contention issues. Until such time I'll let the suckers have their full line speed.

As I stated above I still firmly believe in policy based routing: create one gateway which is the primary and a secondary gateway which you route important traffic through, such as mail and http etc., and let torrents fight each other through the primary gateway
 
n21roadie
Forum Guru
Forum Guru
Posts: 1886
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: how block connection of p2p?

Fri Jan 13, 2012 8:34 pm

Yeah, a while ago I added a bunch of DNS addresses of the common trackers which just point to a loopback IP; sometimes I have luck with that and other times not, it's hit or miss sometimes with p2p. Quite some time ago I created rules whereby if a user is downloading p2p at certain rates for a certain period of time it adds them to a p2p address list which I throttle quite badly, and after 5 or 10 minutes it removes them from the address list. This seemed to work quite well but since then I have upgraded bandwidth, so I don't have contention issues. Until such time I'll let the suckers have their full line speed.

As I stated above I still firmly believe in policy based routing: create one gateway which is the primary and a secondary gateway which you route important traffic through, such as mail and http etc., and let torrents fight each other through the primary gateway
Does the throttle affect all connections or just the p2p connections?
N21roadie,
Network 100% MT for Now?
 
Benygh
just joined
Posts: 10
Joined: Thu Feb 03, 2011 6:33 am

Re: how block connection of p2p?

Sat Jan 14, 2012 12:17 am

Hi,
I use this and it works well, it drops all the p2p connections and so far we didn't get any abuse reports from DC.
# For every tracked connection that the built-in p2p matcher classified,
# take the source IP and tear down the PPP session bound to it.
:local temp;
:local temp2;
:local temp3;
:foreach i in=[/ip firewall connection find p2p!="none"] do={
    # src-address is "ip:port"; cut at the first ":" to keep the IP only
    :set temp3 [/ip firewall connection get $i src-address];
    :set temp2 [:find $temp3 ":" -1];
    :set temp3 [:pick $temp3 0 $temp2];
    # remove every active PPP session using that address
    :foreach j in=[/ppp active find address=$temp3] do={
        /ppp active remove $j;
    }
}
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Fri Jan 20, 2012 2:25 pm

TKITFrank, did you try your rules with the latest version of the uTorrent client (3.0 and above)? Asking about it because your rules, posted earlier in this topic, seemed to work for me. But now, with the latest version of uTorrent, they don't. Neither with SSL encryption turned on nor off.
Hi,
This week I have been doing the last handoff on the new RB1100AHx2 that will replace my old RB1000 as main firewall for our schools.
I did as you said and checked this, and I use uTorrent 3.1 and it still works. Do you use the DNS blocking? It is vital...

If you have a working torrent file that will bypass my filter please let me know so I can do a test.

edit...
Did find something interesting...
It seems Peer Exchange uses Multicast.
This is from wireshark...
BT-SEARCH * HTTP/1.1
Host: 239.192.0.0:6771
Port: 40133
Infohash: C355C153B20BECF719121DE149C8DDCF57B32870


Try to block clients from using "multicast peer communication". Unless you use multicast in your network for video and so on, it could be a good idea to block it.
Perhaps this will help.
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
di9383
just joined
Posts: 23
Joined: Thu Oct 15, 2009 11:29 am

Re: how block connection of p2p?

Sat Jan 21, 2012 11:36 am

Try to block clients from using "multicast peer communication". Unless you use multicast in your network for video and so on, it could be a good idea to block it.
Perhaps this will help.
Maybe you can tell me where to do it?

About DNS filtering... yes, I use it too. But it doesn't work for me.
Maybe you can advise what is wrong or missing in my config? Thanks in advance.
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Sat Jan 21, 2012 12:07 pm

Hi,

Not knowing how your network is built, I would guess you have to do it at the client switches or CPEs. Do you use multicast? If not, block it.
I can post my DNS entries on Monday when I am at work. But to me yours look fine. They should kill DHT.
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Sun Jan 22, 2012 12:09 am

You don't need the "bittorrent_announce" rule as it is covered by the "Bittorrent" rule. Anything the Announce rule is flagging is a false positive (yahoo.com's front page will get flagged).

Also, do you have rules to redirect all DNS traffic to the mikrotik? If you don't, a client can just use their own DNS server (google, opendns, etc) and bypass the filter.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
di9383
just joined
Posts: 23
Joined: Thu Oct 15, 2009 11:29 am

Re: how block connection of p2p?

Sun Jan 22, 2012 10:03 pm

You don't need the "bittorrent_announce" rule as it is covered by the "Bittorrent" rule. Anything the Announce rule is flagging is a false positive (yahoo.com's front page will get flagged).
You are right. OK, I disabled bittorrent_announce now (btw, can you explain in detail what this rule does, and why the Yahoo start page matches it?), but it seems like nothing has changed.
Also, do you have rules to redirect all DNS traffic to the mikrotik? If you don't, a client can just use their own DNS server (google, opendns, etc) and bypass the filter.
All clients in my network use the MikroTik DNS as their primary and only DNS server. They can not change it (they have no permissions). Also, I have a rule in MikroTik that denies all DNS traffic going through the router (so no other server can be used).
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Sun Jan 22, 2012 10:48 pm

Ok, I disabled bittorrent_announce now (btw, can you explain in detail, what does this rule do, and why does yahoo start page correspond to it?), but it seems like nothing is changed.
The two biggest flags for BitTorrent are the scrape and announce commands sent to the trackers. For a long while, the Bittorrent rule on the wiki that everyone used had a typo in it that disabled its ability to detect scrapes and announces. This led to someone (TKITFrank?) making the bittorrent_announce rule to capture them.

The problem comes from the bittorrent_announce rule being rather vague, and able to pick up false positives. The corrected part of the rule that grabs announces also looks for the info_hash parameter, which is a dead giveaway for bittorrent:
get /announce\?info_hash=
Compare this with the filter rule in bittorrent_announce:
add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
This rule basically looks for anything with the word "get" and "announce". On Yahoo's homepage, there is an object called "Announcebar" at top. When you load the page, at some point a request is generated for "get /announcebar/announcebar_1.0.22.css", which will trip the bittorrent_announce rule, but won't be troubled by the proper rule due to the lack of the info_hash parameter.

If you want to look more into the problem, I detailed the issue with the bittorrent filter here: http://forum.mikrotik.com/viewtopic.php ... 50#p268237
All clients in my network use the MikroTik DNS as their primary and only DNS server. They can not change it (they have no permissions). Also, I have a rule in MikroTik that denies all DNS traffic going through the router (so no other server can be used).
First, remember that DNS can use TCP in addition to UDP. Any response over 512 bytes requires TCP to be used. With DNSSEC, DNS over TCP is becoming more common.

Rather than just dropping the DNS traffic, you can just as easily redirect it to the internal DNS server:
/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp to-ports=53
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
di9383
just joined
Posts: 23
Joined: Thu Oct 15, 2009 11:29 am

Re: how block connection of p2p?

Mon Jan 23, 2012 11:02 am

Thanks for your help and explanations. After disabling the bittorrent_announce rule it started to block torrent traffic in some way :) I also corrected my DNS drop filter (I use dstnat instead); it seems to work as it should.
One more question. Should encrypted torrent connections be blocked too? Because mine aren't...

Update: Oops... it seems that with encryption enabled in my torrent client, the filters are still blocking the download. I misunderstood a little, because at first when I turned encryption on the torrent file began to download. And now I'm testing with different files: nothing.
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Jan 23, 2012 6:39 pm

Hi,

This is a draft; I will add more info later this week.

Did some testing today and found out that you can bypass my filter by starting the connection on one site and then resuming it behind my firewall. To block them you have to use a series of things. This is what I have found.
By marking UDP packets of size 62-500 and tagging them as P2P traffic, you can successfully identify the destination host that the client connects to, and block the start of the DHT and the encrypted transfer. In my case I marked the packets and added them to a connection-mark just like with the L7 filters.

Step 1;
Complement the current mangle rule set with a UDP rule that marks all packets with size 62-500 except dst port 53, and direct them to the P2P chain.

Step 2;
I also created a new L7 filter for the DHT. That I added to the other L7 filters. I hope I remember the regex correctly.
/ip firewall layer7-protocol
add name=BITTORRENT_DHT regexp="^d1\:.d2\:id20\:"

Step 3;
Finally I added a rule in the filter table that uses connection-mark p2p to add destination ip to list p2p-users-ext.
I did then use that list to block all connections in forward chain. I did two lists both src and dst based on those address-lists.


Note that this is only a draft of what I have done. I will add the correct syntax later this week. And I have not done any false positive tests yet. Will do them in 2 days when I try them on the main firewall.
So use with care!
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."
 
NetworkPro
Forum Guru
Forum Guru
Posts: 1369
Joined: Mon Jan 05, 2009 6:23 pm
Location: Worldwide

Re: how block connection of p2p?

Sat Jan 28, 2012 12:53 am

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:
/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
--@CC_DKP
Not Working. Can't catch announce.
wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Sat Jan 28, 2012 1:10 am

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:
/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
--@CC_DKP
Not Working. Can't catch announce.
Could you please provide a link to the torrent file & what tracker was used, or a packet capture of the announces not getting flagged so I can work on getting the filter updated? My understanding is there is a new wave of encrypted UDP and HTTPS encrypted trackers, which this rule will not be able to catch, but if this is the case I would still like to look at the traffic and see if we can find *something*.

Also, is the rule catching anything for you? If you are bench testing this, is DHT/UTP disabled? Clients can still exchange peers over DHT/UTP without announcing to the tracker.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
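To make the false-positive discussion in this thread concrete, the following Python harness (added here; it is not code from the thread, the MikroTik wiki or RouterOS) runs the rules posted above, the vague bittorrent_announce rule, the corrected info_hash form, TKITFrank's DHT rule and CC_DKP's consolidated rule, over constructed sample payloads. The RouterOS export escaping has been unwound into plain regex form, the payloads are made up for the test rather than captures, and the RouterOS L7 matcher's case-insensitivity is approximated with re.IGNORECASE.

```python
import re

# Regexes as posted in the thread, with RouterOS export escaping unwound
# ("\\\?" -> "\?", "\\x13" -> "\x13", "\$" -> "$").
RULES = {
    "bittorrent_announce": rb"^get.+announce.",            # the vague rule
    "announce_info_hash": rb"get /announce\?info_hash=",   # corrected form
    "bittorrent_dht": rb"^d1\:.d2\:id20\:",                # TKITFrank's DHT rule
    "bittorrent": (                                        # consolidated rule
        rb"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash="
        rb"|get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)"
        rb"|d1:ad2:id20:|\x08'7P\)[RP]"
    ),
}

# Constructed sample payloads (the first bytes of a flow); not real captures.
SAMPLES = {
    "yahoo_css": b"GET /announcebar/announcebar_1.0.22.css HTTP/1.1\r\n"
                 b"Host: example.invalid\r\n\r\n",
    "tracker_announce": b"GET /announce?info_hash=%C3U%C1S%B2%0B&peer_id=-UT3100-"
                        b" HTTP/1.1\r\nHost: tracker.invalid\r\n\r\n",
    "bt_handshake": b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20,
    "dht_ping": b"d1:ad2:id20:" + b"\xbb" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def classify(payload: bytes) -> dict:
    """Return {rule_name: matched} for one payload.

    IGNORECASE mirrors the case-insensitive L7 matcher; DOTALL lets '.'
    cross CR/LF bytes as a POSIX regex without REG_NEWLINE would.
    """
    return {name: re.search(rx, payload, re.IGNORECASE | re.DOTALL) is not None
            for name, rx in RULES.items()}


def false_positives(rule: str) -> list:
    """Names of the benign (non-torrent) samples that a rule wrongly flags."""
    benign = ("yahoo_css", "plain_http")
    return [s for s in benign if classify(SAMPLES[s])[rule]]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        hits = [r for r, m in classify(payload).items() if m]
        print(f"{name:17s} -> {hits or ['no match']}")
    print("bittorrent_announce false positives:", false_positives("bittorrent_announce"))
```

Running it shows the Yahoo "announcebar" CSS request tripping only the vague rule, while the consolidated rule flags the handshake, the plaintext tracker announce and the DHT ping and leaves both benign requests alone; as CC_DKP notes, none of these rules can see encrypted UDP or HTTPS tracker traffic.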