* [LARTC] Detecting p2p traffic
@ 2006-05-07 23:43 Andrew Beverley
From: Andrew Beverley @ 2006-05-07 23:43 UTC (permalink / raw)
  To: lartc

After varying degrees of success with p2p detection modules, I would like to
write the following rules using iptables to reliably identify p2p traffic:

1. If a host on the network has 5 or more simultaneous tcp connections to ports
above 1024, mark all connections to ports 1024 and above as 60.

2. If a host has received (or sent) UDP packets from 5 different hosts' ports
above 1024 in a minute then classify all UDP traffic to and from that host
above port 1024 as 60.

Number 1 can almost be achieved using something similar to:
iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK --set-mark 60

Unfortunately though it still leaves 5 connections slurping up plenty of
bandwidth.

I have no ideas for number 2.

Anybody any ideas?

On my network all p2p traffic falls into these categories, and I don't mind
overmatching with other traffic.

Thanks,

Andy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Detecting p2p traffic
From: Jason Boxman @ 2006-05-08 19:22 UTC (permalink / raw)
  To: lartc

On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
> After varying degrees of success with p2p detection modules, I would like
> to write the following rules using iptables to reliably identify p2p
> traffic:
>
<snip>
> On my network all p2p traffic falls into these categories, and I don't mind
> overmatching with other traffic.

If you can, you could look into compiling and using ipp2p against your kernel.  
I find it works extremely well with my p2p traffic from edonkey protocol(s).  
You may have success with L7-Filter, too.  You can probably use both at the 
same time, but I've never tried as ipp2p works for me.

-- 

Jason Boxman
http://edseek.com/ - Linux and FOSS stuff


* Re: [LARTC] Detecting p2p traffic
From: Andrew Beverley @ 2006-05-22  6:26 UTC (permalink / raw)
  To: lartc

Jason Boxman wrote:
> On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
>> After varying degrees of success with p2p detection modules, I would like
>> to write the following rules using iptables to reliably identify p2p
>> traffic:
>>
> <snip>
>> On my network all p2p traffic falls into these categories, and I don't mind
>> overmatching with other traffic.
> 
> If you can, you could look into compiling and using ipp2p against your kernel.  
> I find it works extremely well with my p2p traffic from edonkey protocol(s).  
> You may have success with L7-Filter, too.  You can probably use both at the 
> same time, but I've never tried as ipp2p works for me.

Thanks - I tried both ipp2p and l7-filter. I found that on the whole 
they worked well, but on the network of 50 clients there was always a 
couple that it didn't detect. I also wanted to put something in place 
that didn't need upgrading - if and when I move on someone will have to 
keep updating ipp2p and l7-filter on the server.

Andy



* Re: [LARTC] Detecting p2p traffic
From: Andrew Beverley @ 2006-05-22  6:39 UTC (permalink / raw)
  To: lartc

Ryan Castellucci wrote:
> On 5/7/06, Andrew Beverley <andy@andybev.com> wrote:
>> After varying degrees of success with p2p detection modules, I
>> would like to write the following rules using iptables to reliably
>> identify p2p traffic:
>> 
>> 1. If a host on the network has 5 or more simultaneous tcp
>> connections to ports above 1024, mark all connections to ports 1024
>> and above as 60.
>> 
>> 2. If a host has received (or sent) UDP packets from 5 different 
>> hosts' ports above 1024 in a minute then classify all UDP traffic
>> to and from that host above port 1024 as 60.
>> 
>> Number 1 can almost be achieved using something similar to: 
>> iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK
>>  --set-mark 60
>> 
>> Unfortunately though it still leaves 5 connections slurping up
>> plenty of bandwidth.
>> 
>> I have no ideas for number 2.
>> 
>> Anybody any ideas?
> 
> Take a look at the 'recent' and 'set' stuff.  You can use it to
> create groups of 'naughty' users and match against those groups.
> Recent is probably better in this case.

I achieved most of this with 'set'. I create an iptree ipset list that 
times out after 60 seconds. If the above are detected then the user's IP 
address is added to the ipset, and any subsequent traffic from the user 
destined to or from ports above 1024 is marked at a lower priority.

The one thing I haven't managed yet is detecting many different UDP 
ports within a set time period. Instead I match on UDP packets 
longer than 1000 bytes, which seems to work on the whole, but I'd like to 
get it to detect on different port numbers as that is less likely to 
overmatch.

Andy
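The two heuristics Andy set out in the first message (rule 1: 5 or more simultaneous TCP connections to ports 1024 and above; rule 2: UDP packets to or from 5 different remote host:port pairs above 1024 within a minute), combined with the 60-second timed-out ipset he describes here, written out as a small sliding-window detector in Python. This is an added example and not code from the thread or from ipp2p, l7-filter or ipset; the class and method names are hypothetical, the flow records it consumes are constructed, and it stands in for what the iptables `connlimit`/`recent`/`set` modules would do in the kernel (rule 2, the one Andy had not managed, is the distinct-peer count in `udp_event`).

```python
from collections import defaultdict, deque

WINDOW = 60.0     # seconds; mirrors the 60 s ipset timeout described in the thread
TCP_LIMIT = 5     # rule 1: 5 or more simultaneous TCP connections to high ports
UDP_LIMIT = 5     # rule 2: 5 distinct remote host:port pairs on high ports in a minute
HIGH_PORT = 1024  # "--dport 1024:" in the thread, i.e. port 1024 and above

class P2PHeuristic:
    def __init__(self):
        self.tcp_open = defaultdict(set)    # lan_ip -> {(remote_ip, remote_port)}
        self.udp_seen = defaultdict(deque)  # lan_ip -> deque of (ts, (rip, rport))
        self.flagged = {}                   # lan_ip -> expiry timestamp

    def _flag(self, lan_ip, ts):
        # Re-flagging refreshes the timer, as re-adding an entry to a timeout ipset does
        self.flagged[lan_ip] = ts + WINDOW

    def is_flagged(self, lan_ip, ts):
        expiry = self.flagged.get(lan_ip)
        if expiry is None:
            return False
        if ts >= expiry:
            del self.flagged[lan_ip]        # entry timed out, host is unmarked again
            return False
        return True

    def tcp_event(self, ts, lan_ip, rip, rport, opened):
        # Rule 1: a TCP connection to a high port was opened (True) or closed (False)
        if rport < HIGH_PORT:
            return
        conns = self.tcp_open[lan_ip]
        if opened:
            conns.add((rip, rport))
        else:
            conns.discard((rip, rport))
        if len(conns) >= TCP_LIMIT:
            self._flag(lan_ip, ts)

    def udp_event(self, ts, lan_ip, rip, rport):
        # Rule 2: UDP packet to/from a high port; count distinct peers seen in the window
        if rport < HIGH_PORT:
            return
        window = self.udp_seen[lan_ip]
        window.append((ts, (rip, rport)))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()                # drop packets older than one minute
        if len({peer for _, peer in window}) >= UDP_LIMIT:
            self._flag(lan_ip, ts)

    def mark(self, ts, lan_ip, port):
        # fwmark for a packet: 60 on a high port of a flagged host, else 0 (unmarked)
        return 60 if port >= HIGH_PORT and self.is_flagged(lan_ip, ts) else 0
```

Because only the flag carries the timeout, a host whose five TCP connections stay open is unmarked again once the minute passes unless an event re-flags it, which is the same behaviour as an ipset entry that is only refreshed when a rule re-adds it.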


* Re: [LARTC] Detecting p2p traffic
From: Samuel Díaz García @ 2006-05-22  6:42 UTC (permalink / raw)
  To: lartc

I'm using the 2 modules at the same time, and the problems I encounter are:
   1) l7-filter needs a patched kernel (you can't skip this), and for this
reason in my recent scripts I'm putting "module detection procedures"
in to allow me to disable this module when it does not exist.
   2) With a few manual changes to the .h files and the .c header include
sections, you can compile the kernel module and iptables extensions for
ipp2p; with these sources, you can upgrade your kernel and put a
detection script into the init scripts to detect, compile and install ipp2p
without problems.
   3) I use the p2p detection modules in this way:
       a) Marking p2p traffic in the mangle table.
       b) Limiting bandwidth with tc.
       c) Using the connlimit iptables extension in the filter table to drop tcp
"new p2p connections" when they reach a limit.

Perhaps this helps a bit.

Regards

-- 
Samuel Díaz García
ArcosCom Wireless, S.L.L.

CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz

http://www.arcoscom.com

mailto:samueldg@arcoscom.com
msn: samueldg@arcoscom.com

Tlfn.: 956 70 13 15
Fax:   956 70 34 83


On Mon, 22 May 2006, 8:26, Andrew Beverley wrote:
> Jason Boxman wrote:
>> On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
>>> After varying degrees of success with p2p detection modules, I would
>>> like
>>> to write the following rules using iptables to reliably identify p2p
>>> traffic:
>>>
>> <snip>
>>> On my network all p2p traffic falls into these categories, and I don't
>>> mind
>>> overmatching with other traffic.
>>
>> If you can, you could look into compiling and using ipp2p against your
>> kernel.
>> I find it works extremely well with my p2p traffic from edonkey
>> protocol(s).
>> You may have success with L7-Filter, too.  You can probably use both at
>> the
>> same time, but I've never tried as ipp2p works for me.
>
> Thanks - I tried both ipp2p and l7-filter. I found that on the whole
> they worked well, but on the network of 50 clients there was always a
> couple that it didn't detect. I also wanted to put something in place
> that didn't need upgrading - if and when I move on someone will have to
> keep updating ipp2p and l7-filter on the server.
>
> Andy
>
>



* Re: [LARTC] Detecting p2p traffic
From: Luciano Ruete @ 2006-05-22 14:25 UTC (permalink / raw)
  To: lartc

On Monday 22 May 2006 03:26, Andrew Beverley wrote:
> Jason Boxman wrote:
> > On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
> >> After varying degrees of success with p2p detection modules, I would
> >> like to write the following rules using iptables to reliably identify
> >> p2p traffic:
> >
> > <snip>
> >
> >> On my network all p2p traffic falls into these categories, and I don't
> >> mind overmatching with other traffic.
> >
> > If you can, you could look into compiling and using ipp2p against your
> > kernel. I find it works extremely well with my p2p traffic from edonkey
> > protocol(s). You may have success with L7-Filter, too.  You can probably
> > use both at the same time, but I've never tried as ipp2p works for me.
>
> Thanks - I tried both ipp2p and l7-filter. I found that on the whole
> they worked well, but on the network of 50 clients there was always a
> couple that it didn't detect. I also wanted to put something in place
> that didn't need upgrading - if and when I move on someone will have to
> keep updating ipp2p and l7-filter on the server.

There is an alternative method that I've used and that is infallible at detecting p2p. 
Find out what is *not* p2p traffic in your network and give it the appropriate 
bandwidth/priority. Then the rest will be p2p traffic. 

This is the same approach used to build firewall rules, which is to close all 
traffic and start opening ports/protocols till everything works ok. So at first maybe 
there will be some false positives, but with your clients' feedback and a 
little network analysis everything goes to the right place.

Some clues on what is not p2p:
- packets with size < 100 bytes
- tcp ports 80, 21, 22, 25, 110 and so on...
- all udp; some p2p protocols use it for control but AFAIK it is not used in data 
transfers, and if it is, you can still use a size rule, i.e. udp < 900 bytes
- other protocols such as icmp, igmp, esp...

-- 
Luciano
