Re: [LARTC] Intelligent P2P detection

From: Gordan Bobic <lartc@bobich.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Intelligent P2P detection
Date: Thu, 27 Mar 2003 16:04:30 +0000	[thread overview]
Message-ID: <marc-lartc-104878135119949@msgid-missing> (raw)
In-Reply-To: <marc-lartc-104857984213566@msgid-missing>

On Thursday 27 Mar 2003 15:32, Robert Krycza³o wrote:

> > Unfortunately, it gets progressively more difficult when P2P
> > clients learn to
> > masquerade as the real protocols, and there is at least one P2P
> > application
> > out there that can operate over SMTP, sending valid requests. :-(
>
> The everlasting battle between creators of swords and shields:) If p2p apps
> start to mimick as other protocols and use encription then content based
> classificators are of no use.

Yup. And this is happening right now...

> > That sounds like an interesting idea, provided you have some real
> > evidence of
> > this being the case. And this will only work until P2P network software
> > starts to randomly change packet sizes to obfuscate itself. :-(
>
> I was told that applications doing it exists. I haven't checked it, though.

I haven't heard of an application that does it, but I have always felt 
reasonably sure that it has either already happened or is about to be 
implemented...

> > But, I guess we have to work with what we have now, and not worry
> > about the
> > future advancements before they happen. :-)
>
> Hehe... yes doing something instead of just talking is a good idea:)

Well, for a little while, anyway, until the new version of the client comes 
out...

> > I hope you will all forgive me for being... restrained (for want of
> > better word) in my expectations of the success of such network traffic
> > analysis. It
> > is a depressing subject to talk about. :-(
>
> I think this e-mail is a nice summary. I enjoyed reading it. I could say
> that I agree your opinions.

Thank you. :-)

> Maybe creating free alternatives to shaping software like those from
> www.dyband.com is a way. People using it are very happy actually. They
> adapt to network utilization, allow extensive logging, setting different
> parameters like max bandwidth, ramps, minimum acceptable rate. The main
> idea is to limit aggresive users and give maximum performance and quality
> (latency, jitter throughput etc.) to standard users. It looks very well on
> paper but I haven't tried dyband yet.... Maybe there is other software like
> this I am not aware of.

I haven't heard about any of them. I am a great believer in "home brewed" 
solutions. :-)

The problem you start getting there is that monitoring and shaping traffic on 
a 100 Mb pipe will take a huge amount of CPU power, and even that will only 
work if the traffic is not encrypted. The only way of attacking the problem I 
can think of is by actually attempting to connect to the client machine on 
the suspiciously used well known ports, and seeing if it works. If it doesn't 
work as expected, you know it's likely to be a P2P application.

I am not sure if you really want to do that, though, as it involves active 
port scanning rather than just monitoring, and some of your customers may 
complain...

Gordan
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/