From: Gordan Bobic
Date: Thu, 27 Mar 2003 16:04:30 +0000
Subject: Re: [LARTC] Intelligent P2P detection
To: lartc@vger.kernel.org

On Thursday 27 Mar 2003 15:32, Robert Kryczało wrote:

> > Unfortunately, it gets progressively more difficult when P2P clients
> > learn to masquerade as the real protocols, and there is at least one
> > P2P application out there that can operate over SMTP, sending valid
> > requests. :-(
>
> The everlasting battle between creators of swords and shields :) If p2p
> apps start to mimic other protocols and use encryption then content based
> classifiers are of no use.

Yup. And this is happening right now...

> > That sounds like an interesting idea, provided you have some real
> > evidence of this being the case. And this will only work until P2P
> > network software starts to randomly change packet sizes to obfuscate
> > itself. :-(
>
> I was told that applications doing it exist. I haven't checked it, though.

I haven't heard of an application that does it, but I have always felt
reasonably sure that it has either already happened or is about to be
implemented...

> > But, I guess we have to work with what we have now, and not worry
> > about the future advancements before they happen. :-)
>
> Hehe... yes doing something instead of just talking is a good idea :)

Well, for a little while, anyway, until the new version of the client comes
out...

> > I hope you will all forgive me for being... restrained (for want of
> > better word) in my expectations of the success of such network traffic
> > analysis. It is a depressing subject to talk about. :-(
>
> I think this e-mail is a nice summary. I enjoyed reading it. I could say
> that I agree with your opinions.

Thank you. :-)

> Maybe creating free alternatives to shaping software like those from
> www.dyband.com is a way. People using it are very happy actually. They
> adapt to network utilization, allow extensive logging, setting different
> parameters like max bandwidth, ramps, minimum acceptable rate. The main
> idea is to limit aggressive users and give maximum performance and quality
> (latency, jitter, throughput etc.) to standard users. It looks very good on
> paper but I haven't tried dyband yet.... Maybe there is other software like
> this I am not aware of.

I haven't heard about any of them. I am a great believer in "home brewed"
solutions. :-)

The problem you start getting there is that monitoring and shaping traffic on
a 100 Mb pipe will take a huge amount of CPU power, and even that will only
work if the traffic is not encrypted. The only way of attacking the problem I
can think of is by actually attempting to connect to the client machine on
the suspiciously used well known ports, and seeing if it works. If it doesn't
work as expected, you know it's likely to be a P2P application.

I am not sure if you really want to do that, though, as it involves active
port scanning rather than just monitoring, and some of your customers may
complain...

Gordan
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
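
The active check described in the last two paragraphs of the message, as an added example that is not part of the original e-mail: an operator connects to a customer host on a well-known port and tests whether the first reply matches the protocol that port is registered for. The `EXPECTED` table, the function names and the sample replies are assumptions made for this sketch.

```python
import re
import socket

# Well-known port -> (bytes to send first, or None when the server speaks
# first; pattern a genuine service's first reply must match).
# Illustrative table, not exhaustive.
EXPECTED = {
    21:  (None, re.compile(rb"^220[ -]")),          # FTP greeting
    22:  (None, re.compile(rb"^SSH-\d+\.\d+-")),    # SSH identification string
    25:  (None, re.compile(rb"^220[ -]")),          # SMTP greeting
    80:  (b"HEAD / HTTP/1.0\r\n\r\n", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    110: (None, re.compile(rb"^\+OK")),             # POP3 greeting
}


def classify(service_port, first_bytes):
    """'conforms' if first_bytes looks like the protocol registered for
    service_port, otherwise 'unexpected'."""
    _, pattern = EXPECTED[service_port]
    return "conforms" if pattern.match(first_bytes) else "unexpected"


def probe(host, port, service_port=None, timeout=3.0):
    """Connect to host:port and compare the first reply with the protocol
    normally found on service_port (defaults to port).
    Returns 'closed', 'conforms' or 'unexpected'."""
    service_port = port if service_port is None else service_port
    request, _ = EXPECTED[service_port]
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"          # nothing listening, or filtered
    with sock:
        try:
            if request:
                sock.sendall(request)
            data = sock.recv(256)
        except OSError:
            data = b""           # silence or a reset where a reply is due
    return classify(service_port, data)


if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    print(classify(25, b"220 mail.example.org ESMTP\r\n"))
    print(classify(25, b"\x00\x17\x02\xff"))
```

An `unexpected` verdict only says the listener did not answer like the registered service; as the message notes, this is active probing of customer machines, so it is run against hosts already flagged by passive monitoring.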