From: Gordan Bobic
Date: Thu, 27 Mar 2003 16:43:11 +0000
Subject: Re: [LARTC] Intelligent P2P detection
To: lartc@vger.kernel.org

On Thursday 27 Mar 2003 16:38, Robert Kryczało wrote:
> > The problem you start getting there is that monitoring and shaping
> > traffic on a 100 Mb pipe will take a huge amount of CPU power, and even
> > that will only work if the traffic is not encrypted. The only way of
> > attacking the problem I can think of is by actually attempting to
> > connect to the client machine on the suspiciously used well known
> > ports, and seeing if it works. If it doesn't work as expected, you know
> > it's likely to be a P2P application.
> >
> > I am not sure if you really want to do that, though, as it involves
> > active port scanning rather than just monitoring, and some of your
> > customers may complain...
>
> Well they will for sure in a scenario described by you. But I think you
> have misunderstood me. Dyband doesn't do any scanning or content analyzing.
> It works as a bridge modifying data rate based on IP addresses.

Yes, but in order to detect what the traffic is, as the client software starts
being more clever, you may have to do some pro-active scanning to see whether
the traffic is legit or not. And even then the client software may fake legit
server appearance. You would have to mimic the actual P2P connection
handshake to be sure. And on some of them you have a real problem, e.g.
FastTrack. They use an encrypted connection, and the software is closed-source,
so it's very difficult to get a handle on cracking the protocol.

> You can set up a complicated scheme of bandwidth sharing. You can even
> automatically limit some "aggressive users" based on their usage. It happens
> on the fly and is very "smooth" from the client's point of view. If a client
> doesn't use his bandwidth for a while the limit rises (recharges). It allows
> an ISP or enterprise to FULLY (I mean nearly 100%) utilize their uplink. You
> don't do provisioning :).
>
> Maybe it is the only reasonable solution....

It sounds like a useful thing to do, but ultimately, you have to detect the
traffic you want to throttle before you can throttle it. That is where the
biggest problem is.

Gordan
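
Added example, not part of the original message and not code from any product named in it: the "connect to the well-known port and see if it answers as expected" check from this thread, reduced to its classification step over probe replies that have already been collected. The port list, the reply patterns, the verdict names and the sample data are all assumptions made up for illustration; a matching reply is only "plausible", since the message notes that a client may fake a legitimate server's appearance.

```python
import re

# Expected opening bytes of a genuine server reply on each well-known port.
# The port list and patterns are assumptions chosen for this example.
EXPECTED = {
    21: re.compile(rb"^220[ -]"),                  # FTP greeting
    22: re.compile(rb"^SSH-\d+\.\d+-"),            # SSH identification string
    25: re.compile(rb"^220[ -]"),                  # SMTP greeting
    80: re.compile(rb"^HTTP/1\.[01] \d{3}[ \r]"),  # HTTP status line
}

def classify(port, reply):
    """Judge one probe result. reply is the bytes read back, or None when
    the connection was refused or timed out."""
    pattern = EXPECTED.get(port)
    if pattern is None:
        return "unknown-port"      # no expectation to compare against
    if reply is None:
        return "no-answer"         # inconclusive: may simply be firewalled
    if pattern.match(reply):
        return "plausible"         # looks right, but a client can fake this
    return "suspect"               # port answers, but not with its protocol

def flag_hosts(probes):
    """Return the sorted hosts that gave at least one 'suspect' reply."""
    return sorted({host for host, port, reply in probes
                   if classify(port, reply) == "suspect"})

# Constructed probe results (documentation addresses, made-up replies).
SAMPLE = [
    ("192.0.2.10", 80, b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"),
    ("192.0.2.11", 80, b"\x8f\x02\xa1\x17\x00\x5c"),   # opaque bytes, no HTTP
    ("192.0.2.12", 25, b"220 mail.example ESMTP\r\n"),
    ("192.0.2.13", 21, None),                          # refused or timed out
    ("192.0.2.14", 22, b"\x00\x00\x01\x9c"),           # not an SSH banner
]

if __name__ == "__main__":
    for host, port, reply in SAMPLE:
        print(host, port, classify(port, reply))
    print("flagged:", flag_hosts(SAMPLE))
```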