zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Claimed Infringement

Tue Mar 01, 2011 9:30 am

My company provides bandwidth via satellite to many customers around Zimbabwe, as well as installing MikroTik products to give them control. Just the other day one of our clients' sites was flagged for a claimed infringement for downloading movies via BitTorrent. I have set up mangle rules to mark BitTorrent connections on a layer 7 basis and added firewall rules to drop any and all BitTorrent. Strangely, it seems to pass through.

I would like one of the following: either to be able to block all file sharing and P2P software 100%, or to be able to log the type of traffic customers generate. I did ask a South African company licensed in MikroTik products and I was told that you are only able to view real-time connections via IP > Firewall > Connections. Preferably I would like to log everything.

Below are the mangle and firewall rules.

4 ;;; Drop Bittorrent L7 Input
chain=input action=drop layer7-protocol=bittorrent

5 ;;; Drop BitTorrent L7 Forward
chain=forward action=drop layer7-protocol=bittorrent

6 ;;; Drop Bittorrent L7 Output
chain=output action=drop layer7-protocol=bittorrent

13 chain=prerouting action=mark-connection
new-connection-mark=bittorrent connection passthrough=no
layer7-protocol=bittorrent

Any help would be greatly appreciated.
 
normis
MikroTik Support
Posts: 26943
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Claimed Infringement

Tue Mar 01, 2011 9:33 am

You can safely remove those rules from the "input" and "output" chains; they don't do anything. You only need forward.

Of course, if you want to be strict, you can make a NAT rule to forward all web traffic to the transparent proxy and drop all other traffic. That would impact P2P users for sure.
 
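Spelled out as RouterOS configuration, the "web through the proxy, drop everything else" policy normis describes looks like this. This is an added example, not part of normis's post or of MikroTik's documentation; the interface names ether1-wan and ether2-lan, the LAN prefix 192.168.88.0/24 and the proxy port 8080 are assumptions to adapt to your router.

```routeros
# Added example (not from the thread): allow-list policy for a customer LAN.
# Assumptions: WAN on ether1-wan, LAN on ether2-lan, proxy listening on 8080.

# 1. Transparent HTTP proxy on the router itself.
/ip proxy
set enabled=yes port=8080

# 2. Redirect LAN web traffic (plain HTTP, TCP/80) into that proxy. Redirected
#    packets are then handled in the input chain, not forward.
/ip firewall nat
add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="LAN HTTP -> transparent proxy"

# 3. The proxy must never be reachable from the Internet side, otherwise the
#    router becomes an open proxy. Keep this above any broad accept in input.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=tcp dst-port=8080 \
    action=drop comment="no open proxy towards the WAN"

# 4. Forward chain: accept only what you have explicitly decided to allow,
#    then drop the rest. P2P (random TCP/UDP ports, DHT over UDP) lands in
#    the final drop, and that drop is logged so there is a record of who tried.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether2-lan protocol=tcp dst-port=443 \
    action=accept comment="HTTPS cannot transit an HTTP proxy"
add chain=forward in-interface=ether2-lan protocol=udp dst-port=53 \
    action=accept comment="DNS; narrow dst-address to your resolvers"
add chain=forward in-interface=ether2-lan action=drop log=yes \
    log-prefix="LAN-DENY" comment="everything else, including P2P"
```

`/log print where message~"LAN-DENY"` then shows source, destination and ports of every blocked attempt. Two caveats a practitioner would want: every port you allow (443 above, DNS to arbitrary servers) is a channel a determined client can tunnel through, so the allow-list is only as strict as its shortest entry; and the router's in-memory log is small, so for evidence that survives a reboot send the firewall topic to a syslog host.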
zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Re: Claimed Infringement

Tue Mar 01, 2011 3:07 pm

OK, I'll be working on creating a new firewall with your recommendations. It's definitely similar to what our supplier from South Africa suggested.

But is there a way to actually log who is doing what traffic? The problem is we need to show the client that we caught them; otherwise we will be liable. So far we are just taking screenshots :P but that is a labor-intensive operation, and since we can't keep checking for 24 hours straight, chances are that we will miss a few.

Basically we wish to be able to remotely log in to our routers and check the logs to see what has been passing through the link.

Thanks.
 
normis
MikroTik Support
Posts: 26943
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Claimed Infringement

Tue Mar 01, 2011 3:08 pm

You can use Torch to see IP addresses and ports, and how much traffic is going there.

http://wiki.mikrotik.com/wiki/Manual:Tr ... l_torch.29
 
zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Re: Claimed Infringement

Fri Jul 08, 2011 11:23 am

Hi. Coming back to this, could you please link to or further explain "of course if you want to be strict, you can make a NAT rule to forward all web traffic to the transparent proxy, and drop all other traffic, that would impact p2p users for sure."?

thanks! :)
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: Claimed Infringement

Fri Jul 08, 2011 5:10 pm

BitTorrent is a tough one to track and block due to the advanced encryption it is starting to use. The built-in BitTorrent filter doesn't do a very good job of blocking it. Here is an enhanced L7 filter:
/ip firewall layer7-protocol
add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
The biggest problem is that even if you block tracker access, BitTorrent uses a peer-to-peer trackerless system known as DHT to establish links. This can also be blocked, but it requires intercepting DNS.

There is an awesome thread about blocking P2P. It's a bit long, but well worth the read:
http://forum.mikrotik.com/viewtopic.php?f=2&t=21178

Personally, I use a system that blocks what P2P it can, then upon detection temporarily throttles the user down to unbearable speeds. This was designed for public wireless hotspots, where the goal is to make the network unusable for P2P users so they go elsewhere. It could easily have the QoS/mangle removed from it and just work as blocking/logging for you. I detailed it here: http://forum.mikrotik.com/viewtopic.php ... 83#p249583


--@CC_DKP
 
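To see what CCDKP's pattern does and does not catch, here is the same regular expression applied to a few constructed payloads in Python. This is an added example, not from the thread or from MikroTik: the RouterOS export escaping is undone (`\\x13` becomes the byte 0x13, the length prefix of the plaintext handshake; `\$` becomes `$`; `\\\?` becomes `\?`), and the payloads are made up (the info-hash is the bytes 0..19, the peer id is padding, and the "encrypted" handshake is a fixed arithmetic byte sequence standing in for the random-looking MSE/PE handshake, not real cryptography). RouterOS documents its layer7 matcher as case-insensitive and as searching the first 10 packets or 2 KiB of a connection; the emulation below searches one payload.

```python
import re

# CCDKP's layer7 regexp with RouterOS export escaping undone. RouterOS matches
# layer7 patterns case-insensitively, hence re.IGNORECASE.
BT_L7 = re.compile(
    rb"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=|"
    rb"get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)"
    rb"|d1:ad2:id20:|\x08'7P\)[RP]",
    re.IGNORECASE,
)

# Constructed sample payloads (the first bytes a client sends). None of this is
# real torrent data: the info-hash is just 0..19 and the peer id is padding.
INFO_HASH = bytes(range(20))
PEER_ID = b"-XX0000-" + b"p" * 12

SAMPLE_FLOWS = {
    # Plaintext peer-wire handshake: <19>"BitTorrent protocol"<reserved><info_hash><peer_id>
    "plain_handshake": b"\x13BitTorrent protocol" + b"\x00" * 8 + INFO_HASH + PEER_ID,
    # HTTP tracker announce (upper-case GET, caught because the matcher ignores case)
    "tracker_announce": (
        b"GET /announce?info_hash=%00%01%02%03%04%05%06%07%08%09"
        b"%0A%0B%0C%0D%0E%0F%10%11%12%13&peer_id=-XX0000-pppppppppppp"
        b"&port=6881&uploaded=0&downloaded=0&left=0 HTTP/1.1\r\n"
        b"Host: tracker.example\r\n\r\n"
    ),
    # DHT (KRPC) ping: a bencoded dict whose first keys are "a" then "id"
    "dht_ping": b"d1:ad2:id20:" + INFO_HASH + b"e1:q4:ping1:t2:aa1:y1:qe",
    # Stand-in for an MSE/PE encrypted handshake: 96 random-looking bytes. An
    # arithmetic progression mod 256 (step 37), so it provably contains none of
    # the two-byte sequences the signatures start with.
    "mse_encrypted_handshake": bytes((11 + 37 * i) % 256 for i in range(96)),
    # Ordinary web request that must not be flagged
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def which_signature(payload: bytes):
    """Return the matched signature bytes, or None (emulates layer7-protocol=bittorrent on one payload)."""
    m = BT_L7.search(payload)
    return m.group(0) if m else None


def looks_like_bittorrent(payload: bytes) -> bool:
    """True if the L7 rule would fire on this payload."""
    return which_signature(payload) is not None


def classify(flows=SAMPLE_FLOWS):
    """Map each sample flow to the verdict the L7 rule would give."""
    return {name: looks_like_bittorrent(p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:24s} {'MATCH' if hit else 'pass ':5s} {which_signature(SAMPLE_FLOWS[name])!r}")
```

The plaintext handshake, the tracker GET and the DHT ping all match; the encrypted handshake and the ordinary HTTP request do not. That is the gap CCDKP is pointing at: the signatures only fire on bytes the client sends in the clear, so a client that forces encryption on its peer connections is seen only through its tracker and DHT traffic, and a firewall rule that drops on this L7 match will let the encrypted data flows themselves through.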
robertfranz
newbie
Posts: 37
Joined: Tue Apr 21, 2009 3:30 am

Re: Claimed Infringement

Fri Jul 08, 2011 8:11 pm

CCDKP wrote:
BitTorrent is a tough one to track and block due to the advanced encryption it is starting to use. The built-in BitTorrent filter doesn't do a very good job of blocking it. Here is an enhanced L7 filter:
/ip firewall layer7-protocol
add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
The biggest problem is that even if you block tracker access, BitTorrent uses a peer-to-peer trackerless system known as DHT to establish links. This can also be blocked, but it requires intercepting DNS.

There is an awesome thread about blocking P2P. It's a bit long, but well worth the read:
http://forum.mikrotik.com/viewtopic.php?f=2&t=21178

Personally, I use a system that blocks what P2P it can, then upon detection temporarily throttles the user down to unbearable speeds. This was designed for public wireless hotspots, where the goal is to make the network unusable for P2P users so they go elsewhere. It could easily have the QoS/mangle removed from it and just work as blocking/logging for you. I detailed it here: http://forum.mikrotik.com/viewtopic.php ... 83#p249583

It looks like we've stumbled down the same rabbit hole.

For my public hotspots, all I need is a demonstration of due diligence in preventing IP theft.

What I actually have is effectively complete blocking of P2P.

I don't really understand why people in our situation are nuking this.

Even with encryption on, BitTorrent is leaky as a sieve.

My only detection rule is the checkbox for All-P2P.

This is used to mark the connection and then the packets, and places the originating IP, where the IP is on the local subnet, on the bad_boys list for 5 seconds, which triggers the firewall rule to drop all traffic to/from bad_boys.

I've found that the way this works in practice is:

As soon as I fire up uTorrent, even though encryption is forced both in and out, P2P is detected and my throughput goes away.

I close uTorrent, and about 10 seconds later the connection is marked closed in conntrack, and about 5 seconds after that I'm removed from bad_boys and my throughput resumes.

I can't speak to other protocols as I haven't tested for them, but for BT this has worked for me 100%, and any false positives go away on their own quickly enough.
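The detect-and-quarantine scheme robertfranz describes (mark the connection, put the source on an address list with a short timeout, drop everything to and from that list) can be written out as RouterOS configuration, with logging added so the thread's original question, who did what and when, is answered from the log instead of from screenshots. This is an added example, not robertfranz's or CCDKP's actual rules. Assumptions: the customer LAN is 192.168.88.0/24, a layer7 protocol named bittorrent is already defined (for instance CCDKP's pattern above), and a syslog collector listens on 10.0.0.5. On RouterOS v5, which this thread is about, the detection rule could use the built-in p2p=all-p2p matcher robertfranz relies on instead of layer7-protocol; that matcher is not available in RouterOS v7.

```routeros
# Added example (not from the thread): quarantine on detection, with evidence
# logging. Assumptions: LAN 192.168.88.0/24, an existing layer7 protocol named
# "bittorrent", syslog collector at 10.0.0.5:514.

/ip firewall mangle
# Detect once per connection. connection-mark=no-mark means this rule fires only
# on the packet that first matches, so log=yes here yields one log line per
# offending connection (source, destination, ports, time) rather than one per packet.
add chain=prerouting src-address=192.168.88.0/24 connection-mark=no-mark \
    layer7-protocol=bittorrent action=mark-connection \
    new-connection-mark=p2p_conn passthrough=yes \
    log=yes log-prefix="P2P-DETECT"
# Every further packet of a marked connection renews the 5 s quarantine.
# Prerouting mangle runs before forward filter, so the renewal happens even
# though the packet is dropped below; the host falls off the list about 5 s
# after the last packet, as robertfranz observed.
add chain=prerouting connection-mark=p2p_conn src-address=192.168.88.0/24 \
    action=add-src-to-address-list address-list=bad_boys \
    address-list-timeout=5s

/ip firewall filter
# Quarantine both directions for listed hosts. Deliberately no log=yes here:
# a torrent client in quarantine would produce thousands of lines a minute.
add chain=forward src-address-list=bad_boys action=drop comment="quarantine out"
add chain=forward dst-address-list=bad_boys action=drop comment="quarantine in"

/system logging action
add name=evidence target=remote remote=10.0.0.5 remote-port=514
/system logging
add topics=firewall action=evidence
```

`/ip firewall address-list print where list=bad_boys` shows who is quarantined right now, and `/log print where message~"P2P-DETECT"` shows the history on the router itself, but the router's memory log is short and does not survive a reboot, which is why the firewall topic is also shipped to a syslog host. Two caveats: the logged source address is only useful as evidence if it is taken on the router that sees the customer's inside addresses (a router upstream of the customer's own NAT only ever sees the customer's public address), and the layer7 variant only fires on the plaintext signatures, so a peer that starts an encrypted connection without a tracker or DHT exchange visible to this router will not be quarantined.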