P2P Blocking

centsi · Wed Dec 13, 2006 2:54 pm

Hi.

Using a general P2P blocking filter was working very nicely until this week, when we have noticed emule getting through - perhaps using the "protocol obfuscation" setting.

Also another client called "ares", which I believe uses gnutella, seems to be getting through, and I am concerned that bittorrent etc may well be.

Has anyone else noticed this?

I suspect this is part of an ongoing arms race between those of us that want to block p2p and those of us that want to use it, but I wish to be certain that there is no problem on our particular installation.

If this is due to P2P companies improving their protocols, can we expect that the Mikrotik programmers will be looking in to improving the blocking?

BTW we are none the less very impressed with Mikrotik.

Cheers.

Wed Dec 13, 2006 3:03 pm

Ares protocol can only be droped, speed limiting is impossible for it, matcher p2p=warez is used for that.
As well encrypted torrent can be only dropped.

changeip · Wed Dec 13, 2006 9:45 pm

My first run in with p2p was this week. I packet marked all high port to high port connections > 10240 and it seemed to help - is this standard practice to throttle high to high connections to fight p2p? The standard queue with p2p enabled was only catching about 25% of it.

Sam

titius · Thu Dec 14, 2006 1:02 am

please can you explain that a little better.

@sergejs

encrypted torrent CANT be dropped, if it can please write it how to

Thu Dec 14, 2006 8:23 am

I can offer two ways to drop p2p traffic,
- first method, to mark connections with appropriate p2p mark on the firewall mangle, then drop them.
- second method, use firewall to allow known traffic and drop anything else.

Thu Dec 14, 2006 10:16 am

If i remember correctly - uTorrent can't be dropped, Azureus can. There is no way how to detect it, the traffic is encrypted, all the packets are different, there is no way of telling that is uTorrent's traffic.

janisk · Thu Dec 14, 2006 10:36 am

every week someone is discussing how to drop p2p traffic, or limit it somehow.

every week new topic.

if you took "oh mighty" search and searched dropping p2p, limiting p2p you would finally bump on macgaiver's post how to drop encrypted p2p

and please, remember - encrypted traffic is encrypted for a cause - so noon really sees what is going on there. if start to decrypt it - we would violate any known privacy regulations/rules

good luck

EDIT:

for those who do not know where is search button:
http://forum.mikrotik.com//viewtopic.php?p=55425#55425

mortin · Thu Dec 14, 2006 10:56 am

I noticed that also the marking rule is no more effective. The only clue whats come to me is mark selected traffic like http, ftp, pop3, smtp, some communicators and give them higher prioriety. All the rest of traffic mark as other garbage and give it the lowest priorety.

Marcin

janisk · Thu Dec 14, 2006 11:08 am

yes, that is solution, but creating that you have to be very careful. and for majority it is somehow complicated due to limited knowledge of ROS

good luck.

ldvaden · Mon Apr 23, 2007 4:21 am

every week someone is discussing how to drop p2p traffic, or limit it somehow. every week new topic.

good luck

EDIT:

for those who do not know where is search button:
http://forum.mikrotik.com//viewtopic.php?p=55425#55425

Does a new week begin on Sunday or Monday?

Nomination for this week: <http://tools.ietf.org/html/rfc4594>, especially Figure 3.

Fair use excerpt:

    ------------------------------------------------------------------
   |   Service     |  DSCP   |    DSCP     |       Application        |
   |  Class Name   |  Name   |    Value    |        Examples          |
   |===============+=========+=============+==========================|
   |Network Control|  CS6    |   110000    | Network routing          |
   |---------------+---------+-------------+--------------------------|

best regards/ldv