Community discussions

MikroTik App
  4. RouterOS
  5. General

Torch screen capture - What do you think he/she is doing?

Post Reply
 
User avatar
kolorasta
Member
Member
Topic Author
Posts: 310
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Torch screen capture - What do you think he/she is doing?

Thu Nov 30, 2006 6:38 am

What do you think this client is doing. He/she is doing this kind of stuff all day

Image
Top
 
User avatar
mneumark
Member
Member
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA
Contact:
Contact mneumark

Thu Nov 30, 2006 7:05 am

That looks like P2P using Random Ports. You might want to consider limiting TCP connections down to a certain number. Or impliment some P2P rules.
Top
 
User avatar
kolorasta
Member
Member
Topic Author
Posts: 310
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Thu Nov 30, 2006 2:31 pm

i looks like a p2p

but when i go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user

and i've got this rule in firewall

3 ;;; Drop P2P
chain=forward p2p=all-p2p connection-state=established action=drop
Top
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:
Contact normis

Thu Nov 30, 2006 2:35 pm

could be encrypted uTorrent or Azureus
Top
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Nov 30, 2006 2:45 pm

i looks like a p2p

but when i go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user

and i've got this rule in firewall

3 ;;; Drop P2P
chain=forward p2p=all-p2p connection-state=established action=drop
it seems they have advanced in their technology in hiding from this filter rule. here in forums macgaiver posted configuration that could fight that "bastardo" :)
Top
 
User avatar
kolorasta
Member
Member
Topic Author
Posts: 310
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Thu Nov 30, 2006 4:54 pm

i looks like a p2p

but when i go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user

and i've got this rule in firewall

3 ;;; Drop P2P
chain=forward p2p=all-p2p connection-state=established action=drop
it seems they have advanced in their technology in hiding from this filter rule. here in forums macgaiver posted configuration that could fight that "bastardo" :)
you mean this thread? http://forum.mikrotik.com/viewtopic.php ... =macgaiver
Top
 
User avatar
kolorasta
Member
Member
Topic Author
Posts: 310
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Thu Nov 30, 2006 5:06 pm

could be encrypted uTorrent or Azureus
these can't be dropped?
Top
 
User avatar
bjohns
Member Candidate
Member Candidate
Posts: 271
Joined: Sat May 29, 2004 4:11 am
Location: Sippy Downs, Australia
Contact:
Contact bjohns

Fri Dec 01, 2006 3:11 am

could be encrypted uTorrent or Azureus
these can't be dropped?
Not easily - deep packet inspection isn't possible due to the encryption. Other means of tagging the packets will need to be devised and I think that's easier said than done. I haven't specifically looked at such traffic although if they're anything like Skype traffic...
Top
 
User avatar
111111
Member Candidate
Member Candidate
Posts: 195
Joined: Thu Oct 05, 2006 1:39 am
Location: BG,SOFIA

Sat Dec 02, 2006 2:18 am

there is a simple variant
make list of torrent servers and block it
block and ports biger then 1024
Top
 
User avatar
jdejansb
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Thu Jul 13, 2006 1:35 pm
Location: Srbija
Contact:
Contact jdejansb

Sat Dec 02, 2006 5:44 pm

That looks like P2P using Random Ports. You might want to consider limiting TCP connections down to a certain number. Or impliment some P2P rules.
That seems like a nice idea - if one exceeds (for example) 300 connections - HE will have problems with other progs (messengers, browsers, send/recv emails...)

Btw, how to limit number of connections for pppoe user(s)??

D.
Top
 
User avatar
kolorasta
Member
Member
Topic Author
Posts: 310
Joined: Sun Jun 25, 2006 11:55 pm
Location: Argentina

Sun Dec 03, 2006 6:03 pm

there is a simple variant
make list of torrent servers and block it
block and ports biger then 1024
where can i obtain a list of torrent servers?
Top
 
User avatar
111111
Member Candidate
Member Candidate
Posts: 195
Joined: Thu Oct 05, 2006 1:39 am
Location: BG,SOFIA

Sun Dec 03, 2006 6:13 pm

where can i obtain a list of torrent servers?
hard to be find
http://torrents.to/
have lot of torrent server listed, i see 300+

other variant
block web pages with "bt." "torrent" "torrents"

and maby hard hardest thing
see most used addreses on port 80 in time before begin big downloads
Top
 
jo2jo
Forum Guru
Forum Guru
Posts: 1007
Joined: Fri May 26, 2006 1:25 am

Sun Dec 03, 2006 11:10 pm

your best bet is to just queue ports above 1024...and then just look for other legitmate ports that you customers use and open those one at a time or 3 at a time accordingly.



also another thing that most ppl dont think of when looking at a torch scan is that it can be Xbox Live or somekind of online gaming in which your customer is the host...

i.e. i did some tests and when i'm hosting a online game on my xbox 360 you will see a spread of ports and dst's with consistant TX on each..some more than others
Top
 
User avatar
111111
Member Candidate
Member Candidate
Posts: 195
Joined: Thu Oct 05, 2006 1:39 am
Location: BG,SOFIA

Mon Dec 04, 2006 1:21 am

jo2jo i thing kolorasta want to block traffic on personal of establishment or somthing else were internet is not for games and p2p.
If kolorasta is provider on home users, he will not stop p2p becouse he will waste his clients
Top
Post Reply

Who is online

Users browsing this forum: ieleja and 39 guests
  4. RouterOS
  5. General