Torch screen capture - What do you think he/she is doing?

Posted: Thu Nov 30, 2006 6:38 am
by kolorasta
What do you think this client is doing? He/she is doing this kind of stuff all day.

Posted: Thu Nov 30, 2006 7:05 am
by mneumark
That looks like P2P using random ports. You might want to consider limiting TCP connections down to a certain number, or implement some P2P rules.

Posted: Thu Nov 30, 2006 2:31 pm
by kolorasta
It looks like a p2p

but when I go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user

and I've got this rule in firewall

3 ;;; Drop P2P
chain=forward p2p=all-p2p connection-state=established action=drop

Posted: Thu Nov 30, 2006 2:35 pm
by normis
could be encrypted uTorrent or Azureus

Posted: Thu Nov 30, 2006 2:45 pm
by janisk
> It looks like a p2p
>
> but when I go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user
>
> and I've got this rule in firewall
>
> 3 ;;; Drop P2P
> chain=forward p2p=all-p2p connection-state=established action=drop

It seems they have advanced in their technology in hiding from this filter rule. Here in the forums macgaiver posted a configuration that could fight that "bastardo" :)

Posted: Thu Nov 30, 2006 4:54 pm
by kolorasta
>> It looks like a p2p
>>
>> but when I go to IP/Firewall/Connections ... there aren't any connections detected as P2P for this user
>>
>> and I've got this rule in firewall
>>
>> 3 ;;; Drop P2P
>> chain=forward p2p=all-p2p connection-state=established action=drop
>
> It seems they have advanced in their technology in hiding from this filter rule. Here in the forums macgaiver posted a configuration that could fight that "bastardo" :)

You mean this thread? http://forum.mikrotik.com/viewtopic.php ... =macgaiver

Posted: Thu Nov 30, 2006 5:06 pm
by kolorasta
> could be encrypted uTorrent or Azureus

these can't be dropped?

Posted: Fri Dec 01, 2006 3:11 am
by bjohns
>> could be encrypted uTorrent or Azureus
>
> these can't be dropped?

Not easily - deep packet inspection isn't possible due to the encryption. Other means of tagging the packets will need to be devised and I think that's easier said than done. I haven't specifically looked at such traffic although if they're anything like Skype traffic...

Posted: Sat Dec 02, 2006 2:18 am
by 111111
There is a simple variant:
make a list of torrent servers and block it,
and also block ports bigger than 1024

Posted: Sat Dec 02, 2006 5:44 pm
by jdejansb
> That looks like P2P using random ports. You might want to consider limiting TCP connections down to a certain number, or implement some P2P rules.

That seems like a nice idea - if one exceeds (for example) 300 connections - HE will have problems with other progs (messengers, browsers, send/recv emails...)

Btw, how to limit number of connections for pppoe user(s)??

D.

Posted: Sun Dec 03, 2006 6:03 pm
by kolorasta
> There is a simple variant:
> make a list of torrent servers and block it,
> and also block ports bigger than 1024

Where can I obtain a list of torrent servers?

Posted: Sun Dec 03, 2006 6:13 pm
by 111111
> Where can I obtain a list of torrent servers?

Hard to find.
http://torrents.to/
has a lot of torrent servers listed, I see 300+

Another variant:
block web pages with "bt." "torrent" "torrents"

And maybe the hardest thing:
see the most used addresses on port 80 in the time before big downloads begin

Posted: Sun Dec 03, 2006 11:10 pm
by jo2jo
Your best bet is to just queue ports above 1024... and then just look for other legitimate ports that your customers use and open those one at a time or 3 at a time accordingly.

Also, another thing that most people don't think of when looking at a torch scan is that it can be Xbox Live or some kind of online gaming in which your customer is the host...

i.e. I did some tests, and when I'm hosting an online game on my Xbox 360 you will see a spread of ports and dst's with consistent TX on each... some more than others
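
Added example, not part of any post in this thread: since the replies above fall back on connection counts and port ranges once encryption defeats protocol matching, this sketch profiles exported connection rows per source and labels sources that exceed a connection limit with nearly all destinations on ports above 1024. The row format, the addresses (constructed sample data), and both thresholds are assumptions; 300 is only the figure used as an example earlier in the thread.

```python
from collections import defaultdict

def build_sample():
    """Constructed connection rows: (src_ip, dst_ip, dst_port)."""
    rows = []
    for i in range(320):  # host with many peers on scattered high ports
        net = "198.51.100" if i < 250 else "203.0.113"
        rows.append(("10.0.0.5", f"{net}.{i % 250 + 1}", 20000 + i * 37))
    for i in range(40):   # host with a modest spread of high-port peers
        rows.append(("10.0.0.7", f"192.0.2.{i + 1}", 3074 + i))
    for i in range(12):   # host doing web and mail only
        rows.append(("10.0.0.9", f"192.0.2.{200 + i % 3}", (80, 443, 25, 110)[i % 4]))
    return rows

def profile(rows, high_port=1024):
    """Per source: connection count, distinct peers, share of ports above high_port."""
    acc = defaultdict(lambda: {"conns": 0, "peers": set(), "high": 0})
    for src, dst, dport in rows:
        a = acc[src]
        a["conns"] += 1
        a["peers"].add(dst)
        a["high"] += dport > high_port
    return {src: {"conns": a["conns"], "peers": len(a["peers"]),
                  "high_ratio": a["high"] / a["conns"]} for src, a in acc.items()}

def flag(rows, conn_limit=300, min_high_ratio=0.9):
    """Label each source; both thresholds are assumptions to tune per network."""
    labels = {}
    for src, p in profile(rows).items():
        if p["conns"] <= conn_limit:
            labels[src] = "ok"
        elif p["high_ratio"] >= min_high_ratio:
            labels[src] = "p2p-like"
        else:
            labels[src] = "over-limit"
    return labels

if __name__ == "__main__":
    for src, label in sorted(flag(build_sample()).items()):
        print(src, label)
```

The 40-connection host has the same all-high-port profile as the flagged one, so the port ratio alone does not separate the two; only the connection count does here.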

Posted: Mon Dec 04, 2006 1:21 am
by 111111
jo2jo, I think kolorasta wants to block traffic on personal of establishment or something else where internet is not for games and p2p.
If kolorasta is a provider for home users, he will not stop p2p because he will waste his clients