On Fri, 23 May 2014 12:14:47 -0700, "David Kaye"
Post by David Kaye
The manager of an apartment building I administer (74 units) got a notice
from Comcast stating that Bit Torrent was used to download "Game of
Thrones". I'm aware that these issues usually just end with the notice
being sent. Even so, my customer wants to be reassured that I'm doing
everything I can do to help stop this file piracy.
Is there any kind of (not too expensive) firewalling available that
addresses this issue?
As Thad mentioned, it would be helpful if you described the existing
Which issue? The excessive incoming traffic? The possibly excessive
outgoing traffic? The downloading of pirated software? The violation
of the ToS?
Excessive incoming and outgoing traffic can best be handled with
logging (and graphing) software such as MRTG, RRDtool, Nagios, etc.
These can track aggregate traffic by MAC address, IP address, or as I
like to do, ethernet managed switch port number. If the apartment
user plugs his router into a port on an ethernet switch, it can be
monitored. However, that would not stop a user from changing their
MAC or IP address.
If the apartment building uses Wi-Fi to distribute internet, things
become more complexicated. A wireless LAN switch system:
is needed along with a RADIUS server forcing each user to login before
using the service. This allows tracking and monitoring by user, not
by device. This has the added bonus of keeping the neighbors out of
the system. With 74 ports, such a system will be rather expensive.
The biggest expense is not in the hardware, but in the time it takes
for a qualified person to inspect the logs/graphs and look for signs
of abuse. For example, comparing the date/time of the alleged abuse
from Comcast, with the traffic logs, will probably identify the
culprit. However, that takes considerable time, effort, and
expertise. Do you really want to act as enforcer? I don't.
An expert P2P user will NOT show any obvious traffic patterns.
However, the overwhelming number of BitTorrent users use the default
port numbers and config. For example, BitTorrent tends to open a
large number of simultaneous incoming streams, which can be detected.
It also tends to generate some simultaneous outgoing traffic, which
can also be seen.
I don't think there's anything one can economically do to separate
legal and illegal P2P activity. With the addition of encryption and
separating the good from the bad is probably impossible by pattern
Detecting Torrents Using Snort
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
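
The log comparison described in the reply above (matching the date/time in the notice against per-switch-port traffic logs and looking for many simultaneous peers), sketched as an added example that is not part of the original post. The log format, the sample records, the notice time, and the `min_peers` threshold are all constructed assumptions.

```python
"""Correlate an ISP notice timestamp with per-switch-port flow logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). Assumed log format:
# ISO timestamp, managed-switch port, direction (in/out), remote IP
SAMPLE_FLOWS = """\
2014-05-20T21:40:02 port03 out 203.0.113.5
2014-05-20T21:58:10 port07 in 198.51.100.11
2014-05-20T21:58:12 port07 in 198.51.100.12
2014-05-20T21:58:15 port07 in 198.51.100.13
2014-05-20T21:59:01 port07 out 198.51.100.14
2014-05-20T21:59:30 port07 in 198.51.100.15
2014-05-20T22:00:05 port07 in 198.51.100.16
2014-05-20T22:01:00 port12 out 203.0.113.9
2014-05-20T22:01:20 port12 out 203.0.113.9
2014-05-20T23:30:00 port21 in 198.51.100.40
"""

def parse_flows(text):
    """Yield (time, switch_port, direction, remote_ip) for each log line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        ts, port, direction, ip = fields
        yield datetime.fromisoformat(ts), port, direction, ip

def rank_ports(text, notice_time, window_minutes=10, min_peers=5):
    """Rank switch ports by distinct remote peers seen near notice_time.

    Returns (port, distinct_peers, inbound_flows, flagged) tuples, busiest
    first. min_peers is an assumed threshold to tune against normal traffic.
    """
    window = timedelta(minutes=window_minutes)
    peers = defaultdict(set)
    inbound = defaultdict(int)
    for ts, port, direction, ip in parse_flows(text):
        if abs(ts - notice_time) <= window:
            peers[port].add(ip)
            inbound[port] += direction == "in"
    rows = [(p, len(ips), inbound[p], len(ips) >= min_peers)
            for p, ips in peers.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    notice = datetime(2014, 5, 20, 22, 0, 0)  # constructed notice time
    for port, n_peers, n_in, flagged in rank_ports(SAMPLE_FLOWS, notice):
        print(f"{port}: peers={n_peers} inbound={n_in} flagged={flagged}")
```

Counting distinct remote addresses per switch port, rather than per MAC or IP, keeps the result stable when a user changes their MAC or IP address.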