NBAR and P2P

Unanswered Question
Jan 25th, 2008

Hi,


I'd like to know if NBAR can detect BitTorrent traffic if a client like uTorrent enables protocol encryption. (http://www.utorrent.com/faq.php#Does_.C2B5Torrent_support_Protocol_Encryption.3F)

If it can't, is there any way to still be able to shape this p2p traffic to a limited rate?

tgregorics Sun, 01/27/2008 - 10:03

If I knew the port numbers I would use ACLs and wouldn't need NBAR in the first place.

Unfortunately nowadays trackers use random port numbers, obviously to make filtering harder. I can't track down every tracker my local users use, and even if I do, they just search for another one.

So, basically you're saying that NBAR only classifies p2p traffic based on "known" port numbers? If so, then it's useless.

Edison Ortiz Sun, 01/27/2008 - 10:22
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

NBAR protocols deployed by Cisco check for application behavior; custom NBAR protocols only check for src/dst ports.


__


Edison.

tgregorics Sun, 01/27/2008 - 23:29

Well, good to know, but with this we are back to square one.

I still don't know if the BitTorrent NBAR can match encrypted torrent packets (like the ones uTorrent, the MOST POPULAR client, generates) or not.

guruprasadr Sun, 01/27/2008 - 20:09
User Badges:
  • Gold, 750 points or more

Hi, [PLS RATE if HELPS]

Cisco IOS version 12.4(4)T introduced the much-awaited Skype classification in NBAR. Now, with a simple policy you can block Skype in much the same way as you used to block Kazaa, LimeWire, and other p2p applications.


Example:

NBAR configuration to drop Skype packets:

class-map match-any p2p
 match protocol skype
policy-map block-p2p
 class p2p
  drop
int FastEthernet0
 description PIX facing interface
 service-policy input block-p2p


If you are unsure about the bandwidth-eating applications being used in your organization, you can go to the interface connected to the Internet and configure it with the following command:

"ip nbar protocol-discovery"

This will enable NBAR protocol discovery on your router.

If you then use the following command:

"show ip nbar protocol-discovery stats bit-rate top-n 10"

it will show you the top 10 bandwidth-eating applications being used by the users. Now you will be able to block/restrict that traffic with an appropriate QoS policy.

You can also use the "ip nbar port-map" command to make NBAR look for a protocol (by protocol name) on a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.

Usage as per Cisco:

"ip nbar port-map protocol-name [tcp | udp] port-number"

Up to 16 ports can be specified with the above command. Port number values can range from 0 to 65535.

Here is another way to go:

================================

Download the PDLMs from Cisco to your flash, then configure:

ip nbar pdlm flash:bittorrent.pdlm
ip nbar pdlm flash:eDonkey.pdlm
ip nbar pdlm flash:gnutella.pdlm
ip nbar pdlm flash:kazaa2.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:printer.pdlm
!
class-map match-any nbar-discovery
 match protocol gnutella
 match protocol kazaa2
 match protocol napster
 match protocol printer
 match protocol http url "*cmd.exe*"
 match protocol fasttrack
 match protocol novadigm
 match protocol edonkey
 match protocol bittorrent
!
!
policy-map ip-prec-marked
 class nbar-discovery
  drop
!
interface Serial0/1
 ip nbar protocol-discovery
 service-policy input ip-prec-marked


HOPE I am Informative.


PLS RATE if HELPS !!!!


Best Regards,


Guru Prasad R

Joseph W. Doherty Wed, 02/20/2008 - 17:40
User Badges:
  • Super Bronze, 10000 points or more

The latest NBAR PDLM for BitTorrent is version 3.0, datestamped 8/22/2007. The release notes don't mention encryption, so that might be a problem, but they do note (for non-encrypted?) "The BitTorrent PDL module identifies and classifies most BitTorrent traffic regardless of port." Try it and see if it helps.


PS:

Some NBAR protocol matching is just a pretty face on port matching, other NBAR protocol matching does deeper and/or stateful analysis. See http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6558/ps6612/ps6653/prod_qas09186a00800a3ded.html for more information.

slaptijack Sat, 02/23/2008 - 13:54

I'm sure this is a case of too little too late, but I can tell you from personal experience that NBAR does not detect encrypted BitTorrent traffic.


Sorry.

richardburford Tue, 04/28/2009 - 01:33

Yes, I can confirm that it does not detect encrypted traffic. With encryption off my policy works and the client gets no download. As soon as the client turns on encryption the download will start.

I have heard people have had some success blocking access to the info_hash file from the tracker using HTTP URL filtering with a regex. This effectively starves the client of peers.
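The following is an added illustration, not code from the thread or from Cisco: a toy payload-signature classifier in Python that shows what the PDLM-style matching and the tracker-URL regex approach discussed above can and cannot see. It labels a plaintext BitTorrent peer handshake and an HTTP tracker announce, but returns "unknown" for a stream that opens with protocol encryption, because an encrypted connection carries no fixed marker to match. All sample payloads are constructed inline; the regex and the labels are assumptions for this example, not NBAR's own rules.

```python
import hashlib
import re

# Plaintext BitTorrent peer-wire handshake opens a peer TCP stream with
# <pstrlen=19><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id>
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"

# Tracker announce request line: the URL an "http url" match or a URL-filtering
# regex can see when the tracker is reached over plain HTTP. (Assumed pattern.)
TRACKER_ANNOUNCE_RE = re.compile(rb"^(?:GET|POST) \S*announce\S*[?&]info_hash=", re.IGNORECASE)


def classify_payload(payload: bytes) -> str:
    """Toy payload-signature classifier (not Cisco's PDLM logic): label the
    first bytes of a TCP stream by known BitTorrent markers, or "unknown"."""
    if payload.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent-peer"
    if TRACKER_ANNOUNCE_RE.match(payload):
        return "bittorrent-tracker"
    return "unknown"


def constructed_samples() -> dict:
    """Constructed sample payloads (not real captures)."""
    info_hash = hashlib.sha256(b"constructed torrent").digest()[:20]  # stand-in info_hash
    peer_id = b"-UT1800-" + b"x" * 12                                   # uTorrent-style peer_id
    plain_handshake = BT_HANDSHAKE_PREFIX + b"\x00" * 8 + info_hash + peer_id
    tracker_announce = (
        b"GET /announce.php?info_hash=%AA%BB%CC&peer_id=-UT1800-xxxxxxxxxxxx"
        b"&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
    )
    # With protocol encryption (MSE/PE) the stream opens with a Diffie-Hellman
    # public value plus random padding, so there is no fixed marker to match.
    # SHA-256 output stands in for that random-looking data here.
    encrypted_open = b"".join(hashlib.sha256(b"constructed-dh-%d" % i).digest() for i in range(3))
    return {
        "plain_handshake": plain_handshake,
        "tracker_announce": tracker_announce,
        "encrypted_open": encrypted_open,
    }


def classify_samples() -> dict:
    """Classifier verdict for every constructed sample."""
    return {name: classify_payload(data) for name, data in constructed_samples().items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

The "encrypted_open" verdict is the point of the thread: once the peer connection is encrypted, only the unencrypted tracker request (if the tracker is plain HTTP) remains visible to a URL-based match.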
