NBAR, bittorrent and RC4 based encryption

Answered Question
Dec 16th, 2009

My question is simple. Does the NBAR bittorrent PDLM work?

The answer could be 'yes', 'no' or 'it depends'.

Bittorrent clients (like other peer-to-peer applications) now use protocol encryption techniques based on RC4, named MSE, PHE and so on.

If you take a recent bittorrent release and go in "Options", "Preferences", "bittorrent" you will find a "protocol encryption" section.

I tried to block bittorrent using NBAR with a typical configuration like this:

class-map match-any filtro
match protocol kazaa2
match protocol edonkey
match protocol gnutella
match protocol bittorrent

...

During my test I have a match for "part" of the traffic:

Match: protocol bittorrent
        89774 packets, 13916382 bytes
        30 second rate 86000 bps

But I continued to use bittorrent without problems!!! I mean that only a part of the traffic was detected and dropped. Probably the "outgoing" part because in the default configuration bittorrent doesn't use encryption for outgoing traffic.

On the Cisco web site I was not able to find any references to encryption. But the question is: is there something wrong in my configuration, OR should Cisco clearly state that NBAR is able to detect only part of the peer-to-peer traffic?

Thank you

Gianrico Fichera

itesys srl

Correct Answer
stevjarbeck Wed, 12/16/2009 - 09:00

This works until protocol encryption is enabled. Once protocol encryption is enabled it will not block this traffic. There is no way that I know of to resolve this issue once the traffic is encrypted. You can define an ACL to block common ports. Below is what I use. But again, once the traffic is encrypted there isn't much you can do. I don't believe there is any way, without an alternate hardware/software solution, to block encrypted P2P traffic. If you find out otherwise please let me know.

This is what I use on a Cisco 871w:

class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol kazaa2
 match protocol gnutella
 match protocol fasttrack
class-map match-any VPN
 match access-group name VPN
class-map match-any WebEmail
 match protocol http
 match protocol secure-http
 match protocol ftp
 match protocol smtp
 match protocol pop3

policy-map drop-P2P
 class P2P
  drop
policy-map QoSPolicy
 class VPN
  bandwidth remaining percent 25
 class WebEmail
  bandwidth remaining percent 74
 class class-default
  fair-queue

interface FastEthernet4
 ip nbar protocol-discovery
 service-policy output QoSPolicy
 service-policy input drop-P2P

access-list 104 deny   tcp any any eq 135
access-list 104 deny   udp any any eq 135
access-list 104 deny   udp any any eq netbios-ss
access-list 104 deny   udp any any eq netbios-ns
access-list 104 deny   udp any any eq 445
access-list 104 deny   tcp any any eq 139
access-list 104 deny   tcp any any eq 445
access-list 104 deny   tcp any any eq 4444
access-list 104 deny   tcp any any eq 137
access-list 104 deny   udp any any eq tftp
access-list 104 deny   udp any any eq 1214
access-list 104 deny   udp any any eq 3531
access-list 104 deny   udp any any eq 6346
access-list 104 deny   udp any any eq 6347
access-list 104 deny   udp any any eq 6801
access-list 104 deny   udp any any eq 6881
access-list 104 deny   udp any any eq 6882
access-list 104 deny   udp any any eq 6883
access-list 104 deny   udp any any eq 6884
access-list 104 deny   udp any any eq 6885
access-list 104 deny   udp any any eq 6886
access-list 104 deny   udp any any eq 6887
access-list 104 deny   udp any any eq 6888
access-list 104 deny   udp any any eq 6889
access-list 104 deny   tcp any any eq 1214
access-list 104 deny   tcp any any eq 2074
access-list 104 deny   tcp any any eq 2075
access-list 104 deny   tcp any any eq 2076
access-list 104 deny   tcp any any eq 3531
access-list 104 deny   tcp any any eq 3724
access-list 104 deny   tcp any any eq 5500
access-list 104 deny   tcp any any eq 5800
access-list 104 deny   tcp any any eq 5900
access-list 104 deny   tcp any any eq 6346
access-list 104 deny   tcp any any eq 6347
access-list 104 deny   tcp any any eq 6881
access-list 104 deny   tcp any any eq 6882
access-list 104 deny   tcp any any eq 6883
access-list 104 deny   tcp any any eq 6884
access-list 104 deny   tcp any any eq 6885
access-list 104 deny   tcp any any eq 6886
access-list 104 deny   tcp any any eq 6887
access-list 104 deny   tcp any any eq 6888
access-list 104 deny   tcp any any eq 6889
access-list 104 deny   tcp any any eq 6990
access-list 104 deny   tcp any any eq 6991
access-list 104 deny   tcp any any eq 6992
access-list 104 deny   tcp any any eq 6993
access-list 104 deny   tcp any any eq 6994
access-list 104 deny   tcp any any eq 6995
access-list 104 deny   tcp any any eq 6996
access-list 104 deny   tcp any any eq 6997
access-list 104 deny   tcp any any eq 6998
access-list 104 deny   tcp any any eq 6999
access-list 104 deny   tcp any any eq 8000
access-list 104 deny   tcp any any eq 8001
access-list 104 deny   tcp any any eq 8090
access-list 104 deny   tcp any any eq 8767
access-list 104 deny   tcp any any eq 10200
access-list 104 deny   tcp any any eq 14534
access-list 104 deny   tcp any any eq 51234
Correct Answer
bkattan Sat, 12/26/2009 - 12:17

Hi,

Today I had the same requirement, and when I realized I had 75% of my bandwidth used classified as unknown by NBAR, I decided to do the following:

Consider the reverse logic. Police everything NBAR does not recognize, including the P2P protocols NBAR does.

To make it clearer, I started off by creating a long class-map, with around 81 "match not protocol" statements.

The result is traffic NBAR does not recognize, and to match the P2P protocols NBAR does recognize as well, I omitted them from the list.

Then I called that class-map in a policy that polices the result to about 10% of my bandwidth.

The logic sounded nasty but made sense. But the config would not take, no clue why, but I guess the class-map was too long.

(If any developer is reading this, a comment would be nice please; I am using a 3845 and IOS version 12.4(15)T9.)

So, a minor adjustment: I created 14 class-maps, each matching (not "match not") 6 protocols, then a policy-map calling those class-maps, not doing anything to the traffic, then a policer at the class-default.

This means that any match on any of the 14 class-maps would allow the packet to cross untouched; otherwise (unknown protocol), it will hit the policer.

Expect around 25% of extra CPU load depending on your bandwidth.

I can post my config if you need it.

Good luck.

Bassem Kattan

CCIE# 20156

bkattan Sat, 12/26/2009 - 12:30

here it is:

class-map match-any 11
match protocol secure-nntp
match protocol secure-pop3
match protocol secure-telnet
match protocol sip
match protocol skinny
match protocol skype
class-map match-any 10
match protocol rtsp
match protocol secure-ftp
match protocol secure-http
match protocol secure-imap
match protocol secure-irc
match protocol secure-ldap
class-map match-any 13
match protocol ssh
match protocol streamwork
match protocol sunrpc
match protocol syslog
match protocol telnet
match protocol tftp
class-map match-any 12
match protocol smtp
match protocol snapshot
match protocol snmp
match protocol socks
match protocol sqlnet
match protocol sqlserver
class-map match-any 14
match protocol vdolive
match protocol vofr
match protocol xwindows
class-map match-any 1
match protocol arp
match protocol bgp
match protocol bridge
match protocol cdp
match protocol citrix
match protocol clns
class-map match-any 2
match protocol clns_es
match protocol clns_is
match protocol cmns
match protocol compressedtcp
match protocol cuseeme
match protocol dhcp
class-map match-any 3
match protocol directconnect
match protocol dns
match protocol egp
match protocol eigrp
match protocol exchange
match protocol finger
class-map match-any 4
match protocol ftp
match protocol gopher
match protocol gre
match protocol h323
match protocol http
match protocol icmp
class-map match-any 5
match protocol imap
match protocol ipinip
match protocol ipsec
match protocol irc
match protocol kerberos
class-map match-any 6
match protocol l2tp
match protocol ldap
match protocol llc2
match protocol mgcp
match protocol netbios
match protocol netshow
class-map match-any 7
match protocol nfs
match protocol nntp
match protocol notes
match protocol novadigm
match protocol ntp
match protocol ospf
class-map match-any 8
match protocol pad
match protocol pcanywhere
match protocol pop3
match protocol pppoe
match protocol pptp
match protocol printer
class-map match-any 9
match protocol rcmd
match protocol rip
match protocol rsrb
match protocol rsvp
match protocol rtcp
match protocol rtp

policy-map police
 class 1
 class 2
 class 3
 class 4
 class 5
 class 6
 class 7
 class 8
 class 9
 class 10
 class 11
 class 12
 class 13
 class 14
 class class-default
  police cir 10000000 bc 312500
   conform-action transmit
   exceed-action drop
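Read together, the thread makes two points: a payload-signature classifier such as NBAR only matches the plaintext BitTorrent handshake described in the question, and bkattan's fallback polices whatever stays "unknown". The following is an added example written for this page (not Cisco's code or any BitTorrent client's); the signatures, both sample payloads and the policer parameters (taken from the cir/bc values in the config above) are constructed, and the obfuscated payload is deterministic pseudo-random bytes, not a real MSE/PHE handshake.

```python
"""Toy model of what a payload-signature classifier such as NBAR sees on a
BitTorrent flow, plus the 'police whatever is unknown' fallback from the thread.
Added example for this page, not Cisco's or any BitTorrent client's code."""
import hashlib
from dataclasses import dataclass, field

# Prefixes a classifier can key on. The plaintext BitTorrent handshake opens with a
# length byte (19) and the literal "BitTorrent protocol"; HTTP stands in for the
# rest of the recognized-protocol list. Constructed for this example.
SIGNATURES = {b"\x13BitTorrent protocol": "bittorrent", b"GET ": "http"}

def classify(payload: bytes) -> str:
    """Return the matched protocol name, or 'unknown' when no signature hits."""
    for prefix, name in SIGNATURES.items():
        if payload.startswith(prefix):
            return name
    return "unknown"

@dataclass
class Policer:
    """Single-rate, single-bucket policer modelled on IOS 'police cir <bps> bc <bytes>'."""
    cir_bps: int
    bc_bytes: int
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)  # bucket starts full

    def offer(self, size: int, dt: float) -> str:
        """Refill for dt seconds since the previous packet, then transmit or drop."""
        self.tokens = min(self.bc_bytes, self.tokens + self.cir_bps / 8 * dt)
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return "drop"

def policy_action(payload: bytes, size: int, policer: Policer, dt: float = 0.0) -> tuple:
    """Reverse logic: a recognized protocol passes untouched; 'unknown' hits the policer."""
    proto = classify(payload)
    if proto != "unknown":
        return proto, "transmit"
    return proto, policer.offer(size, dt)

# Constructed sample payloads (not captured traffic). The second is deterministic
# pseudo-random bytes standing in for an MSE/PHE-obfuscated opening, which has no
# fixed marker for a signature to match.
PLAINTEXT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(40)
OBFUSCATED_STREAM = hashlib.sha256(b"constructed sample").digest() * 3
```

The obfuscated flow is never classified, so it is rate-limited rather than dropped outright, which is exactly the trade-off bkattan describes: unknown traffic is throttled to the policer's rate, not identified.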
