Exemption for Pando Networks BitTorrent activity on Cisco IPS 4255

Apr 23rd, 2010

I'm a network administrator at a university and we use the Cisco IPS 4255 to monitor dorm network traffic. It has worked well for detecting dorm residents who use BitTorrent or Kazaa P2P file sharing applications, and we configured our IPS to shun the user's IP address upon detection. But lately, we have been getting complaints from users that they get disconnected from the Internet (shunned) because they were watching high definition streaming video from legitimate sites such as NBC.com. It turns out that NBC.com uses Pando Networks Media Booster to deliver their streaming TV shows in HD via BitTorrent technology:



We do want to block the P2P application file sharing activity because users could transfer copyrighted music or movie files, but we don't want to block streaming video that utilizes the Pando Networks technology. Has anyone else encountered this problem? Anyone have any suggestions to tackle this problem? I know I can configure exemptions on the IPS sensor policies, but I'm not sure if it is possible to exempt just streaming HD video (Pando Networks technology that uses the BitTorrent protocol).



Panos Kampanakis Fri, 04/23/2010 - 12:19
User Badges: Cisco Employee

One thing to try is to capture the traffic pattern of the Pando app, try to match on a pattern, and have it excluded from being checked against other signatures as soon as it matches the Pando signature.

I hope it makes sense.


wflai Mon, 04/26/2010 - 08:37

Thanks for the suggestion, but it might be too time-consuming to look for the patterns. Anyways, I opened a TAC case and they will check with development to see if they will release IPS signatures to detect Pando Networks BitTorrent traffic...

hickmott1 Mon, 05/03/2010 - 07:17

Hi. I'm the lead client-side programmer at Pando Networks. We'd be happy to help out with this; what do you need to know?

wflai Tue, 05/11/2010 - 09:00

Hi Andrew,

I did a test with my laptop on our dorm network and accessed an HD video at nbc.com to capture the packets via my Cisco IPS 4255 sensor as suggested earlier. I captured 265 MB of traffic of the HD video via the IPS and opened the capture file in Wireshark to look for any unique characteristics of the Pando Media Booster related streaming HD video traffic. I only noticed that the destination port for traffic originating from my laptop went to high ports (above TCP 45,000) and the destination IP addresses go to residential networks (cable or DSL users), which is typical of BitTorrent traffic. I already opened a Cisco TAC case regarding this problem, but the Cisco TAC engineer stated that the Cisco IPS development team has no plans to specifically identify Pando Media Booster HD video BitTorrent traffic--he told me we would need to bring this issue up to our Cisco account team for an enhancement request.

Andrew, since you work for Pando, do you know of any unique characteristics of the Pando HD video BitTorrent traffic (which uses the PMB.exe Windows process on the client computers) that I could use to create a custom signature on my Cisco IPS to exclude this traffic from being blocked?  I think it would be good for Pando to "insert" some unique characteristics if it hasn't done so already to prevent other universities or companies from inadvertently blocking the streaming HD video BitTorrent traffic.  Thanks.
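
One way to look for a distinguishing field in a capture like the one described in this thread, as an added example that is not from any poster, Cisco or Pando: parse the standard BitTorrent handshake out of TCP payloads and tally the client tag carried in the `peer_id`. It assumes the traffic uses the standard 68-byte handshake, which the thread does not confirm; the payloads below and the `-ZZ0001-` tag are constructed placeholders.

```python
import re
from collections import Counter

PSTR = b"BitTorrent protocol"                 # fixed protocol string in the handshake
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # pstrlen + pstr + reserved + info_hash + peer_id
AZ_STYLE = re.compile(rb"^-([A-Za-z]{2})([0-9A-Za-z]{4})-")  # Azureus-style tag, e.g. -UT2040-

def parse_handshake(payload):
    """Return the handshake fields if payload starts with a BitTorrent handshake, else None."""
    if len(payload) < HANDSHAKE_LEN:
        return None
    if payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    return {
        "reserved": payload[20:28],    # extension bits, another candidate field to compare
        "info_hash": payload[28:48],
        "peer_id": payload[48:68],
    }

def client_tag(peer_id):
    """Return client code plus version (e.g. 'UT2040') for Azureus-style peer IDs, else None."""
    m = AZ_STYLE.match(peer_id)
    return (m.group(1) + m.group(2)).decode("ascii") if m else None

def tally_clients(payloads):
    """Count client tags over all payloads that begin with a handshake."""
    counts = Counter()
    for p in payloads:
        hs = parse_handshake(p)
        if hs is None:
            continue                   # not a handshake (HTTP, mid-stream data, ...)
        counts[client_tag(hs["peer_id"]) or "unknown"] += 1
    return counts

def _handshake(peer_id_prefix):
    """Build a constructed handshake with zeroed reserved bytes and info_hash."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + bytes(20) + peer_id_prefix.ljust(20, b"x")

# Constructed sample payloads (first data segment of each TCP flow), not from a real capture.
SAMPLE_PAYLOADS = [
    _handshake(b"-UT2040-"),           # Azureus-style tag
    _handshake(b"-ZZ0001-"),           # placeholder tag standing in for the client of interest
    _handshake(b"-ZZ0001-"),
    _handshake(b"M4-3-6--"),           # non-Azureus-style peer ID, reported as "unknown"
    b"GET /video HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    for tag, n in tally_clients(SAMPLE_PAYLOADS).most_common():
        print(tag, n)
```

If one tag dominates the flows seen while only the streaming video is playing, that byte string at offset 48 of the handshake is a candidate match for a custom signature; if the tags match those of ordinary clients, this field cannot separate the two.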

