NBAR and BitTorrent

Discussion in 'Cisco' started by Ben Horner, Jan 5, 2004.

  1. Ben Horner

    Ben Horner Guest

    I just had a quick thought about BitTorrent and Cisco's NBAR today and I
    was wondering if any of you had any suggestions on how to further refine my
    idea.

    I realised this morning that a great way to block BitTorrent traffic is not
    to block the traffic itself but instead block the .torrent files that the
    downloaders use to connect to the trackers.

    Cisco's NBAR facility can block HTTP URLs with wildcards like this:

    Router(config)#class-map match-any torrents
    Router(config-cmap)#match protocol http url "*.torrent"

    Router(config)#policy-map torrent-requests
    Router(config-pmap)#class torrents
    Router(config-pmap)#drop

    Now I know that BitTorrent is also used for legitimate sharing of files, but
    for people looking for a quick and easy solution I think this should work.
    Any comments?


    Regards
    Ben ;-)
     
    Ben Horner, Jan 5, 2004
    #1

  2. Richard Deal

    Richard Deal Guest

    Ben,

    The more I work with NBAR, the more I'm finding that it's cooler and cooler
    each time. I, too, have used it to block P2P programs. The main concern I
    have with NBAR is CPU and memory utilization--keep a close eye on both
    of these. If these become a problem on your router, then a content filtering
    switch would be a better solution. But being able to run this on even a low
    end router provides a lot of flexibility in defining policies.

    Cheers!

    Richard

    "Ben Horner" <> wrote in message
    news:btbh50$2vq4$...
    > I just had a quick thought about BitTorrent and Cisco's NBAR today and I
    > was wondering if any of you had any suggestions on how to further refine my
    > idea.
    >
    > I realised this morning that a great way to block BitTorrent traffic is not
    > to block the traffic itself but instead block the .torrent files that the
    > downloaders use to connect to the trackers.
    >
    > Cisco's NBAR facility can block HTTP URLs with wildcards like this:
    >
    > Router(config)#class-map match-any torrents
    > Router(config-cmap)#match protocol http url "*.torrent"
    >
    > Router(config)#policy-map torrent-requests
    > Router(config-pmap)#class torrents
    > Router(config-pmap)#drop
    >
    > Now I know that BitTorrent is also used for legitimate sharing of files, but
    > for people looking for a quick and easy solution I think this should work.
    > Any comments?
    >
    > Regards
    > Ben ;-)
     
    Richard Deal, Jan 5, 2004
    #2

  3. Jason Kau

    Jason Kau Guest

    Richard Deal <> wrote:
    > Ben,
    > The more I work with NBAR, the more I'm finding that it's cooler and cooler
    > each time. I, too, have used it to block P2P programs. The main concern I
    > have with NBAR is CPU and memory utilization--keep a close eye on both
    > of these. If these become a problem on your router, then a content filtering
    > switch would be a better solution. But being able to run this on even a low
    > end router provides a lot of flexibility in defining policies.


    What's even cooler are the User-Defined Custom Application Classification
    features introduced in 12.3(4)T:

    http://www.cisco.com/univercd/cc/td...ios122/122newft/122t/122t8/dtnbarad.htm#90179

    12.3(4)T and Later Custom Application Examples
    In the following example, the custom protocol app_sales1 will identify TCP
    packets with a source port of 4567 that contain the term "SALES" in the
    fifth byte of the payload:

    ip nbar custom app_sales1 5 ascii SALES source tcp 4567

    In the following example, the custom protocol virus_home will identify UDP
    packets with a destination port of 3000 that contain "0x56" in the seventh
    byte of the payload:

    ip nbar custom virus_home 7 hex 0x56 dest udp 3000

    In the following example, custom protocol media_new will identify TCP
    packets with a destination or source port of 4500 and that have a value of
    90 at the sixth byte of the payload:

    ip nbar custom media_new 6 decimal 90 tcp 4500

    In the following example, custom protocol msn1 will look for TCP packets
    with a destination or source port of 6700:

    ip nbar custom msn1 tcp 6700

    In the following example, custom protocol mail_x will look for UDP packets
    with a destination port of 8202.

    ip nbar custom mail_x destination udp 8202

    In the following example, custom protocol mail_y will look for UDP packets
    with destination ports between 3000 and 4000 including 3000 and 4000 as
    well as port 5500:

    ip nbar custom mail_y destination udp range 3000 4000 5500

    --
    Jason Kau
    http://www.cnd.gatech.edu/~jkau
     
    Jason Kau, Jan 6, 2004
    #3
  4. Daniel Meyer

    Daniel Meyer Guest

    Hello Ben,

    > I realised this morning that a great way to block BitTorrent traffic is not
    > to block the traffic itself but instead block the .torrent files that the
    > downloaders use to connect to the trackers.


    So I simply DL the torrents at home, put them on disk, take them to the
    company and start the download.

    Blocking the torrents is not enough :)

    Danny
    --
    Whenever, wherever http://www.cyberdelia.de
    We're meant to be together
    I'll be there and you'll be near
    And that's the deal my dear Try it: www.trustix.net
     
    Daniel Meyer, Jan 6, 2004
    #4
  5. Ben Horner

    Ben Horner Guest

    Oh yeah I agree, but I am sure that taking the steps I said would help to at
    least reduce the total amount of BT use. It's definitely not a perfect
    answer. Maybe by using a packet sniffer I could identify a common byte in
    all the packets and use Jason's suggestion of creating a custom NBAR rule
    that acts on ports 6881 - 6999.

    Cheers
    Ben ;-)


    "Daniel Meyer" <> wrote in message
    news:...
    > Hello Ben,
    >
    > > I realised this morning that a great way to block BitTorrent traffic is not
    > > to block the traffic itself but instead block the .torrent files that the
    > > downloaders use to connect to the trackers.
    >
    > So I simply DL the torrents at home, put them on disk, take them to the
    > company and start the download.
    >
    > Blocking the torrents is not enough :)
    >
    > Danny
    > --
    > Whenever, wherever http://www.cyberdelia.de
    > We're meant to be together
    > I'll be there and you'll be near
    > And that's the deal my dear Try it: www.trustix.net
     
    Ben Horner, Jan 6, 2004
    #5
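Ben's follow-up above (#5) wants a byte common to all BitTorrent packets so that the custom-protocol classification Jason quotes in #3 can key on payload instead of port. The example below is added here and is not code from the thread or from Cisco; it shows that logic in Python. The BitTorrent peer handshake, the first thing a peer sends on a new connection, has a fixed signature: a length byte of 19 followed by the ASCII string "BitTorrent protocol", then 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id. A classifier that reads the payload therefore catches the handshake on any port, while the 6881-6999 port rule misses a client on another port and also flags unrelated traffic sent to those ports. The sample payloads, info_hash and peer_id are constructed, and the port range is the one Ben names.

```python
# Added example, not code from the thread: detect the BitTorrent peer
# handshake by its fixed payload signature instead of by TCP port.
# All sample data below is constructed.

# The handshake (BEP 3) begins with one length byte (19) followed by the
# ASCII string "BitTorrent protocol", then 8 reserved bytes, a 20-byte
# info_hash and a 20-byte peer_id: 68 bytes in total.
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # 68

# The port range Ben proposes for a port-based custom rule.
BT_PORT_RANGE = range(6881, 7000)


def parse_bt_handshake(payload: bytes):
    """Return the handshake fields as a dict, or None if this is not a handshake.

    The check is strict (correct length byte, exact protocol string, enough
    bytes for every fixed field); short or malformed input yields None rather
    than an exception so the function can be fed arbitrary payloads.
    """
    if len(payload) < HANDSHAKE_LEN:
        return None
    pstrlen = payload[0]
    if pstrlen != len(PSTR) or payload[1:1 + pstrlen] != PSTR:
        return None
    off = 1 + pstrlen
    return {
        "reserved": payload[off:off + 8],
        "info_hash": payload[off + 8:off + 28].hex(),
        "peer_id": payload[off + 28:off + 48],
    }


def classify_by_port(dst_port: int) -> bool:
    """Port-only rule: true for any flow to 6881-6999, whatever the payload."""
    return dst_port in BT_PORT_RANGE


def classify_by_signature(payload: bytes) -> bool:
    """Payload rule: true when the first bytes carry the handshake signature."""
    return parse_bt_handshake(payload) is not None


def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Construct a well-formed handshake from a 20-byte info_hash and peer_id."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id must be 20 bytes each")
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + info_hash + peer_id


# Constructed samples (hash and peer_id are placeholders, not real values):
# the handshake on a standard port, the same handshake on a non-standard
# port, and a plain HTTP request that happens to go to port 6881.
SAMPLE_HASH = bytes(range(20))
SAMPLE_PEER = b"-XX0001-" + b"0" * 12
SAMPLES = [
    (6881, build_handshake(SAMPLE_HASH, SAMPLE_PEER)),
    (51413, build_handshake(SAMPLE_HASH, SAMPLE_PEER)),
    (6881, b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"),
]


def compare_rules(samples=SAMPLES):
    """Return (ports flagged by the port rule, ports flagged by the signature rule)."""
    port_hits = [port for port, _ in samples if classify_by_port(port)]
    sig_hits = [port for port, data in samples if classify_by_signature(data)]
    return port_hits, sig_hits


if __name__ == "__main__":
    port_hits, sig_hits = compare_rules()
    print("port rule flagged:", port_hits)        # [6881, 6881]: misses 51413, flags HTTP
    print("signature rule flagged:", sig_hits)    # [6881, 51413]: ignores the HTTP request
```

The point for a router rule is the same as for the Python check: the string "BitTorrent" sits at the second byte of the payload of the first packet a peer sends, so a payload-offset match of the `ip nbar custom` kind Jason quotes does not depend on the client keeping to 6881-6999, whereas a port-only rule both misses moved clients and drops anything else that happens to use those ports.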
  6. Walter Roberson

    In article <>, VINH <> wrote:
    :Hi CISCO GURU,
    :Just wondering, does anyone in the group have a suggestion for an ACL that
    :will block out most of the P2P traffic at the router's interface? Thank you
    :in advance.

    I already answered this in your thread, "ACL sample/suggestion".

    But since you've seen fit to post it again, here's the ACL
    we use on our PIX to block unwanted stuff including P2P. Bitwise-complement
    all the netmasks for use with IOS (e.g., 255.255.254.0 would become 0.0.1.255).


    : ICQ/AOL IM
    access-list CSM-acl-Ginside deny ip any 205.188.153.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 205.188.179.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 205.188.248.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 205.188.252.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 205.188.253.0 255.255.255.0
    access-list CSM-acl-Ginside deny tcp any any eq aol

    : MSG Messenger
    access-list CSM-acl-Ginside deny ip any 207.46.110.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any host 207.46.104.20

    : Yahoo instant messenger grg 20020729
    access-list CSM-acl-Ginside deny ip any host 64.58.78.228
    access-list CSM-acl-Ginside deny ip any host 66.163.172.50
    access-list CSM-acl-Ginside deny ip any host 66.163.172.51
    access-list CSM-acl-Ginside deny ip any host 216.136.232.154
    access-list CSM-acl-Ginside deny ip any host 64.58.78.227

    : microsoft messenger
    : e450.voice.microsoft.com. And apparently packets come back from
    : a different IP for 7001.

    : but first exempt hotmail from the ban
    access-list CSM-acl-Ginside permit tcp object-group Ginside_IBD_routable object-group MSN_hotmail_hosts eq www

    : beiming.net chat and other crud
    access-list CSM-acl-Ginside deny ip any host 217.160.24.86

    : c1n.com streaming crud
    access-list CSM-acl-Ginside deny ip any 65.59.116.0 255.255.255.0

    : welovechat.com
    access-list CSM-acl-Ginside deny ip any host 216.234.183.231

    :mp3search.astraweb.com
    access-list CSM-acl-Ginside deny ip any host 207.8.172.80

    : www.zeropaid.com
    access-list CSM-acl-Ginside deny ip any host 209.126.159.86

    : www.blubster.com
    access-list CSM-acl-Ginside deny ip any host 216.40.243.204

    : cage.hlserver.com (hotline)
    access-list CSM-acl-Ginside deny ip any host 216.191.56.39

    : www.winmx.com - tcp 7950 -> 7952
    access-list CSM-acl-Ginside deny ip any host 216.187.105.102
    access-list CSM-acl-Ginside deny ip any 64.49.201.0 255.255.255.0
    : 206.142.53 also brilliantdigital
    access-list CSM-acl-Ginside deny ip any 206.142.53.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any host 66.11.167.171
    access-list CSM-acl-Ginside deny ip any host 66.11.167.177
    access-list CSM-acl-Ginside deny ip any host 66.11.167.178
    access-list CSM-acl-Ginside deny ip any host 64.246.36.73

    : limewire.com
    access-list CSM-acl-Ginside deny ip any host 64.225.46.58

    : listen4ever.com
    access-list CSM-acl-Ginside deny ip any host 61.166.69.54

    : www.limewire.com
    access-list CSM-acl-Ginside deny ip any host 64.61.25.138

    : biiiig bytecnts to this.. www.changyuan.com.cn
    access-list CSM-acl-Ginside deny ip any host 202.99.174.186

    : phex.kouk.de
    access-list CSM-acl-Ginside deny ip any host 212.227.118.93

    : www.getqube.com
    access-list CSM-acl-Ginside deny ip any host 24.62.51.36

    : www.grokster.com
    access-list CSM-acl-Ginside deny ip any host 64.246.10.187
    access-list CSM-acl-Ginside deny ip any host 66.51.127.241
    access-list CSM-acl-Ginside deny ip any host 66.51.127.242

    : www.urlblaze.com
    access-list CSM-acl-Ginside deny ip any host 216.117.25.210

    : napster
    access-list CSM-acl-Ginside deny ip any 208.49.239.240 255.255.255.240
    access-list CSM-acl-Ginside deny ip any 208.184.216.0 255.255.255.0

    : Kazaa and Morpheus -- and audiogalaxy too
    access-list CSM-acl-Ginside deny ip any 64.245.58.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 64.245.59.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any host 213.248.107.10
    access-list CSM-acl-Ginside deny ip any 213.248.112.0 255.255.255.0
    access-list CSM-acl-Ginside deny udp any any eq 1214
    access-list CSM-acl-Ginside deny tcp any any eq 1214

    : gnucleus.net
    : GAH! it's on sourceforge and blocks a lot of decent stuff.
    :access-list CSM-acl-Ginside deny ip any host 216.136.171.204

    : MP3.com|mp3.org, etc etc etc
    access-list CSM-acl-Ginside deny ip any 63.241.16.0 255.255.248.0

    access-list CSM-acl-Ginside deny ip any 208.48.67.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any host 209.102.214.25
    access-list CSM-acl-Ginside deny ip any host 66.163.193.26
    access-list CSM-acl-Ginside deny ip any host 203.30.164.23
    access-list CSM-acl-Ginside deny ip any host 209.25.238.166
    access-list CSM-acl-Ginside deny ip any host 213.239.135.8
    access-list CSM-acl-Ginside deny ip any host 66.28.45.75

    : spinner.com
    access-list CSM-acl-Ginside deny ip any 205.188.245.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 205.188.247.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any host 205.188.228.18

    : radio-locator.com
    access-list CSM-acl-Ginside deny ip any host 140.239.230.220

    : radiofreevirgin.com
    access-list CSM-acl-Ginside deny udp any any eq 9569
    access-list CSM-acl-Ginside deny ip any 66.28.237.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 66.215.213.0 255.255.255.0

    : chinagames.net
    access-list CSM-acl-Ginside deny ip any 218.17.224.0 255.255.255.0

    : shoutcast
    access-list CSM-acl-Ginside deny ip any host 205.188.234.88

    : mediaxtranet.net
    access-list CSM-acl-Ginside deny ip any host 64.200.89.51

    : live356.com
    access-list CSM-acl-Ginside deny ip any host 66.28.48.170
    access-list CSM-acl-Ginside deny ip any host 66.28.48.201

    : fconline.com|streamingmedia.com
    access-list CSM-acl-Ginside deny ip any host 64.29.198.31

    : more gnutella
    access-list CSM-acl-Ginside deny udp any any range 6346 6350
    access-list CSM-acl-Ginside deny tcp any any range 6346 6350

    : edonkey, site and ports
    access-list CSM-acl-Ginside deny tcp any host 64.157.92.72
    access-list CSM-acl-Ginside deny tcp any any range 4661 4662
    access-list CSM-acl-Ginside deny udp any any eq 4665

    : brilliantdigital.com, p2p and potential mal-ware
    access-list CSM-acl-Ginside deny ip any host 64.70.38.178

    : more brilliantdigital (added 20030213)
    : 206.142.53 already done in winmx
    :access-list CSM-acl-Ginside deny ip any 206.142.53.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 64.70.38.160 255.255.255.224
    access-list CSM-acl-Ginside deny ip any 64.60.8.160 255.255.255.224
    access-list CSM-acl-Ginside deny ip any host 217.116.227.250
    access-list CSM-acl-Ginside deny ip any host 63.196.54.245

    : msn.com music
    access-list CSM-acl-Ginside deny ip any host 207.68.177.60

    : jabber
    access-list CSM-acl-Ginside deny tcp any any eq 5222
    access-list CSM-acl-Ginside deny tcp any any eq 5269

    : gator.com [SPYWARE]
    access-list CSM-acl-Ginside deny ip any 64.94.89.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 204.238.120.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 64.162.206.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 63.197.87.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 216.30.17.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 208.184.198.0 255.255.255.128
    access-list CSM-acl-Ginside deny ip any 216.141.76.128 255.255.255.248
    access-list CSM-acl-Ginside deny ip any 64.152.73.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 66.35.229.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 64.152.64.0 255.255.255.0

    : http-tunnel.com, bypasses firewalls for many services
    : website first, proxies next.
    access-list CSM-acl-Ginside deny ip any host 63.217.26.14
    access-list CSM-acl-Ginside deny ip any host 206.161.123.160
    access-list CSM-acl-Ginside deny ip any host 205.252.49.1
    access-list CSM-acl-Ginside deny ip any host 63.217.29.193
    access-list CSM-acl-Ginside deny ip any host 206.161.123.161
    access-list CSM-acl-Ginside deny ip any host 205.252.49.2
    access-list CSM-acl-Ginside deny ip any host 63.217.29.194

    : [paid1|free1].http-tunnel.com aren't on the status page but do exist.
    access-list CSM-acl-Ginside deny ip any host 63.218.224.132
    access-list CSM-acl-Ginside deny ip any host 63.218.224.133

    : cydoor
    access-list CSM-acl-Ginside deny ip any host 209.10.17.133
    access-list CSM-acl-Ginside deny ip any 209.73.225.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any host 212.29.215.3
    access-list CSM-acl-Ginside deny ip any host 209.11.42.240

    : more music sharing
    access-list CSM-acl-Ginside deny tcp any any eq 5000

    : various online games (quake, unreal, et al)
    access-list CSM-acl-Ginside deny udp any any range 27000 29000

    : triangle boy website, must find how to block TB proxies.. grg 20020723
    access-list CSM-acl-Ginside deny ip any host 216.131.94.132

    :doubleclick
    access-list CSM-acl-Ginside deny ip any 63.160.54.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 63.166.98.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 63.168.198.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 63.85.84.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 64.213.215.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 65.192.164.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 199.95.206.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 199.95.207.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 199.95.208.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 199.95.209.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 199.95.210.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 204.176.177.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 205.138.3.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 205.150.6.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 206.65.183.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 208.32.211.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 208.184.29.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 208.203.243.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 208.211.225.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 208.228.86.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 209.67.38.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 209.167.19.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 209.167.4.0 255.255.255.0
    access-list CSM-acl-Ginside deny ip any 209.167.79.0 255.255.255.0

    : friendgreetings.com "worm", see
    :http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html
    access-list CSM-acl-Ginside deny ip any host 207.21.232.104
    access-list CSM-acl-Ginside deny ip any host 65.89.168.69
    access-list CSM-acl-Ginside deny ip any 216.34.38.64 255.255.255.192
    access-list CSM-acl-Ginside deny ip any host 216.65.63.139

    : activex viruslike crud, see http://zdnet.com.com/2100-1105_2-1026228.html
    access-list CSM-acl-Ginside deny ip any 216.187.107.0 255.255.255.0

    : www.freescratchandwin.com <- spyware, logger, hijacker.
    access-list CSM-acl-Ginside deny ip any 206.161.193.0 255.255.255.0
    --
    Will you ask your master if he wants to join my court at Camelot?!
     
    Walter Roberson, Jan 31, 2004
    #6
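Walter's instruction to bitwise-complement every netmask when moving his PIX ACL to IOS is mechanical enough to script, and scripting it avoids the one-bit slips that turn a deny into a hole. The converter below is an added example, not part of the post and not a Cisco tool: each PIX `access-list NAME ...` line becomes an entry under an IOS `ip access-list extended NAME`, dotted netmasks become wildcard masks, PIX comment lines (`:`) become `remark` lines in their original position (so the commented-out gnucleus entry stays disabled), and anything the converter cannot express in classic IOS syntax, such as the object-group line, is kept as a remark rather than silently dropped. The aol-to-5190 port-name table and the 100-character remark limit are assumptions of the example; the sample input is a handful of lines copied from the post.

```python
# Added example, not from the thread: convert Walter's PIX-style ACL into
# IOS named extended ACL configuration, complementing each netmask into the
# wildcard mask IOS expects (255.255.254.0 -> 0.0.1.255).
import ipaddress
import re

# PIX accepts service names that IOS extended ACLs do not; map them to port
# numbers. This table is an assumption of the example (aol = 5190 on PIX).
PIX_ONLY_PORT_NAMES = {"aol": "5190"}

# IOS caps an ACL remark at 100 characters (assumed here; check your release).
REMARK_MAX = 100

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.*)$"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def netmask_to_wildcard(mask: str) -> str:
    """Bitwise complement of a dotted netmask: 255.255.254.0 -> 0.0.1.255."""
    value = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(value ^ 0xFFFFFFFF))


def _remark(text: str) -> str:
    """An IOS 'remark' line, truncated to the assumed platform limit."""
    return " remark " + text[:REMARK_MAX]


def convert_entry(match) -> str:
    """Rewrite one matched PIX entry as an IOS named-ACL entry.

    'addr mask' pairs become 'addr wildcard'; 'host X', 'any' and 'range A B'
    pass through; PIX-only port names after 'eq' are mapped to numbers.
    Entries that reference object-groups have no equivalent here and are
    emitted as remarks so they are not lost.
    """
    action, proto = match.group("action"), match.group("proto")
    rest = match.group("rest").split()
    if "object-group" in rest:
        return _remark("UNCONVERTED (object-group): " + match.group(0))
    out, i = [], 0
    while i < len(rest):
        tok = rest[i]
        nxt = rest[i + 1] if i + 1 < len(rest) else None
        if tok == "host" and nxt is not None:
            out += [tok, nxt]
            i += 2
        elif IPV4_RE.fullmatch(tok) and nxt is not None and IPV4_RE.fullmatch(nxt):
            out += [tok, netmask_to_wildcard(nxt)]
            i += 2
        elif tok == "eq" and nxt is not None:
            out += [tok, PIX_ONLY_PORT_NAMES.get(nxt, nxt)]
            i += 2
        else:
            out.append(tok)
            i += 1
    return f" {action} {proto} {' '.join(out)}"


def convert_acl(pix_text: str):
    """Convert PIX ACL text into IOS config lines, one named ACL per PIX name.

    PIX comments (':' lines, including commented-out entries) are kept as
    remarks in their original position so the operator's notes survive.
    """
    per_name = {}      # ACL name -> its remark and entry lines, in order
    pending = []       # remarks seen since the previous entry
    for raw in pix_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            pending.append(_remark(line[1:].strip()))
            continue
        match = ACL_RE.match(line)
        if match is None:
            pending.append(_remark("UNCONVERTED: " + line))
            continue
        bucket = per_name.setdefault(match.group("name"), [])
        bucket.extend(pending)
        pending.clear()
        bucket.append(convert_entry(match))
    if pending and per_name:            # trailing comments after the last entry
        list(per_name.values())[-1].extend(pending)
    lines = []
    for name, body in per_name.items():
        lines.append(f"ip access-list extended {name}")
        lines.extend(body)
    return lines


# Sample input: a few lines copied from the post (the object-group line is
# included to show the unconvertible case).
SAMPLE_PIX_ACL = """\
: ICQ/AOL IM
access-list CSM-acl-Ginside deny ip any 205.188.153.0 255.255.255.0
access-list CSM-acl-Ginside deny tcp any any eq aol

: but first exempt hotmail from the ban
access-list CSM-acl-Ginside permit tcp object-group Ginside_IBD_routable object-group MSN_hotmail_hosts eq www

: napster
access-list CSM-acl-Ginside deny ip any 208.49.239.240 255.255.255.240

: gnucleus.net
:access-list CSM-acl-Ginside deny ip any host 216.136.171.204

: more gnutella
access-list CSM-acl-Ginside deny udp any any range 6346 6350
"""

if __name__ == "__main__":
    print("\n".join(convert_acl(SAMPLE_PIX_ACL)))
```

Run it over the full list from the post and read the `UNCONVERTED` remarks before pasting: the hotmail exemption in particular needs rewriting by hand, because on IOS the `permit` must still precede the denies it is meant to exempt, and the converter preserves order but cannot expand the object-groups for you.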
  7. VINH

    VINH Guest

    Hi CISCO GURU,
    Just wondering, does anyone in the group have a suggestion for an ACL that
    will block out most of the P2P traffic at the router's interface? Thank you
    in advance.

    VIN
    --
    Posted via http://www.mcse.m
    View this thread: http://www.mcse.ms/message244639.htm
     
    VINH, Jan 31, 2004
    #7
  8. VINH

    VINH Guest

    VINH, Feb 1, 2004
    #8
