BitTorrent & copy wright violation notifications from IP-Echelon
-
Install a transparent proxy and monitor it that way….
Block known torrent ports and use wireshark to monitor traffic.
-
Most torrent clients now use random ports and the trackers run on standard HTTPS.
If you're an actual ISP, they you can't be held liable for your users in the USA in most situations. You may just need some legal advise from a real lawyer. And blocking ports for paying customers may land you in a law suit.
-
… blocking ports for paying customers...
What I want to do is identify the clients that are using or are most likely using BitTorrents and assign them a virtual public IP. Only thought on blocking is to get them to tell me they are having trouble with downloads or file sharing and thereby letting me know which clients to give the virutal IPs to. I don't intend to stop or monitor the BitTorrent just give them an IP.
-
Don't you know the MAC addresses of all your client radios?
Match those up with the IPs in the notices. Notify your customers when you get one. Tell them to knock it off. You're done.
It's not your job to be the police force for the copyright holders.
-
IANAL, but I think you can disregard all copyright notice issues unless there is a court order. Copyright notices is just paper with no legal power from one citizen to another. Again, ask a lawyer. I know some ISPs claim that they really don't care and just throw that crap away. But I'm not sure at what point they do need to care.
-
I have received many. Unless there is a repeat offender I just file them. If there is a repeat offender, I let them know I am getting them. That usually stops them or puts them through a VPN. I have never seen them progress past those automated emails.
Usually it's a business and they're happy to be notified someone is torrenting from work.
-
Don't you know the MAC addresses of all your client radios?
Match those up with the IPs in the notices.
edit: Oops, my bad… the notices do not contain the MAC address
This is the rub, the ones who have virtual IPs (under Firewall in pfsense) are a non issue as I can identify them but only if required by court order and then only after giving them notice of the pending actions.
What I don't like is when it is one of the clients that is not assigned a virtual IP and only has IP common to my bridged network. In this case the IP on the notification is the same as the WAN interface on my pfsense, with no current way for me to determine which client is causing the notification.
I have received many. Unless there is a repeat offender…
How are you able to determine which client is responsible for the notification?
thanks for all the replies, plz keep them coming
-
The notification has an IP address. If you don't know what client had that IP at the time of the notification, I can't help you.
-
What I want to do is identify the clients that are using or are most likely using BitTorrents and assign them a virtual public IP. Only thought on blocking is to get them to tell me they are having trouble with downloads or file sharing and thereby letting me know which clients to give the virutal IPs to. I don't intend to stop or monitor the BitTorrent just give them an IP.
Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log. Maybe that will help identify them.
-
The notification has an IP address. If you don't know what client had that IP at the time of the notification, I can't help you.
Unfortunately, its his WAN interface IP he's NATting these torrenters to.
-
Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log. Maybe that will help identify them.
This sounds like a workable solution which is likely to find the majority of the clients I'm looking for. Unfortunately I know no more about writing these rules than I so about snort. But this sounds like something I can research and learn…
Pfsense is versatile and powerful. Even though I've used it for 5 years I feel like I only have a minimum knowledge and consider myself fortunate to be able to get it to do what I need. Now that I need it to do more, I'll have to learn more. And that's a good thing.
-
so how about this:
Don't the BitTorrents normally make multiple connections?
Perhaps something can be done to find these multiple connections?
IDK -
…and only has IP common to my bridged network. In this case the IP on the notification is the same as the WAN interface on my pfsense, with no current way for me to determine which client is causing the notification.
So why do you only have a home user design if you're an ISP?
Isn't the ability to, if necessary, track who did what a part of being an ISP?
What do you do when one of your users engage in more serious criminality and you ARE required by a court order to identify them?
You're at least not helped by only adding BT-traffic logging at that point… ???
-
What do you do when one of your users engage in more serious criminality and you ARE required by a court order to identify them?
No idea what country OP is in but here in the US we don't have mandatory records retention for ISPs.
You can't give them what you don't have. You can truthfully testify you don't have it.
-
I too am beginning to scrutinize my network traffic for various reasons. The approach I'm taking is to buy a switch to do port replication on my WAN ports and funnel that traffic to a Security Onion installation to process all of the data packets. My traffic is nowhere near yours, and the more bandwidth you consume the more infrastructure requirements Security Onion has (disk and RAM primarily).
This way I can inspect and classify all of the packets going across my network and run some metrics. I'll know the disposition of all seven layers and can then start scrutinizing traffic very granularly. In your situation, the Wireshark part of Security Onion should be able to tell you where torrent traffic is originating from and when.
Security Onion is a collection of integrated tools in an Ubuntu distribution.
-
@P3R:
What do you do when one of your users engage in more serious criminality and you ARE required by a court order to identify them?
IF I get a court order I will comply.
-
How if you have no idea what customer is on what IP address?
I'm not saying not knowing is a bad thing, but I like to know what's going on with my networks.
Knowing what's going on and keeping logs longer than necessary for troubleshooting are two different issues. ;)
-
Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log. Maybe that will help identify them.
This sounds like a workable solution which is likely to find the majority of the clients I'm looking for. Unfortunately I know no more about writing these rules than I so about snort. But this sounds like something I can research and learn…
Pfsense is versatile and powerful. Even though I've used it for 5 years I feel like I only have a minimum knowledge and consider myself fortunate to be able to get it to do what I need. Now that I need it to do more, I'll have to learn more. And that's a good thing.