How to block bittorent on a single vlan?

Modesty · Nov 10, 2020, 6:22 PM

Hi

i have in my house a renal flat. They have their own VLAN
192.168.5.0/24 from my ISP. I can see on ntop that they use bittorrent, and this i asume is used as bittorent is ment to be used.

They also use Steam, and that is OK according to my knowledge.

Q: How can I block bittorrenton on that vlan but keep up the other use of the net?

Thanks up front

kiokoman · Nov 10, 2020, 7:30 PM

Suricata and snort have p2p rules
maybe pfblockerng have some blocking list of tracker

johnpoz · Nov 10, 2020, 7:32 PM

bittorrent can be problematic to block to be honest.. Even with openappids, etc.

But per the resident ips guru @bmeeks I don't think you can do it with pfsense gui and ips

https://forum.netgate.com/topic/143353/how-to-script-rules-on-openappid-to-block-torrents

But maybe something has changed recently - I tagged him, he would be the one to ask for sure on how to do something like that.

edit: Yeah a list of trackers might be easier - but then again you can run torrents without trackers.. Its very difficult to block to be honest..

Easiest solution is proxy all your web traffic, and not allow that sort of stuff via the proxy..

bmeeks · Nov 10, 2020, 10:27 PM

One thing that changed this year with Snort is I added the ability to use an inline IPS mode of blocking. This new method lets you selectively drop only packets matching- and thus triggering- a rule instead of blocking at the IP address level. Selective dropping of packets in this manner lets you block specific applications rather than using the more blunt hammer approach of blocking all traffic from the host by blocking its IP address.

So now the caveats....

Inline IPS mode uses the kernel netmap device, and support of that device is very highly NIC hardware driver dependent. Some NICs support it, others don't. The latest package code will display an error and refuse to accept Inline IPS mode on an interface whose NIC is not listed by FreeBSD as supporting netmap operation.
You will see a performance impact when using Inline IPS mode as compared to the older Legacy Mode blocking. How much of an impact depends on the number of rules you have enabled and the CPU horsepower you have. Since Snort is single-threaded, it helps immensely to have a faster core rather than a bunch of slower cores. So a 3.3 GHz 4-core CPU is likely to outperform an 8-core 2.6 GHz CPU, as an example. Different CPU families will also show performance differences.
Lots of network traffic today is encrypted. In fact, most of it is encrypted. This limits the ability of the IDS/IPS to peer into the packet payloads. Thus detection of some stuff is hindered.
Snort offers the OpenAppID feature. This is a Layer 7 inspection engine that can detect many types of application traffic. It detects applications by looking at the initial header exchanges typical of a given application. It's not looking at the encrypted data payload itself. There are detection stubs for many of the popular social media, streaming, and other applications. Information on using OpenAppID can be found in the thread linked by @johnpoz.

johnpoz · Nov 10, 2020, 11:20 PM

And what would you say is the likelyhood of a new person to IPS picking up blocking p2p traffic without too steep of learning curve?

I would hope the openappid could pick up the different applications and block them, without just pure typical https encryption circumventing that.

But I think these apps are pretty freaking sneaky.. When I was involved in this sort of thing - proxy was the way to do it.. And control of the hardware - uses couldn't install shit.. And then there was the whole you get caught going against policy - and your fired ;) This is best deterrent there is ;)

But that is hard to do in such an environment.

bmeeks · Nov 10, 2020, 11:50 PM

Probably hit or miss to catch torrents. Depends on the specific application and whether or not there are OpenAppID rules written for it. OpenAppID requires two things to exist together in order to work. First, the Cisco/Snort team has to provide the correct detector stubs. These are downloaded from the Snort site. Secondly, the user has to have the correct text rules to load and use the OpenAppID stubs from the Snort team. Right now in pfSense those text rules are from a volunteer at a university in Brazil. I don't think he has updated them for quite some time. The actual file is hosted by Netgate, but they do not maintain the content.

So detection of torrents would need both of those things working in order to stand a chance of success. The OpenAppID stuff is a little better at picking up on the social media stuff like Facebook, Twitter, etc.

The best deterrent is the real risk of punishment of some type. For corporate weenies where I worked it was the threat of termination. Depending on the severity of the infraction, you got a warning on your first offense, then time off without pay for your second offense, and finally termination if it happened a third time. Of course certain offenses could go straight to termination. The HR weenies had a euphemism for the non-paid time off punishment. It was called "decision making leave". Ostensibly it was for you to contemplate whether or not you still wanted to work there...

q54e3w · Nov 11, 2020, 7:44 PM

If you were to successfully block the BitTorrent, they could just move to an encrypted VPN connection.
Are you trying to block torrent access because of legal repercussions to you as the account holder, or because you have some issue with the torrent network and its impact on your network? They could be using it for legitimate purposes too.

Modesty · Nov 11, 2020, 8:27 PM

@johnpoz
Is it possible to run ntop as a bridge and do blocking from ntop?
Ntop do show bittorrent activity...

Modesty · Nov 12, 2020, 7:44 PM

@q54e3w said in How to block bittorent on a single vlan?:

Are you trying to block torrent access because of legal repercussions to you as the account holder

Yes!

And, how much bt is leagal compared to opposite? 0,0001%

Well I dont know, anyway, im responsible for traffic on my net, my renters can set me in trouble...

q54e3w · Nov 12, 2020, 11:18 PM

@Modesty How much the protocol is universally used for illegal or legal activities isn't relevant, you're making an assumption of your tenants use which unless you have data, or notices from your ISP could be incorrect. For example, you mention they use Steam, Steam uses the BitTorrent protocol to distribute data between players so they may not be doing anything illegal at all. I would say though that if the legal ramifications are a concern then you should consider having your tenants subscribe to their own service rather sharing yours. Depending on your ISP you might also be breaching your ISPs ToS by providing service to tenants not leaving you in a great defensible position should they be up to no good post gaming.