How to detect P2P traffic and block it using pfSense
-
Dear Users,
ISP has informed us that someone in our corporate network is downloading copyrighted material.
I know that some probes such as Snort/Suricata could help me intercept and block such traffic, but since such services have not been activated yet, I would like to ask if it is possible to intercept and block such traffic using pfSense. For example, the standard ports used by BitTorrent are 6881-6999.
How can I see which LAN IP has connections to those ports? I thank you in advance.
Mauro -
Check the state table in Diag > States if the connections are active.
-
hello @stephenw10 , welcome back.
it seems that new p2p clients are not using standard ports.
how can I detect p2p traffic and identify the PC running the p2p client on my LAN? Did you already face this problem?
Thanks,
Mauro -
You can try using Snort with OpenAppID to identify it, but that depends entirely on the signatures matching it. P2P clients often deliberately hide their traffic, making it difficult to identify. The sheer volume of traffic to a particular internal IP can be telling, depending on what traffic is common from clients on your network.
-
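The "volume to one internal IP" heuristic above can be checked against the pf state table (Diag > States, or `pfctl -ss` on the shell). The script below is an added example written for this thread, not code from any poster or from pfSense: it counts, per LAN host, how many distinct remote peers it currently holds states with, and flags hosts above a threshold. The state lines are constructed samples in the simplified non-NAT `pfctl -ss` layout; IPv4 only, and the NAT form with the original address in parentheses is not handled.

```shell
#!/bin/sh
# Added example (not from the thread): rank LAN hosts by how many distinct
# remote peers they currently hold pf states with. One host talking to
# dozens of peers on arbitrary high ports is the "sheer volume" pattern
# worth a closer look. On pfSense the live input is `pfctl -ss` (the same
# data as Diagnostics > States); the lines below are CONSTRUCTED samples in
# the simplified "iface proto src:port -> dst:port state" layout of non-NAT
# states. Assumptions: IPv4 only (addresses are split on ':'), and NAT'd
# states, which pfctl prints with the original address in parentheses, are
# not handled.
SAMPLE_STATES='em0 tcp 192.168.1.10:51234 -> 203.0.113.5:6881 ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.10:6881 -> 198.51.100.7:41234 MULTIPLE:MULTIPLE
em0 tcp 192.168.1.10:51240 -> 198.51.100.9:51413 ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.10:6881 -> 203.0.113.77:6881 MULTIPLE:MULTIPLE
em0 tcp 192.168.1.20:49152 -> 203.0.113.50:443 ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.20:49153 -> 203.0.113.50:443 ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.30:5353 -> 224.0.0.251:5353 SINGLE:NO_TRAFFIC'

# peers_per_host LAN_PREFIX
# Reads state lines on stdin; prints "<distinct peer count> <lan ip>" for
# every source address starting with LAN_PREFIX, busiest host first.
peers_per_host() {
  awk -v p="$1" '
    index($3, p) == 1 && $4 == "->" {
      split($3, s, ":"); split($5, d, ":")        # s[1] = LAN ip, d[1] = peer ip
      key = s[1] SUBSEP d[1]
      if (!(key in seen)) { seen[key] = 1; n[s[1]]++ }   # count each peer once
    }
    END { for (h in n) print n[h], h }' | sort -rn
}

# flag_hosts LAN_PREFIX THRESHOLD
# Prints only the LAN addresses whose distinct peer count reaches THRESHOLD.
flag_hosts() {
  peers_per_host "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed sample; on pfSense use, for example:
#   pfctl -ss | flag_hosts 192.168.1. 20
printf '%s\n' "$SAMPLE_STATES" | peers_per_host 192.168.1.
printf '%s\n' "$SAMPLE_STATES" | flag_hosts 192.168.1. 3
```

Counting distinct peers rather than raw states matters: a browser with twenty states to one CDN address is normal, while one host with many single states to many unrelated addresses is the shape P2P clients produce regardless of which ports they pick.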
@stephenw10 many thanks for your helpful answer.
I think I was able to manage it.
Snort is detecting P2P traffic as expected. Do you think there is a way to receive a notification mail when a P2P rule is fired (or a P2P event is detected)?
Thank you in advance,
Mauro -
I fire off the following scripts after midnight to get an email of the previous day's Snort alerts:
# count of yesterday's alerts per signature message (field 5 of the CSV alert line), most frequent first (numeric sort, so 10 ranks above 9)
grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -rn ; echo
# the full alert lines for yesterday
grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert ; echo
You would need to change snort_pppoe* to be your LAN interface folder.
-
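The nightly one-liner above answers "which rules fired"; the original question also asked which PC on the LAN is running the client. The script below is an added example for this thread, not the poster's script and not part of pfSense: it keeps the same CSV alert layout (timestamp,gid,sid,rev,msg,proto,src,srcport,dst,dstport,...) and adds a per-source-address summary of P2P alerts plus a date helper that works with both BSD `date` (pfSense) and GNU `date`. The alert lines, sids and rule messages are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script): summarize one day of pfSense Snort
# alerts by signature message and by LAN source address, so the report says
# both which P2P rules fired and which internal PC triggered them. The lines
# below are CONSTRUCTED samples in the CSV layout the posted one-liner assumes
# (timestamp,gid,sid,rev,msg,proto,src,srcport,dst,dstport,...); the sids and
# messages are placeholders, not real rules. Live input on pfSense is
# /var/log/snort/snort_<iface>*/alert. Like the posted one-liner this splits
# on commas, so a message containing a comma would shift the fields.
SAMPLE_ALERTS='03/14/23-09:12:01.123456 ,1,9000001,1,"P2P BitTorrent peer sync",TCP,192.168.1.10,51234,203.0.113.5,6881,1,Potential Corporate Privacy Violation,1
03/14/23-09:13:44.000001 ,1,9000001,1,"P2P BitTorrent peer sync",TCP,192.168.1.10,51240,198.51.100.9,51413,1,Potential Corporate Privacy Violation,1
03/14/23-10:02:10.555555 ,1,9000002,1,"P2P BitTorrent DHT ping request",UDP,192.168.1.10,6881,198.51.100.7,41234,1,Potential Corporate Privacy Violation,1
03/14/23-11:30:00.000000 ,1,9000003,1,"WEB suspicious user agent",TCP,192.168.1.20,49153,203.0.113.50,80,1,Potentially Bad Traffic,2
03/13/23-23:59:59.999999 ,1,9000001,1,"P2P BitTorrent peer sync",TCP,192.168.1.30,40000,203.0.113.8,6881,1,Potential Corporate Privacy Violation,1'

# alerts_by_msg MM/DD/YY
# Reads alert lines on stdin; prints "<count> <message>" for that day,
# most frequent first (numeric sort, so 10 ranks above 9).
alerts_by_msg() {
  grep "^$1" | awk -F, '{ n[$5]++ } END { for (m in n) print n[m], m }' | sed 's/"//g' | sort -rn
}

# p2p_sources MM/DD/YY
# Same input; counts only alerts whose message mentions P2P, keyed by the
# source address (field 7), i.e. the LAN host running the client.
p2p_sources() {
  grep "^$1" | awk -F, '$5 ~ /P2P/ { n[$7]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# yesterday: MM/DD/YY for the previous day on BSD date (pfSense) or GNU date.
yesterday() {
  date -v-1d +%D 2>/dev/null || date -d yesterday +%D
}

# Stand-alone demo on the constructed sample; on pfSense, e.g. from a cron job:
#   cat /var/log/snort/snort_pppoe*/alert | p2p_sources "$(yesterday)"
printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_msg 03/14/23
printf '%s\n' "$SAMPLE_ALERTS" | p2p_sources 03/14/23
```

The `yesterday` helper tries the BSD `-v-1d` form first and falls back to GNU `-d yesterday`, so the same script runs on the pfSense box and on a Linux log host. Filtering on the message text (`/P2P/`) is deliberately coarse; narrowing it to specific sids is the usual next step once you know which rules actually fire on your network.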
NTOPng as well might be able to detect the traffic.
-
@nogbadthebad thank you very much, I like this kind of solution
-
@michmoor sure, you are right, I will install it as soon as possible.
-
@mauro-tridici said in How to detect P2P traffic and block it using pfSense:
how can I detect p2p traffic and identify the PC running p2p client on my LAN?
If a universal answer to that question was known, the issue wouldn't exist
Think of it : how can you - or for that matter, the ISP, know what was downloaded ?
If the traffic was non encrypted (non TLS) then, with recent equipment, any type of data traffic = content could be intercepted and 'scanned' real time, and you could handle upon reception and emission of any suspected data.
These days are over .... no sane person uses non-TLS traffic these days (right ?). So the data packet or payload in an Ethernet packet is pure random data.
The only known info, visible to pfSense, is the source and destination IP and the source and destination ports. What your ISP actually does: they download all known files from everywhere. If they find a user that uses one of their IPs, then they nail you.
Most p2p programs do not only download, they also share with the world the content that they just downloaded.
It's the fact that a user also shares (offers to others) illegal content that is forbidden. That is, IMHO, how things work in the country where I live: France.
A p2p program is not IP bound, they can use any possible IP, and a p2p can use any port it wants. So : pfSense has little or no way to know if traffic is p2p traffic.
If you can find a list with 'known' p2p IPs .... I doubt such a list really exists. If so: add the list to pfblockerng-devel and you're done. Again: the fact that the 'ISP' was able to download a file from a PC hidden behind your WAN IP was probably the reason they warned you.
I have no issue whatsoever if a co worker downloads whatever using the company network.
But if I see that he didn't use a VPN, I'll fire him on the spot.
I don't tell people (co-workers, clients using the captive portal) anymore that I can use 'my' pfSense to scan their traffic: because I don't do that (anymore) and because I can't do that anymore. Btw: if you have a big company and many co-workers, I can't tell "how you could find out who is doing what on the Internet" ...
I'm there to keep the pipe open. Not to control what's in it. A solution exists: let pfSense be your company's proxy.
Inform (set up) all connected devices that need internet access that they should use this proxy. pfSense will now do all the internet requests on behalf of all these clients. So the clients use TLS (or not) to connect to the proxy. The TLS encryption is undone on pfSense, and pfSense opens for the client another TLS (or not) connection to the intended server. The answer back follows the same route, backwards. On pfSense, the traffic is now available for a moment in a non-encrypted state: you can have the content scanned. Unknown ports and protocols are not handled: p2p won't work anymore.
It's hard to put in place, and harder to maintain. -
@gertjan many thanks for that good explanation.
I really appreciated it. I will save it in my notes :) Have a good day
Mauro -
@gertjan said in How to detect P2P traffic and block it using pfSense:
pfSense has little or no way to know if traffic is p2p traffic
The OpenAppID feature in Snort can identify many types of p2p traffic. It works by analyzing the initial set of handshake packets that happen between a p2p client and server. Some of that data is currently not encrypted (similar to SNI with TLS). So, Snort can likely identify p2p traffic from any IP address by sensing the session setup. But of course it cannot see the actual "content" of the downloaded or uploaded data that happens within the session. It knows a p2p connection was established and something was transferred, but not what was transferred. It might have been simply a Linux distro ISO installer image, or it might have been a pirated copy of "Avatar: The Way of Water".
The way most of these copyright violation notifications work is that third-party firms are paid by the content owners to essentially set up p2p honeypots. When p2p clients from around the world connect and attempt to download, those connecting clients also offer up their locally "shared" files for upload. This is how these firms determine a particular IP address is sharing copyrighted content. They then use the IP address to identify the ISP and start the notification letters. Many folks refer to these companies as "copyright trolls".
-
@bmeeks
Wow, man, thanks.
Reading your posts is like reading Wikipedia articles ... that strange feeling that new neurons were allocated in my head with new info .... (was called learning in the past) this feels good. I still doubt that an app on some PC somewhere on some LAN will 'cooperate' by having its activity detected by some upstream device running Snort and the OpenAppID detector.
I should really try it out, as I have, in theory, a device (4100 MAX) that would be able to do so. -
@gertjan said in How to detect P2P traffic and block it using pfSense:
I still doubt that an app on some PC somewhere on some LAN will 'cooperate' by having its activity detected by some upstream device running Snort and the OpenAppID detector.
I should really try it out, as I have, in theory, a device (4100 MAX) that would be able to do so.
It is a cat and mouse game between the p2p software developers and the IDS/IPS Layer 7 detection software developers. The goal of p2p is to "elude" detection, and the goal of stuff like OpenAppID is to "detect" p2p. Currently there are some things that do still happen in the clear during initial session setup, and that allows detection. Of course tomorrow some p2p variant will make a change to foil that detection, and then the OpenAppID folks will respond. So, back and forth the game continues.