BitTorrent & copy wright violation notifications from IP-Echelon



  • I run a WISP with a couple hundred clients and use pfsense as my everything.  Network is bridged to the clients radios which route to their connections which makes double NAT on their end.  I've got some public IP's which I use as virtual IP's to specific clients but not enough to give each of my clients their own.

    a couple years ago I was getting these violation notifications, maybe 10 or 20 and that's when I started with the virtual IPs.  Nothing came of it to me or any of my clients as the case was dismissed.

    No issues with violation notifications for a couple years and now they have started again.  the violations are a result of BitTorrent.

    I would like to assign my public IP's to the clients that are most likely to be involved in these notifications.  Dual purpose:  I can warn them before they engage in activities that may draw this unwanted attention.  Identify them if they do.

    IF there is a way to block the BitTorrents which are likely to be involved in activities that may lead to a notification I'd like to do that. 
    Maybe I can block all BitTorrent traffic and if a client contacts me I can turn them on in a case by case and then give them a virtual IP.

    I'm looking for ideas and asking for help please.



  • Have you installed the BandwidthD package?  It could help identify who the folks sucking up the most bandwidth are, which may help narrow your list of possible Torrent users.

    You could probably configure snort to sniff only, and get some more clues there.  I haven't done it, yet.  You may want to search the the IDS section of the forum.  You may find an answer there.


  • Banned

    Run them all in different vlan's and then you can tell excatly how much they use and when



  • @almabes:

    Have you installed the BandwidthD package? …

    You could probably configure snort to sniff only, and get some more clues there.  I haven't done it, yet.  You may want to search the the IDS section of the forum.  You may find an answer there.

    I use BandwidthD but cannot tell the difference between folks watching NetFlix and torrents.  Maybe if there was a filter on Bandwidth to filter for various types of traffic I could dig a little deeper.

    Don't know a thing about snort, read up on it but didn't really get it.  Saw a lot about the finer things of snort but I don't have the revelation on it in the very broadest sense.

    I will search IDS… thx



  • @Supermule:

    Run them all in different vlan's and then you can tell excatly how much they use and when

    I'm guessing you believe that know how much folks use will help me identify possible violators, but I'm not so sure.  More of my clients use netflix and other streaming video services that consume more data than BitTorrents.  I've got folks that use 50Gigs a day with the average being 2-8Gigs a day.

    I think the key is to identify the BitTorrent traffic itself but don't know how to do this.


  • Banned

    Install a transparent proxy and monitor it that way….

    Block known torrent ports and use wireshark to monitor traffic.



  • Most torrent clients now use random ports and the trackers run on standard HTTPS.

    If you're an actual ISP, they you can't be held liable for your users in the USA in most situations. You may just need some legal advise from a real lawyer. And blocking ports for paying customers may land you in a law suit.



  • @Harvy66:

    … blocking ports for paying customers...

    What I want to do is identify the clients that are using or are most likely using BitTorrents and assign them a virtual public IP.  Only thought on blocking is to get them to tell me they are having trouble with downloads or file sharing and thereby letting me know which clients to give the virutal IPs to.  I don't intend to stop or monitor the  BitTorrent just give them an IP.


  • Netgate

    Don't you know the MAC addresses of all your client radios?

    Match those up with the IPs in the notices.  Notify your customers when you get one.  Tell them to knock it off.  You're done.

    It's not your job to be the police force for the copyright holders.



  • IANAL, but I think you can disregard all copyright notice issues unless there is a court order. Copyright notices is just paper with no legal power from one citizen to another. Again, ask a lawyer. I know some ISPs claim that they really don't care and just throw that crap away. But I'm not sure at what point they do need to care.


  • Netgate

    I have received many.  Unless there is a repeat offender I just file them.  If there is a repeat offender, I let them know I am getting them.  That usually stops them or puts them through a VPN.  I have never seen them progress past those automated emails.

    Usually it's a business and they're happy to be notified someone is torrenting from work.



  • @Derelict:

    Don't you know the MAC addresses of all your client radios?

    Match those up with the IPs in the notices.

    edit: Oops, my bad… the notices do not contain the MAC address

    This is the rub, the ones who have virtual IPs (under Firewall in pfsense) are a non issue as I can identify them but only if required by court order and then only after giving them notice of the pending actions.

    What I don't like is when it is one of the clients that is not assigned a virtual IP and only has IP common to my bridged network.  In this case the IP on the notification is the same as the WAN interface on my pfsense, with no current way for me to determine which client is causing the notification.

    @Derelict:

    I have received many.  Unless there is a repeat offender…

    How are you able to determine which client is responsible for the notification?

    thanks for all the replies, plz keep them coming


  • Netgate

    The notification has an IP address.  If you don't know what client had that IP at the time of the notification, I can't help you.



  • What I want to do is identify the clients that are using or are most likely using BitTorrents and assign them a virtual public IP.  Only thought on blocking is to get them to tell me they are having trouble with downloads or file sharing and thereby letting me know which clients to give the virutal IPs to.  I don't intend to stop or monitor the  BitTorrent just give them an IP.

    Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log.  Maybe that will help identify them.



  • @Derelict:

    The notification has an IP address.  If you don't know what client had that IP at the time of the notification, I can't help you.

    Unfortunately, its his WAN interface IP he's NATting these torrenters to.



  • @almabes:

    Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log.  Maybe that will help identify them.

    This sounds like a workable solution which is likely to find the majority of the clients I'm looking for.  Unfortunately I know no more about writing these rules than I so about snort.  But this sounds like something I can research and learn…

    Pfsense is versatile and powerful.  Even though I've used it for 5 years I feel like I only have a minimum knowledge and consider myself fortunate to be able to get it to do what I need.  Now that I need it to do more, I'll have to learn more. And that's a good thing.



  • so how about this:

    Don't the BitTorrents normally make multiple connections? 
    Perhaps something can be done to find these multiple connections?
    IDK



  • @charlesa920:

    …and only has IP common to my bridged network.  In this case the IP on the notification is the same as the WAN interface on my pfsense, with no current way for me to determine which client is causing the notification.

    So why do you only have a home user design if you're an ISP?

    Isn't the ability to, if necessary, track who did what a part of being an ISP?

    What do you do when one of your users engage in more serious criminality and you ARE required by a court order to identify them?

    You're at least not helped by only adding BT-traffic logging at that point… ???


  • Netgate

    What do you do when one of your users engage in more serious criminality and you ARE required by a court order to identify them?

    No idea what country OP is in but here in the US we don't have mandatory records retention for ISPs.

    You can't give them what you don't have.  You can truthfully testify you don't have it.



  • I too am beginning to scrutinize my network traffic for various reasons.  The approach I'm taking is to buy a switch to do port replication on my WAN ports and funnel that traffic to a Security Onion installation to process all of the data packets.  My traffic is nowhere near yours, and the more bandwidth you consume the more infrastructure requirements Security Onion has (disk and RAM primarily).

    This way I can inspect and classify all of the packets going across my network and run some metrics.  I'll know the disposition of all seven layers and can then start scrutinizing traffic very granularly.  In your situation, the Wireshark part of Security Onion should be able to tell you where torrent traffic is originating from and when.

    Security Onion is a collection of integrated tools in an Ubuntu distribution.



  • @P3R:

    What do you do when one of your users engage in more serious criminality and you ARE required by a court order to identify them?

    IF I get a court order I will comply.


  • Netgate

    How if you have no idea what customer is on what IP address?

    I'm not saying not knowing is a bad thing, but I like to know what's going on with my networks.

    Knowing what's going on and keeping logs longer than necessary for troubleshooting are two different issues.  ;)



  • @charlesa920:

    @almabes:

    Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log.  Maybe that will help identify them.

    This sounds like a workable solution which is likely to find the majority of the clients I'm looking for.  Unfortunately I know no more about writing these rules than I so about snort.  But this sounds like something I can research and learn…

    Pfsense is versatile and powerful.  Even though I've used it for 5 years I feel like I only have a minimum knowledge and consider myself fortunate to be able to get it to do what I need.  Now that I need it to do more, I'll have to learn more. And that's a good thing.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics