After varying degrees of success with p2p detection modules, I would like to write the following rules using iptables to reliably identify p2p traffic: 1. If a host on the network has 5 or more simutaneous tcp connections to ports above 1024, mark all connections to ports 1024 and above as 60. 2. If a host has received (or sent) UDP packets from 5 different hosts'' ports above 1024 in a minute then classify all UDP traffic to and from that host above port 1024 as 60. Number 1 can almost be acheived using something similar to: iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK --set-mark 60 Unfortunately though it still leaves 5 connections slurping up plenty of bandwidth. I have no ideas for number 2. Anybody any ideas? On my network all p2p traffic falls into these categories, and I don''t mind overmatching with other traffic. Thanks, Andy
On Sunday 07 May 2006 19:43, Andrew Beverley wrote:> After varying degrees of success with p2p detection modules, I would like > to write the following rules using iptables to reliably identify p2p > traffic: ><snip>> On my network all p2p traffic falls into these categories, and I don''t mind > overmatching with other traffic.If you can, you could look into compiling and using ipp2p against your kernel. I find it works extremely well with my p2p traffic from edonkey protocol(s). You may have success with L7-Filter, too. You can probably use both at the same time, but I''ve never tried as ipp2p works for me. -- Jason Boxman http://edseek.com/ - Linux and FOSS stuff
Jason Boxman wrote:> On Sunday 07 May 2006 19:43, Andrew Beverley wrote: >> After varying degrees of success with p2p detection modules, I would like >> to write the following rules using iptables to reliably identify p2p >> traffic: >> > <snip> >> On my network all p2p traffic falls into these categories, and I don''t mind >> overmatching with other traffic. > > If you can, you could look into compiling and using ipp2p against your kernel. > I find it works extremely well with my p2p traffic from edonkey protocol(s). > You may have success with L7-Filter, too. You can probably use both at the > same time, but I''ve never tried as ipp2p works for me.Thanks - I tried both ipp2p and l7-filter. I found that on the whole they worked well, but on the network of 50 clients there was always a couple that it didn''t detect. I also wanted to put something in place that didn''t need upgrading - if and when I move on someone will have to keep updating ipp2p and l7-filter on the server. Andy
Ryan Castellucci wrote:> On 5/7/06, Andrew Beverley <andy@andybev.com> wrote: >> After varying degrees of success with p2p detection modules, I >> would like to write the following rules using iptables to reliably >> identify p2p traffic: >> >> 1. If a host on the network has 5 or more simutaneous tcp >> connections to ports above 1024, mark all connections to ports 1024 >> and above as 60. >> >> 2. If a host has received (or sent) UDP packets from 5 different >> hosts'' ports above 1024 in a minute then classify all UDP traffic >> to and from that host above port 1024 as 60. >> >> Number 1 can almost be acheived using something similar to: >> iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK >> --set-mark 60 >> >> Unfortunately though it still leaves 5 connections slurping up >> plenty of bandwidth. >> >> I have no ideas for number 2. >> >> Anybody any ideas? > > Take a look at the ''recent'' and ''set'' stuff. You can use it to > create groups of ''naughty'' users and match against those groups. > Recent is probably better in this case.I achieved most of this with ''set''. I create an iptree ipset list that times out after 60 seconds. If the above are detected then the user''s IP address is added to the ipset, and any subsequent traffic from the user destined to or from ports above 1024 is marked at a lower priority. The one thing I haven''t managed yet is detecting many different UDP ports within a set time period. Instead I match on UDP traffic packets longer then 1000 bytes, which seems to work on the whole but I''d like to get it to detect on different port numbers as it is less likely to over match. Andy
I''m using the 2 modules at the same, and the problems I encounter are:
1) l7-filter need to patch kernel (you can''t skip this), and for
this
reason in my recent scripts I''m putting "module detection
procedures"
to allow me disable this module when no exists.
2) With a little manual changes into .h files and .c headers includes
section, you can compile kernel module and iptables extensions for
ipp2p, with this sources, you can upgrade you kernel and put a
detection script into init scripts to detect, compile and install ipp2p
without problems.
3) I use p2p detection modules in this way:
a) Marking p2p traffic in mangle table.
b) Limiting bandwidth with tc.
c) Using connlimit iptables extension in filter table to drop tcp
"new p2p connections" when they reaches a limit.
Perhaps this help a bit.
Regards
--
Samuel Díaz García
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg@arcoscom.com
msn: samueldg@arcoscom.com
Tlfn.: 956 70 13 15
Fax: 956 70 34 83
El Lun, 22 de Mayo de 2006, 8:26, Andrew Beverley
escribió:> Jason Boxman wrote:
>> On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
>>> After varying degrees of success with p2p detection modules, I
would
>>> like
>>> to write the following rules using iptables to reliably identify
p2p
>>> traffic:
>>>
>> <snip>
>>> On my network all p2p traffic falls into these categories, and I
don''t
>>> mind
>>> overmatching with other traffic.
>>
>> If you can, you could look into compiling and using ipp2p against your
>> kernel.
>> I find it works extremely well with my p2p traffic from edonkey
>> protocol(s).
>> You may have success with L7-Filter, too. You can probably use both at
>> the
>> same time, but I''ve never tried as ipp2p works for me.
>
> Thanks - I tried both ipp2p and l7-filter. I found that on the whole
> they worked well, but on the network of 50 clients there was always a
> couple that it didn''t detect. I also wanted to put something in
place
> that didn''t need upgrading - if and when I move on someone will
have to
> keep updating ipp2p and l7-filter on the server.
>
> Andy
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
On Monday 22 May 2006 03:26, Andrew Beverley wrote:> Jason Boxman wrote: > > On Sunday 07 May 2006 19:43, Andrew Beverley wrote: > >> After varying degrees of success with p2p detection modules, I would > >> like to write the following rules using iptables to reliably identify > >> p2p traffic: > > > > <snip> > > > >> On my network all p2p traffic falls into these categories, and I don''t > >> mind overmatching with other traffic. > > > > If you can, you could look into compiling and using ipp2p against your > > kernel. I find it works extremely well with my p2p traffic from edonkey > > protocol(s). You may have success with L7-Filter, too. You can probably > > use both at the same time, but I''ve never tried as ipp2p works for me. > > Thanks - I tried both ipp2p and l7-filter. I found that on the whole > they worked well, but on the network of 50 clients there was always a > couple that it didn''t detect. I also wanted to put something in place > that didn''t need upgrading - if and when I move on someone will have to > keep updating ipp2p and l7-filter on the server.There is an alternative method that i''ve used and is infallible detecting p2p. Find out what is *not* p2p traffic in your network and give it the appropriate bandwidth/priority. Then the rest will be p2p traffic. This is the same approach used to build firewall rules, which is close all traffic and start open ports/protocols till all works ok. So at first maybe there will be some false positives, but with yours clients feedback and a Little of network analysis all goes to the right place. Some clues on what is not p2p: - packets with size<100bytes - tcp ports 80,21,22,25,110 and so on... - all udp, some p2p protocols use it for control but AFAIK is not used in data transfers, and if it is, you can still use a size rule ie: udp<900bytes - other protocols as icmp igmp esp... -- Luciano