LARTC - Nov 2007 - How to fight with encrypted p2p

Hi

I believe that whole question is in topic. 
Is there any way to recognize ( and then shape ) p2p traffic which is encrypted?
Modern p2p clients have this ability moreover some of them have this enabled by
default.
Now I''m using ipp2p for iptables but as I know this doesn''t
recognize encrypted traffic.

Thanks in advance.

Pozdrawiam
Szymon Turkiewicz

sAwAr wrote:
> 
> Hi
> 
> I believe that whole question is in topic. 
> Is there any way to recognize ( and then shape ) p2p traffic which is
encrypted?
> Modern p2p clients have this ability moreover some of them have this
enabled by default.
> Now I''m using ipp2p for iptables but as I know this
doesn''t recognize encrypted traffic.
> 
> Thanks in advance.
> 
> Pozdrawiam
> Szymon Turkiewicz
Have not tried this. An idea. P2P initiations are not encrypted AFAIK. 
Thus connections can be marked and related traffic shaped. If initiation 
is also encrypted, then I think we have a serious problem.

Mohan

Some clients P2P clients are nice about there encryption and negotiate  
encryption ahead of time using plain communication. I.E. Limewire,  
Azureus.  However, some just start TLS and that is all you can see.

Looking at ipp2ps signatures, I don''t see anything that leads me to  
believe they track that kind of info.



David Bierce



On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote:
> sAwAr wrote:
>> Hi
>> I believe that whole question is in topic. Is there any way to  
>> recognize ( and then shape ) p2p traffic which is encrypted?
>> Modern p2p clients have this ability moreover some of them have  
>> this enabled by default. Now I''m using ipp2p for iptables but
as I
>> know this doesn''t recognize encrypted traffic.
>> Thanks in advance.
>> Pozdrawiam
>> Szymon Turkiewicz
> Have not tried this. An idea. P2P initiations are not encrypted  
> AFAIK. Thus connections can be marked and related traffic shaped. If  
> initiation is also encrypted, then I think we have a serious problem.
>
> Mohan
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Rtorrent which I use sometimes have ability to completely disable plain text 
communication :

man rtorrent
              allow_incoming  (allow incoming encrypted connections), 
try_outgoing (use encryption for outgoing connections), require (disable 
unencrypted  handshakes),  require_RC4  (also  disable  plaintext               
transmission  after  the initial encrypted handshake), enable_retry (if the 
initial outgoing connection fails, retry with encryption turned on if it was 
off or off if it was on),  prefer_plain text  (choose  plaintext when peer 
offers a choice between plaintext transmission and RC4 encryption, otherwise 
RC4 will be used).

and many other clients have similar abilities.
I''m afraid that full encrypted and enabled by default communication is
only a
matter of time and we will lose this "fight" very soon.
> Some clients P2P clients are nice about there encryption and negotiate
> encryption ahead of time using plain communication. I.E. Limewire,
> Azureus.  However, some just start TLS and that is all you can see.
>
> Looking at ipp2ps signatures, I don''t see anything that leads me
to
> believe they track that kind of info.
>
>
>
> David Bierce
>
> On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote:
> > sAwAr wrote:
> >> Hi
> >> I believe that whole question is in topic. Is there any way to
> >> recognize ( and then shape ) p2p traffic which is encrypted?
> >> Modern p2p clients have this ability moreover some of them have
> >> this enabled by default. Now I''m using ipp2p for iptables
but as I
> >> know this doesn''t recognize encrypted traffic.
> >> Thanks in advance.
> >> Pozdrawiam
> >> Szymon Turkiewicz
> >
> > Have not tried this. An idea. P2P initiations are not encrypted
> > AFAIK. Thus connections can be marked and related traffic shaped. If
> > initiation is also encrypted, then I think we have a serious problem.
> >
> > Mohan
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Hi
> 
> I believe that whole question is in topic. 
> Is there any way to recognize ( and then shape ) p2p traffic which is
encrypted?
> Modern p2p clients have this ability moreover some of them have this
enabled by default.
> Now I''m using ipp2p for iptables but as I know this
doesn''t recognize encrypted traffic.
> 
> Thanks in advance.
> 
As far as I am concerned there is no way to recognize encrypted p2p.
I`ve tested ipp2p, and layer7, and also Mikrotik`s 3.0 p2p mark systems
[ which in fact uses modified layer7 ], and none of them cant recognize
this traffic simply because it is enctypted.

- --

[ ... and the Slackware for All... ]

gpg_key: http://szuwar.mayhem.net.pl/keys/szuwar_mayhem-public.gpg



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHOZF96pLYJHrOtfoRAhxNAKCoOEqujQ8ibpeKKLcy4ODHXQmgAgCgh8Ur
k+pLmHu2JzhZmM1mtxD9pL4=DKs2
-----END PGP SIGNATURE-----

On 11/11/07 19:51, sAwAr wrote:
> Is there any way to recognize ( and then shape ) p2p traffic which is 
> encrypted?  Modern p2p clients have this ability moreover some of 
> them have this enabled by default.  Now I''m using ipp2p for
iptables
> but as I know this doesn''t recognize encrypted traffic.
Does this mean that we are down to handling traffic based on the 
sustained stream(s)?  I.e. how long the streams have been active, how 
many packets per second, how many streams a given end point has, speed 
of traffic, average size of packets?

Encrypted or not, I believe all traffic can be somewhat recognized by 
its usage pattern(s).  However there may be more false positives.  We 
may end up recognizing what we know as good and putting the rest at a 
lower class of service.

Thought''s / comments / objections / flame wars?



Grant. . . .

On 13.11.2007 16:09, Grant Taylor wrote:
> On 11/11/07 19:51, sAwAr wrote:
>> Is there any way to recognize ( and then shape ) p2p traffic which is
>> encrypted?  Modern p2p clients have this ability moreover some of
>> them have this enabled by default.  Now I''m using ipp2p for
iptables
>> but as I know this doesn''t recognize encrypted traffic.
>
> Does this mean that we are down to handling traffic based on the
> sustained stream(s)?  I.e. how long the streams have been active, how
> many packets per second, how many streams a given end point has, speed
> of traffic, average size of packets?
>
> Encrypted or not, I believe all traffic can be somewhat recognized by
> its usage pattern(s).  However there may be more false positives.  We
> may end up recognizing what we know as good and putting the rest at a
> lower class of service.
Well, you can surely try. But then again, I have been doing research
(publication pending) in traffic-pattern-based detection of VoIP flows
and peer-to-peer connections. While it usually is easy to find a pattern
matching your particular traffic class very well, part of this research
has been dedicated to automatically circumvent these systems. Why that?
Simple. Application evolve to circumvent detection. If you can simulate
that evolution in the lab, you can find out where your detection
algorithms will fail. Of course, that enumeration of possible failure
modes is non-exhaustive.

Bottom line: This is an arms race. Unless you do lots of research and
testing, detection will always be trying to catch up. If detection
manages to catch up, circumvention will advance, but you may have a
small time window where you can enjoy the "win". However, winning
becomes more and more expensive. Clients can expend considerable amount
of CPU power to avoid detection. You don''t have that luxury in filter
systems unless you have one filter per client.


Regards,
Carl-Daniel

On 11/13/07 09:37, Carl-Daniel Hailfinger wrote:
> Well, you can surely try. But then again, I have been doing research 
> (publication pending) in traffic-pattern-based detection of VoIP 
> flows and peer-to-peer connections. While it usually is easy to find 
> a pattern matching your particular traffic class very well, part of 
> this research has been dedicated to automatically circumvent these 
> systems. Why that?  Simple. Application evolve to circumvent 
> detection. If you can simulate that evolution in the lab, you can 
> find out where your detection algorithms will fail. Of course, that 
> enumeration of possible failure modes is non-exhaustive.
> 
> Bottom line: This is an arms race. Unless you do lots of research and 
> testing, detection will always be trying to catch up. If detection 
> manages to catch up, circumvention will advance, but you may have a 
> small time window where you can enjoy the "win". However, winning
> becomes more and more expensive. Clients can expend considerable 
> amount of CPU power to avoid detection. You don''t have that luxury
in
> filter systems unless you have one filter per client.
All very good points with regard to pattern based detecting P2P (and the 
likes) traffic.  What do you think about recognizing the traffic you do 
want and treating all else as a second or third class citizen.  Or is 
this just a form of net neutrality?  Or really is this entire discussion 
such.  Further does the net neutrality issue apply to companies (read: 
non ISPs) wanting to filter their own internal traffic.

Additionally as an aside will you please provide more information on 
your pending publication?  I''d likely be curious to read (what ever) 
when ever it is published.  Thanks in advance.



Grant. . . .

Hello ,

Tuesday, November 13, 2007, 5:09:32 PM, you wrote:
> Encrypted or not, I believe all traffic can be somewhat recognized by
> its usage pattern(s).  However there may be more false positives.  We 
> may end up recognizing what we know as good and putting the rest at a 
> lower class of service.
> Thought''s / comments / objections / flame wars?
It''s true that encrypted/unencrypted ratio of p2p traffic increased
about 10 times for past 2 years. There were a lot of predictions
before about such situation will happen. I guess that we have revise
shaping policing by some usage patterns as Grant said before. I guess
I''ll start to reread about all netfilter features and it helps me to
figure out how to solve this problem.

-- 
Konstantin

As you might have seen, these are words from ipp2p author:

"""

I have seen some pieces of code from ipoque which can detect encypted bittorrent
and edonkey traffic. Unforunately, this code will not work with
iptables, because it needs
more information about the flow history and the history of an ip address.

Right now, I do not have the time and the money to develop a filter
like this, but
if you are interested in a developement in this direction, please contact me.

"""

I *think* that we need something like a "bittorrent helper" in the
kernel to keep this extra information about the flow history and then
an iptables plugin to match. What do you think? Maybe we could contact
him to know what kind of information is it?


On Nov 12, 2007 9:17 AM, sawar <sawar@interia.pl>
wrote:
> Rtorrent which I use sometimes have ability to completely disable plain
text
> communication :
>
> man rtorrent
>               allow_incoming  (allow incoming encrypted connections),
> try_outgoing (use encryption for outgoing connections), require (disable
> unencrypted  handshakes),  require_RC4  (also  disable  plaintext
> transmission  after  the initial encrypted handshake), enable_retry (if the
> initial outgoing connection fails, retry with encryption turned on if it
was
> off or off if it was on),  prefer_plain text  (choose  plaintext when peer
> offers a choice between plaintext transmission and RC4 encryption,
otherwise
> RC4 will be used).
>
> and many other clients have similar abilities.
> I''m afraid that full encrypted and enabled by default
communication is only a
> matter of time and we will lose this "fight" very soon.
>
>
> > Some clients P2P clients are nice about there encryption and negotiate
> > encryption ahead of time using plain communication. I.E. Limewire,
> > Azureus.  However, some just start TLS and that is all you can see.
> >
> > Looking at ipp2ps signatures, I don''t see anything that leads
me to
> > believe they track that kind of info.
> >
> >
> >
> > David Bierce
> >
> > On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote:
> > > sAwAr wrote:
> > >> Hi
> > >> I believe that whole question is in topic. Is there any way
to
> > >> recognize ( and then shape ) p2p traffic which is encrypted?
> > >> Modern p2p clients have this ability moreover some of them
have
> > >> this enabled by default. Now I''m using ipp2p for
iptables but as I
> > >> know this doesn''t recognize encrypted traffic.
> > >> Thanks in advance.
> > >> Pozdrawiam
> > >> Szymon Turkiewicz
> > >
> > > Have not tried this. An idea. P2P initiations are not encrypted
> > > AFAIK. Thus connections can be marked and related traffic shaped.
If
> > > initiation is also encrypted, then I think we have a serious
problem.
> > >
> > > Mohan
> > > _______________________________________________
> > > LARTC mailing list
> > > LARTC@mailman.ds9a.nl
> > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>


-- 
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5

About ipp2p,

Right now, the battle against p2p is lost with l7 detection from ipp2p,
l7 filter and others.

Why ?? It is a known fact that pattern matching does not work with full
encrypted P2P handshakes based on DHT key exchange algorithms with byte
padding. You have absolutely no byte pattern and no fixed packet lengths
in the stream. So something like a flow history will fail or might have
a very high false +ve rate.

The thing is that there are proprietary solutions which can detect fully
encrypted p2p streams based on a heuristic approach. (AFAIK ipoque is
selling a proprietary library for this which is integrated in some
firewall vendors). I have not seen any open source development into this
direction.

Klaus, (former) maintainer of ipp2p


Marco Aurelio wrote:
> As you might have seen, these are words from ipp2p author:
> 
> """
> 
> I have seen some pieces of code from ipoque which can detect encypted
bittorrent
> and edonkey traffic. Unforunately, this code will not work with
> iptables, because it needs
> more information about the flow history and the history of an ip address.
> 
> Right now, I do not have the time and the money to develop a filter
> like this, but
> if you are interested in a developement in this direction, please contact
me.
> 
> """
> 
> I *think* that we need something like a "bittorrent helper" in
the
> kernel to keep this extra information about the flow history and then
> an iptables plugin to match. What do you think? Maybe we could contact
> him to know what kind of information is it?
> 
> 
> On Nov 12, 2007 9:17 AM, sawar <sawar@interia.pl> wrote:
>> Rtorrent which I use sometimes have ability to completely disable plain
text
>> communication :
>>
>> man rtorrent
>>               allow_incoming  (allow incoming encrypted connections),
>> try_outgoing (use encryption for outgoing connections), require
(disable
>> unencrypted  handshakes),  require_RC4  (also  disable  plaintext
>> transmission  after  the initial encrypted handshake), enable_retry (if
the
>> initial outgoing connection fails, retry with encryption turned on if
it was
>> off or off if it was on),  prefer_plain text  (choose  plaintext when
peer
>> offers a choice between plaintext transmission and RC4 encryption,
otherwise
>> RC4 will be used).
>>
>> and many other clients have similar abilities.
>> I''m afraid that full encrypted and enabled by default
communication is only a
>> matter of time and we will lose this "fight" very soon.
>>
>>
>>> Some clients P2P clients are nice about there encryption and
negotiate
>>> encryption ahead of time using plain communication. I.E. Limewire,
>>> Azureus.  However, some just start TLS and that is all you can see.
>>>
>>> Looking at ipp2ps signatures, I don''t see anything that
leads me to
>>> believe they track that kind of info.
>>>
>>>
>>>
>>> David Bierce
>>>
>>> On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote:
>>>> sAwAr wrote:
>>>>> Hi
>>>>> I believe that whole question is in topic. Is there any way
to
>>>>> recognize ( and then shape ) p2p traffic which is
encrypted?
>>>>> Modern p2p clients have this ability moreover some of them
have
>>>>> this enabled by default. Now I''m using ipp2p for
iptables but as I
>>>>> know this doesn''t recognize encrypted traffic.
>>>>> Thanks in advance.
>>>>> Pozdrawiam
>>>>> Szymon Turkiewicz
>>>> Have not tried this. An idea. P2P initiations are not encrypted
>>>> AFAIK. Thus connections can be marked and related traffic
shaped. If
>>>> initiation is also encrypted, then I think we have a serious
problem.
>>>>
>>>> Mohan
>>>> _______________________________________________
>>>> LARTC mailing list
>>>> LARTC@mailman.ds9a.nl
>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>> _______________________________________________
>>> LARTC mailing list
>>> LARTC@mailman.ds9a.nl
>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
> 
> 
>

Klauss,

Could you
Might be you can sponsor the development ...

Regards

Sébastien


Klaus escribió:
> About ipp2p,
>
> Right now, the battle against p2p is lost with l7 detection from ipp2p,
> l7 filter and others.
>
> Why ?? It is a known fact that pattern matching does not work with full
> encrypted P2P handshakes based on DHT key exchange algorithms with byte
> padding. You have absolutely no byte pattern and no fixed packet lengths
> in the stream. So something like a flow history will fail or might have
> a very high false +ve rate.
>
> The thing is that there are proprietary solutions which can detect fully
> encrypted p2p streams based on a heuristic approach. (AFAIK ipoque is
> selling a proprietary library for this which is integrated in some
> firewall vendors). I have not seen any open source development into this
> direction.
>
> Klaus, (former) maintainer of ipp2p
>
>
> Marco Aurelio wrote:
>   
>> As you might have seen, these are words from ipp2p author:
>>
>> """
>>
>> I have seen some pieces of code from ipoque which can detect encypted
bittorrent
>> and edonkey traffic. Unforunately, this code will not work with
>> iptables, because it needs
>> more information about the flow history and the history of an ip
address.
>>
>> Right now, I do not have the time and the money to develop a filter
>> like this, but
>> if you are interested in a developement in this direction, please
contact me.
>>
>> """
>>
>> I *think* that we need something like a "bittorrent helper"
in the
>> kernel to keep this extra information about the flow history and then
>> an iptables plugin to match. What do you think? Maybe we could contact
>> him to know what kind of information is it?
>>
>>
>> On Nov 12, 2007 9:17 AM, sawar <sawar@interia.pl> wrote:
>>     
>>> Rtorrent which I use sometimes have ability to completely disable
plain text
>>> communication :
>>>
>>> man rtorrent
>>>               allow_incoming  (allow incoming encrypted
connections),
>>> try_outgoing (use encryption for outgoing connections), require
(disable
>>> unencrypted  handshakes),  require_RC4  (also  disable  plaintext
>>> transmission  after  the initial encrypted handshake), enable_retry
(if the
>>> initial outgoing connection fails, retry with encryption turned on
if it was
>>> off or off if it was on),  prefer_plain text  (choose  plaintext
when peer
>>> offers a choice between plaintext transmission and RC4 encryption,
otherwise
>>> RC4 will be used).
>>>
>>> and many other clients have similar abilities.
>>> I''m afraid that full encrypted and enabled by default
communication is only a
>>> matter of time and we will lose this "fight" very soon.
>>>
>>>
>>>       
>>>> Some clients P2P clients are nice about there encryption and
negotiate
>>>> encryption ahead of time using plain communication. I.E.
Limewire,
>>>> Azureus.  However, some just start TLS and that is all you can
see.
>>>>
>>>> Looking at ipp2ps signatures, I don''t see anything
that leads me to
>>>> believe they track that kind of info.
>>>>
>>>>
>>>>
>>>> David Bierce
>>>>
>>>> On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote:
>>>>         
>>>>> sAwAr wrote:
>>>>>           
>>>>>> Hi
>>>>>> I believe that whole question is in topic. Is there any
way to
>>>>>> recognize ( and then shape ) p2p traffic which is
encrypted?
>>>>>> Modern p2p clients have this ability moreover some of
them have
>>>>>> this enabled by default. Now I''m using ipp2p
for iptables but as I
>>>>>> know this doesn''t recognize encrypted traffic.
>>>>>> Thanks in advance.
>>>>>> Pozdrawiam
>>>>>> Szymon Turkiewicz
>>>>>>             
>>>>> Have not tried this. An idea. P2P initiations are not
encrypted
>>>>> AFAIK. Thus connections can be marked and related traffic
shaped. If
>>>>> initiation is also encrypted, then I think we have a
serious problem.
>>>>>
>>>>> Mohan
>>>>> _______________________________________________
>>>>> LARTC mailing list
>>>>> LARTC@mailman.ds9a.nl
>>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>>           
>>>> _______________________________________________
>>>> LARTC mailing list
>>>> LARTC@mailman.ds9a.nl
>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>         
>>> _______________________________________________
>>> LARTC mailing list
>>> LARTC@mailman.ds9a.nl
>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>
>>>       
>>
>>     
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
>

Sorry ... I''m little bite tired ...
I mean  that we might sponsor  Klauss and L7 team to develop this ...

Regards

Sébastien CRAMATTE escribió:
> Klauss,
>
> Could you
> Might be you can sponsor the development ...
>
> Regards
>
> Sébastien
>
>
> Klaus escribió:
>   
>> About ipp2p,
>>
>> Right now, the battle against p2p is lost with l7 detection from ipp2p,
>> l7 filter and others.
>>
>> Why ?? It is a known fact that pattern matching does not work with full
>> encrypted P2P handshakes based on DHT key exchange algorithms with byte
>> padding. You have absolutely no byte pattern and no fixed packet
lengths
>> in the stream. So something like a flow history will fail or might have
>> a very high false +ve rate.
>>
>> The thing is that there are proprietary solutions which can detect
fully
>> encrypted p2p streams based on a heuristic approach. (AFAIK ipoque is
>> selling a proprietary library for this which is integrated in some
>> firewall vendors). I have not seen any open source development into
this
>> direction.
>>
>> Klaus, (former) maintainer of ipp2p
>>
>>
>> Marco Aurelio wrote:
>>   
>>     
>>> As you might have seen, these are words from ipp2p author:
>>>
>>> """
>>>
>>> I have seen some pieces of code from ipoque which can detect
encypted bittorrent
>>> and edonkey traffic. Unforunately, this code will not work with
>>> iptables, because it needs
>>> more information about the flow history and the history of an ip
address.
>>>
>>> Right now, I do not have the time and the money to develop a filter
>>> like this, but
>>> if you are interested in a developement in this direction, please
contact me.
>>>
>>> """
>>>
>>> I *think* that we need something like a "bittorrent
helper" in the
>>> kernel to keep this extra information about the flow history and
then
>>> an iptables plugin to match. What do you think? Maybe we could
contact
>>> him to know what kind of information is it?
>>>
>>>
>>> On Nov 12, 2007 9:17 AM, sawar <sawar@interia.pl> wrote:
>>>     
>>>       
>>>> Rtorrent which I use sometimes have ability to completely
disable plain text
>>>> communication :
>>>>
>>>> man rtorrent
>>>>               allow_incoming  (allow incoming encrypted
connections),
>>>> try_outgoing (use encryption for outgoing connections), require
(disable
>>>> unencrypted  handshakes),  require_RC4  (also  disable 
plaintext
>>>> transmission  after  the initial encrypted handshake),
enable_retry (if the
>>>> initial outgoing connection fails, retry with encryption turned
on if it was
>>>> off or off if it was on),  prefer_plain text  (choose 
plaintext when peer
>>>> offers a choice between plaintext transmission and RC4
encryption, otherwise
>>>> RC4 will be used).
>>>>
>>>> and many other clients have similar abilities.
>>>> I''m afraid that full encrypted and enabled by default
communication is only a
>>>> matter of time and we will lose this "fight" very
soon.
>>>>
>>>>
>>>>       
>>>>         
>>>>> Some clients P2P clients are nice about there encryption
and negotiate
>>>>> encryption ahead of time using plain communication. I.E.
Limewire,
>>>>> Azureus.  However, some just start TLS and that is all you
can see.
>>>>>
>>>>> Looking at ipp2ps signatures, I don''t see anything
that leads me to
>>>>> believe they track that kind of info.
>>>>>
>>>>>
>>>>>
>>>>> David Bierce
>>>>>
>>>>> On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote:
>>>>>         
>>>>>           
>>>>>> sAwAr wrote:
>>>>>>           
>>>>>>             
>>>>>>> Hi
>>>>>>> I believe that whole question is in topic. Is there
any way to
>>>>>>> recognize ( and then shape ) p2p traffic which is
encrypted?
>>>>>>> Modern p2p clients have this ability moreover some
of them have
>>>>>>> this enabled by default. Now I''m using
ipp2p for iptables but as I
>>>>>>> know this doesn''t recognize encrypted
traffic.
>>>>>>> Thanks in advance.
>>>>>>> Pozdrawiam
>>>>>>> Szymon Turkiewicz
>>>>>>>             
>>>>>>>               
>>>>>> Have not tried this. An idea. P2P initiations are not
encrypted
>>>>>> AFAIK. Thus connections can be marked and related
traffic shaped. If
>>>>>> initiation is also encrypted, then I think we have a
serious problem.
>>>>>>
>>>>>> Mohan
>>>>>> _______________________________________________
>>>>>> LARTC mailing list
>>>>>> LARTC@mailman.ds9a.nl
>>>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>>>           
>>>>>>             
>>>>> _______________________________________________
>>>>> LARTC mailing list
>>>>> LARTC@mailman.ds9a.nl
>>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>>         
>>>>>           
>>>> _______________________________________________
>>>> LARTC mailing list
>>>> LARTC@mailman.ds9a.nl
>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>
>>>>       
>>>>         
>>>     
>>>       
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>>
>>   
>>     
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
>

> I believe that whole question is in topic. 
> Is there any way to recognize ( and then shape ) p2p traffic which is
encrypted?
> Modern p2p clients have this ability moreover some of them have this
enabled by default.
> Now I''m using ipp2p for iptables but as I know this
doesn''t recognize encrypted traffic.
One way to do this is to look for the style of traffic. For example, I
look for lots of connections from one PC to port numbers above 1024.
This will also incorrectly recognise some other traffic, but on the
whole it works well for me.

The following are some examples using connlimit (now included in vanilla
kernel) and ipset (see http://ipset.netfilter.org/)

# first look for style of traffic and log that client to an ipset
iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
	-m connlimit --connlimit-above 10 -j SET --add-set p2p src
iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
	-m connlimit --connlimit-above 10 -j SET --add-set p2p src
iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
	-m connlimit --connlimit-above 10 -j SET --add-set p2p dst
iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
	-m connlimit --connlimit-above 10 -j SET --add-set p2p dst

# then shape traffic above port 1024 for those detected clients
iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
	-m set --set p2p dst -j MARK --set-mark 60
iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
	-m set --set p2p dst -j MARK --set-mark 60
iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
	-m set --set p2p dst -j MARK --set-mark 60
iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
	-m set --set p2p dst -j MARK --set-mark 60


Regards,

Andy Beverley

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I believe "fighting" is the wrong approach.  Badly shaping the wrong
traffic is just as bad, if not worse IMO.  An ISP in my neck of the
woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as a
result of their P2P fight.  Needless to say we no longer use them, and
we encourage clients, friends, and colleagues not to as well.  I don''t
use P2P but I do use ssh, imaps, sftp, and https daily.  Screwing with
these services is not useful.  Limiting your rules to specific ports is
pretty useless.  This has been done before, and it failed miserably.

For me, if P2P does not belong at all, for instance on a corporate
network, then a default deny on the outbound works much better.  We then
 only allow specific connections on a case by case basis.  For instances
where I am not able to block p2p, I define specific rules for high and
low priority, and leave everything else in the default.  If the end user
wants to use the bulk of his or her bandwidth for P2P, so be it.  Of
course in this case bandwidth accounting is far more useful.

I would also encourage your users to use software that is or can be well
behaved.  Software that allows you set a proper TOS for instance.  If
possible work with the end users.

I have personally found that the best solutions are not tech solutions.
 Having a well defined Acceptable Use Policy, plus a constructive
dialogue with my users has been far more effective than any shaping
routine I/we could come up with.

Ask yourself, what is the problem you are really trying to solve.

Andrew Beverley wrote:
>> I believe that whole question is in topic. 
>> Is there any way to recognize ( and then shape ) p2p traffic which is
encrypted?
>> Modern p2p clients have this ability moreover some of them have this
enabled by default.
>> Now I''m using ipp2p for iptables but as I know this
doesn''t recognize encrypted traffic.
> 
> One way to do this is to look for the style of traffic. For example, I
> look for lots of connections from one PC to port numbers above 1024.
> This will also incorrectly recognise some other traffic, but on the
> whole it works well for me.
> 
> The following are some examples using connlimit (now included in vanilla
> kernel) and ipset (see http://ipset.netfilter.org/)
> 
> # first look for style of traffic and log that client to an ipset
> iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
> 	-m connlimit --connlimit-above 10 -j SET --add-set p2p src
> iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
> 	-m connlimit --connlimit-above 10 -j SET --add-set p2p src
> iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
> 	-m connlimit --connlimit-above 10 -j SET --add-set p2p dst
> iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
> 	-m connlimit --connlimit-above 10 -j SET --add-set p2p dst
> 
> # then shape traffic above port 1024 for those detected clients
> iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
> 	-m set --set p2p dst -j MARK --set-mark 60
> iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
> 	-m set --set p2p dst -j MARK --set-mark 60
> iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
> 	-m set --set p2p dst -j MARK --set-mark 60
> iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
> 	-m set --set p2p dst -j MARK --set-mark 60
> 
> 
> Regards,
> 
> Andy Beverley
> 
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHU98owRXgH3rKGfMRAmszAKCIhVoUnfuWDIaWQqwE1WfuSz9sNwCgipFZ
wqrptNaNg3HMFE79AvbQ+fI=gb3i
-----END PGP SIGNATURE-----

> I believe "fighting" is the wrong approach.  Badly shaping the
wrong
> traffic is just as bad, if not worse IMO.  An ISP in my neck of the
> woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as a
> result of their P2P fight.  Needless to say we no longer use them, and
> we encourage clients, friends, and colleagues not to as well.  I
don''t
> use P2P but I do use ssh, imaps, sftp, and https daily.  Screwing with
> these services is not useful.
Using the rules in the example previously given specifically steers well clear
of these services.
> Limiting your rules to specific ports is
> pretty useless.  This has been done before, and it failed miserably.
Agreed.
> For me, if P2P does not belong at all, for instance on a corporate
> network, then a default deny on the outbound works much better.  We then
> only allow specific connections on a case by case basis.
I have seen this work very well on corporate networks, and would 
recommend this
approach where possible. Unfortunately though, on a normal home user network,
there are so many different possibilities that this isn''t very
practical.
> For instances
> where I am not able to block p2p, I define specific rules for high and
> low priority, and leave everything else in the default.  If the end user
> wants to use the bulk of his or her bandwidth for P2P, so be it.  Of
> course in this case bandwidth accounting is far more useful.
Again, this depends on the circumstances. If you only have 2Mbit/s to share
between 100 users then each user cannot have their own ''share''
of the
connection. Equally, people downloading in a responsible way are lumped 
into the
same category as p2p users, which is not fair. Bandwidth accounting is a
possibility, and something I haven''t investigated.

For those who want to fairly share bandwidth beween users, I would 
recommend the
ESFQ patches. These allow bandwidth sharing to be done on an IP address basis,
rather than per connection. This prevents the hundreds of p2p connections from
drowning out single downloads.
> I would also encourage your users to use software that is or can be well
> behaved.  Software that allows you set a proper TOS for instance.  If
> possible work with the end users.
> I have personally found that the best solutions are not tech solutions.
> Having a well defined Acceptable Use Policy, plus a constructive
> dialogue with my users has been far more effective than any shaping
> routine I/we could come up with.
Agreed. However, in a situation where you have a lot of users coming 
and going,
it is not easy to educate the many hundreds of users.

I guess it all boils down to your own situation. Traffic shaping on a 
corporate
network or on a network where your users are static can be done using 
the above
techniques. However, sharing a small connection between hundreds of regularly
changing users is difficult, and I have found the ''blunt''
rules previously
described to work very well with no complaints.

Regards,

Andy Beverley

Hi,

We had similiar problem with p2p, used ipp2p and L7filter together
before and worked well until clients( mostly clever ones) started
getting around it with encryption. We have about 700 wireless clients
hitting our network and our network was taking big knocks with guys
using couple of gigs day on entry level packages.

Was going to use Ipoque, but was quite pricy for us, Only solutions
for us to use a daily limit of eg 500MB, then they get slowed down to
slower speeds, This worked like a charm

Out of interest we used freeradius / pptpd|pppd  with some custom perl
scripts and tc rules

Sew

On Dec 3, 2007 9:33 PM, Andrew Beverley <andy@andybev.com>
wrote:
> > I believe "fighting" is the wrong approach.  Badly shaping
the wrong
> > traffic is just as bad, if not worse IMO.  An ISP in my neck of the
> > woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as
a
> > result of their P2P fight.  Needless to say we no longer use them, and
> > we encourage clients, friends, and colleagues not to as well.  I
don''t
> > use P2P but I do use ssh, imaps, sftp, and https daily.  Screwing with
> > these services is not useful.
>
> Using the rules in the example previously given specifically steers well
clear
> of these services.
>
> > Limiting your rules to specific ports is
> > pretty useless.  This has been done before, and it failed miserably.
>
> Agreed.
>
> > For me, if P2P does not belong at all, for instance on a corporate
> > network, then a default deny on the outbound works much better.  We
then
> > only allow specific connections on a case by case basis.
>
> I have seen this work very well on corporate networks, and would
> recommend this
> approach where possible. Unfortunately though, on a normal home user
network,
> there are so many different possibilities that this isn''t very
practical.
>
> > For instances
> > where I am not able to block p2p, I define specific rules for high and
> > low priority, and leave everything else in the default.  If the end
user
> > wants to use the bulk of his or her bandwidth for P2P, so be it.  Of
> > course in this case bandwidth accounting is far more useful.
>
> Again, this depends on the circumstances. If you only have 2Mbit/s to share
> between 100 users then each user cannot have their own
''share'' of the
> connection. Equally, people downloading in a responsible way are lumped
> into the
> same category as p2p users, which is not fair. Bandwidth accounting is a
> possibility, and something I haven''t investigated.
>
> For those who want to fairly share bandwidth beween users, I would
> recommend the
> ESFQ patches. These allow bandwidth sharing to be done on an IP address
basis,
> rather than per connection. This prevents the hundreds of p2p connections
from
> drowning out single downloads.
>
> > I would also encourage your users to use software that is or can be
well
> > behaved.  Software that allows you set a proper TOS for instance.  If
> > possible work with the end users.
> > I have personally found that the best solutions are not tech
solutions.
> > Having a well defined Acceptable Use Policy, plus a constructive
> > dialogue with my users has been far more effective than any shaping
> > routine I/we could come up with.
>
> Agreed. However, in a situation where you have a lot of users coming
> and going,
> it is not easy to educate the many hundreds of users.
>
> I guess it all boils down to your own situation. Traffic shaping on a
> corporate
> network or on a network where your users are static can be done using
> the above
> techniques. However, sharing a small connection between hundreds of
regularly
> changing users is difficult, and I have found the ''blunt''
rules previously
> described to work very well with no complaints.
>
>
> Regards,
>
> Andy Beverley
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

Thanks for sharing.

Just one question, how are you implementing the daily limit?

Regards,

Mario Antonio

----- Original Message -----
From: "the sew" <sewlist@gmail.com>
To: "Andrew Beverley" <andy@andybev.com>
Cc: lartc@mailman.ds9a.nl
Sent: Monday, December 10, 2007 8:37:07 AM (GMT-0500) America/New_York
Subject: Re: [LARTC] How to fight with encrypted p2p

Hi,

We had similiar problem with p2p, used ipp2p and L7filter together
before and worked well until clients( mostly clever ones) started
getting around it with encryption. We have about 700 wireless clients
hitting our network and our network was taking big knocks with guys
using couple of gigs day on entry level packages.

Was going to use Ipoque, but was quite pricy for us, Only solutions
for us to use a daily limit of eg 500MB, then they get slowed down to
slower speeds, This worked like a charm

Out of interest we used freeradius / pptpd|pppd  with some custom perl
scripts and tc rules

Sew

On Dec 3, 2007 9:33 PM, Andrew Beverley <andy@andybev.com>
wrote:
> > I believe "fighting" is the wrong approach.  Badly shaping
the wrong
> > traffic is just as bad, if not worse IMO.  An ISP in my neck of the
> > woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as
a
> > result of their P2P fight.  Needless to say we no longer use them, and
> > we encourage clients, friends, and colleagues not to as well.  I
don''t
> > use P2P but I do use ssh, imaps, sftp, and https daily.  Screwing with
> > these services is not useful.
>
> Using the rules in the example previously given specifically steers well
clear
> of these services.
>
> > Limiting your rules to specific ports is
> > pretty useless.  This has been done before, and it failed miserably.
>
> Agreed.
>
> > For me, if P2P does not belong at all, for instance on a corporate
> > network, then a default deny on the outbound works much better.  We
then
> > only allow specific connections on a case by case basis.
>
> I have seen this work very well on corporate networks, and would
> recommend this
> approach where possible. Unfortunately though, on a normal home user
network,
> there are so many different possibilities that this isn''t very
practical.
>
> > For instances
> > where I am not able to block p2p, I define specific rules for high and
> > low priority, and leave everything else in the default.  If the end
user
> > wants to use the bulk of his or her bandwidth for P2P, so be it.  Of
> > course in this case bandwidth accounting is far more useful.
>
> Again, this depends on the circumstances. If you only have 2Mbit/s to share
> between 100 users then each user cannot have their own
''share'' of the
> connection. Equally, people downloading in a responsible way are lumped
> into the
> same category as p2p users, which is not fair. Bandwidth accounting is a
> possibility, and something I haven''t investigated.
>
> For those who want to fairly share bandwidth beween users, I would
> recommend the
> ESFQ patches. These allow bandwidth sharing to be done on an IP address
basis,
> rather than per connection. This prevents the hundreds of p2p connections
from
> drowning out single downloads.
>
> > I would also encourage your users to use software that is or can be
well
> > behaved.  Software that allows you set a proper TOS for instance.  If
> > possible work with the end users.
> > I have personally found that the best solutions are not tech
solutions.
> > Having a well defined Acceptable Use Policy, plus a constructive
> > dialogue with my users has been far more effective than any shaping
> > routine I/we could come up with.
>
> Agreed. However, in a situation where you have a lot of users coming
> and going,
> it is not easy to educate the many hundreds of users.
>
> I guess it all boils down to your own situation. Traffic shaping on a
> corporate
> network or on a network where your users are static can be done using
> the above
> techniques. However, sharing a small connection between hundreds of
regularly
> changing users is difficult, and I have found the ''blunt''
rules previously
> described to work very well with no complaints.
>
>
> Regards,
>
> Andy Beverley
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

On Dec 10, 2007 4:09 PM, Mario Antonio Garcia <dino@webjogger.net>
wrote:
> Thanks for sharing.
No problem

>
> Just one question, how are you implementing the daily limit?
two ways of detecting them:

1st is the /etc/ppp/ip-up.local which executes the script to check
usage against the radius db and shape them on authentication,

Once they logged in , I dont want to kick everone off every few hours
to check usage, I have a "nice" cron job running every 3 hours, to
check every single user against the db and if they reached their
quotas ,they get shaped while being online., Radius stores all info
about the nas in the db, so makes it quite strait forward.

Also nicely added is our reselling guys who maintain the clients get a
report everytime of users who exceeded the limit and can be aware of
which clients is the problem if they phone to complain, Also nice is
that usually the infected pc''s gets knocked off first to save alot of
bandwidth

Sew




>
> Regards,
>
> Mario Antonio
>
>
> ----- Original Message -----
> From: "the sew" <sewlist@gmail.com>
> To: "Andrew Beverley" <andy@andybev.com>
> Cc: lartc@mailman.ds9a.nl
> Sent: Monday, December 10, 2007 8:37:07 AM (GMT-0500) America/New_York
> Subject: Re: [LARTC] How to fight with encrypted p2p
>
> Hi,
>
> We had similiar problem with p2p, used ipp2p and L7filter together
> before and worked well until clients( mostly clever ones) started
> getting around it with encryption. We have about 700 wireless clients
> hitting our network and our network was taking big knocks with guys
> using couple of gigs day on entry level packages.
>
> Was going to use Ipoque, but was quite pricy for us, Only solutions
> for us to use a daily limit of eg 500MB, then they get slowed down to
> slower speeds, This worked like a charm
>
> Out of interest we used freeradius / pptpd|pppd  with some custom perl
> scripts and tc rules
>
> Sew
>
> On Dec 3, 2007 9:33 PM, Andrew Beverley <andy@andybev.com> wrote:
> > > I believe "fighting" is the wrong approach.  Badly
shaping the wrong
> > > traffic is just as bad, if not worse IMO.  An ISP in my neck of
the
> > > woods plays havoc with encrypted mail (SMTP + TLS as well as
IMAPS) as a
> > > result of their P2P fight.  Needless to say we no longer use
them, and
> > > we encourage clients, friends, and colleagues not to as well.  I
don''t
> > > use P2P but I do use ssh, imaps, sftp, and https daily.  Screwing
with
> > > these services is not useful.
> >
> > Using the rules in the example previously given specifically steers
well clear
> > of these services.
> >
> > > Limiting your rules to specific ports is
> > > pretty useless.  This has been done before, and it failed
miserably.
> >
> > Agreed.
> >
> > > For me, if P2P does not belong at all, for instance on a
corporate
> > > network, then a default deny on the outbound works much better. 
We then
> > > only allow specific connections on a case by case basis.
> >
> > I have seen this work very well on corporate networks, and would
> > recommend this
> > approach where possible. Unfortunately though, on a normal home user
network,
> > there are so many different possibilities that this isn''t
very practical.
> >
> > > For instances
> > > where I am not able to block p2p, I define specific rules for
high and
> > > low priority, and leave everything else in the default.  If the
end user
> > > wants to use the bulk of his or her bandwidth for P2P, so be it. 
Of
> > > course in this case bandwidth accounting is far more useful.
> >
> > Again, this depends on the circumstances. If you only have 2Mbit/s to
share
> > between 100 users then each user cannot have their own
''share'' of the
> > connection. Equally, people downloading in a responsible way are
lumped
> > into the
> > same category as p2p users, which is not fair. Bandwidth accounting is
a
> > possibility, and something I haven''t investigated.
> >
> > For those who want to fairly share bandwidth beween users, I would
> > recommend the
> > ESFQ patches. These allow bandwidth sharing to be done on an IP
address basis,
> > rather than per connection. This prevents the hundreds of p2p
connections from
> > drowning out single downloads.
> >
> > > I would also encourage your users to use software that is or can
be well
> > > behaved.  Software that allows you set a proper TOS for instance.
If
> > > possible work with the end users.
> > > I have personally found that the best solutions are not tech
solutions.
> > > Having a well defined Acceptable Use Policy, plus a constructive
> > > dialogue with my users has been far more effective than any
shaping
> > > routine I/we could come up with.
> >
> > Agreed. However, in a situation where you have a lot of users coming
> > and going,
> > it is not easy to educate the many hundreds of users.
> >
> > I guess it all boils down to your own situation. Traffic shaping on a
> > corporate
> > network or on a network where your users are static can be done using
> > the above
> > techniques. However, sharing a small connection between hundreds of
regularly
> > changing users is difficult, and I have found the
''blunt'' rules previously
> > described to work very well with no complaints.
> >
> >
> > Regards,
> >
> > Andy Beverley
> >
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
>
>
>