Re: bittorrent file transfer - rate limit



Can you please elaborate on the methodology you outlined for detection of
BitTorrent encrypted connections? Do you have plans to provide this
support in the free IntruPro IPS software?

Thanks
Ravi

On 10/9/07, Srinivasa Addepalli <srao@xxxxxxxxxx> wrote:

Hi,

Older versions of BitTorrent clients use TCP-based transfer for downloading
and uploading pieces. Later versions of clients support multiple methods for
data transfer. Web seeding is one method which we see commonly. We also see
the Azureus client using UDP-based data transfer. In addition, if peers support
cryptography, then the connections (TCP or UDP) are encrypted.

It is difficult to detect encrypted connections using typical pattern
matching. The first two packets of the connection exchange DH pairs to get
a symmetric key. This symmetric key is used to encrypt the rest of the stream.
The first two packets are even padded with random data of random length to avoid
detection by any traffic enforcers. This is done very cleverly and it has
been very successful. We believe that traffic heuristics combined with some
intelligence of tracker connections is one way to detect these encrypted
connections.

By the way, IntruPro-IPS has signatures for detecting 'web seeding' and
'UDP'-based data transfer connections in addition to TCP-based connections.
These signatures were added recently and you may like to get the latest version
of the signature set.

Srini

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Ravi Chunduru
Sent: Sunday, October 07, 2007 9:27 AM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: bittorrent file transfer - rate limit

I am trying to use IntruPro-IPS to limit BitTorrent traffic to 20% of
my bandwidth.

It is able to detect file transfer traffic in many cases using the rules
given as part of the product distribution. If I use BitTorrent (downloaded
from www.bittorrent.com) I can see that this P2P traffic does not
exceed the 20% limit (100kbps). But if I use another client application
such as Azureus or uTorrent, I find that BitTorrent data traffic is
not recognized for some torrents.

This product has a facility to add new rules to detect application
traffic. I tried to add new rules with patterns from bleedingthreats
and l7 filters and the results are the same. Does anybody have the right patterns
to detect all kinds of BitTorrent file transfer connections?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s)
and may contain confidential, proprietary and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended recipient,
please immediately notify the sender by reply email and destroy all copies of the original message.
Thank you.

Intoto Inc.
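
The approach Srini outlines above (traffic heuristics combined with knowledge of tracker connections), sketched as an added example; it is not code from this thread or from IntruPro-IPS. It learns peer endpoints from a tracker reply, then flags a flow to one of those peers when its first payload is random-looking and is not the cleartext handshake. Assumptions: the tracker reply uses the compact 6-bytes-per-peer form, the first encrypted message is 96 to 608 bytes long, and the function names and the 0.9 threshold are hypothetical.

```python
import math
import socket
import struct
from collections import Counter

BT_PLAIN = b"\x13BitTorrent protocol"  # cleartext peer handshake prefix
MSE_MIN, MSE_MAX = 96, 96 + 512        # assumed: 768-bit DH value + 0..512 pad bytes

def bdecode(b, i=0):
    """Minimal bencode decoder: returns (value, index after value)."""
    c = b[i:i + 1]
    if c == b"i":
        end = b.index(b"e", i)
        return int(b[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while b[i:i + 1] != b"e":
            item, i = bdecode(b, i)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if c == b"d" else items), i + 1
    colon = b.index(b":", i)
    n = int(b[i:colon])
    return b[colon + 1:colon + 1 + n], colon + 1 + n

def peers_from_tracker(body):
    """Peer (ip, port) pairs from a compact tracker reply (6 bytes per peer)."""
    blob = bdecode(body)[0].get(b"peers", b"")
    blob = blob if isinstance(blob, bytes) else b""  # list form not handled here
    return {(socket.inet_ntoa(blob[k:k + 4]), struct.unpack("!H", blob[k + 4:k + 6])[0])
            for k in range(0, len(blob) - 5, 6)}

def randomness(data):
    """Byte entropy as a fraction of the maximum possible for this length."""
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(n, 256))

def classify(remote, first_payload, tracker_peers):
    if first_payload.startswith(BT_PLAIN):
        return "bittorrent-plain"
    opaque = (MSE_MIN <= len(first_payload) <= MSE_MAX
              and randomness(first_payload) > 0.9)
    # Random-looking bytes also match other encrypted protocols, so the
    # endpoint must already have been named as a peer by a tracker reply.
    if opaque and remote in tracker_peers:
        return "bittorrent-encrypted-likely"
    return "unknown"

# Constructed sample: tracker reply naming one documentation-range peer.
SAMPLE_TRACKER = b"d5:peers6:" + bytes([192, 0, 2, 10]) + struct.pack("!H", 6881) + b"e"
```

The tracker lookup is what keeps the entropy test from flagging every TLS or SSH session; it only works while tracker traffic itself is visible in cleartext.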


