Hi,

It requires BitTorrent protocol intelligence in the software. It finds out
BitTorrent peers (IP address and port on which the peer is listening) for
torrent files and keeps them in its storage. Any new connections going to
these peers or coming from these peers are considered BitTorrent file
transfer connections. With this mechanism, it is possible to detect
encrypted file transfer connections. Note that this is only a high-level
description of the approach; there are lots of bells and whistles in the
implementation. Yes, we will have this feature in the free IntruPro IPS
software.

Srini
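
The peer-table approach described above, as an added example that is not part of the original mail and is not IntruPro's code: a tracker announce response is decoded, the peers it lists (IP and listening port) are stored with a time-to-live, and each new connection is classified by whether it goes to or comes from a stored peer, without looking at the payload at all. The bencode decoder, the `PeerTable` class, the constructed tracker response and the sample flow records are all assumptions made for this illustration; the inbound match on IP alone (because the remote side's source port is ephemeral) is a design choice of the example, not something the mail states.

```python
# Added example, not code from the original mail or from IntruPro: a minimal
# "tracker intelligence" classifier in the spirit of the approach described above.
# The bencode decoder is a deliberately small one, and the tracker response,
# peer addresses and flow records below are constructed sample data.
import socket
import struct


def bdecode(data, pos=0):
    """Minimal bencode decoder for ints, byte strings, lists and dicts.
    Returns (value, next_position)."""
    c = data[pos:pos + 1]
    if c == b'i':                                   # integer: i<digits>e
        end = data.index(b'e', pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b'l', b'd'):                           # list / dict: l...e / d...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b'e':
            item, pos = bdecode(data, pos)
            items.append(item)
        pos += 1
        if c == b'l':
            return items, pos
        return dict(zip(items[0::2], items[1::2])), pos
    colon = data.index(b':', pos)                   # byte string: <len>:<bytes>
    length, start = int(data[pos:colon]), colon + 1
    return data[start:start + length], start + length


def extract_peers(tracker_response):
    """Return {(ip, port)} from a bencoded announce response, handling both the
    compact 6-byte-per-peer form and the list-of-dicts form."""
    resp, _ = bdecode(tracker_response)
    peers = resp.get(b'peers', b'')
    found = set()
    if isinstance(peers, (bytes, bytearray)):
        for off in range(0, len(peers) - len(peers) % 6, 6):
            ip = socket.inet_ntoa(peers[off:off + 4])
            (port,) = struct.unpack('!H', peers[off + 4:off + 6])
            found.add((ip, port))
    else:
        for p in peers:
            found.add((p[b'ip'].decode(), int(p[b'port'])))
    return found


class PeerTable:
    """Learned peers with a time-to-live, so stale entries stop matching."""

    def __init__(self, ttl=1800):
        self.ttl = ttl
        self.peers = {}                             # (ip, port) -> time learned

    def learn(self, tracker_response, now):
        for peer in extract_peers(tracker_response):
            self.peers[peer] = now

    def known_endpoint(self, ip, port, now):
        seen = self.peers.get((ip, port))
        return seen is not None and now - seen <= self.ttl

    def known_host(self, ip, now):
        return any(k_ip == ip and now - seen <= self.ttl
                   for (k_ip, _), seen in self.peers.items())

    def classify(self, flow, now):
        """flow = (src_ip, src_port, dst_ip, dst_port) of a new connection.
        Outbound: the destination must match a learned (ip, listening port).
        Inbound: the remote source port is ephemeral, so only its IP can be
        matched (a coarser check, chosen here as a design assumption)."""
        src_ip, src_port, dst_ip, dst_port = flow
        if self.known_endpoint(dst_ip, dst_port, now) or self.known_host(src_ip, now):
            return 'bittorrent'                     # payload is never inspected
        return 'unknown'


def build_compact_response(peers, interval=1800):
    """Construct a compact-format announce response for the sample below."""
    blob = b''.join(socket.inet_aton(ip) + struct.pack('!H', port) for ip, port in peers)
    return (b'd8:intervali%de5:peers%d:' % (interval, len(blob))) + blob + b'e'


def demo():
    """Learn two constructed peers, then classify four constructed flows."""
    table = PeerTable(ttl=1800)
    table.learn(build_compact_response([('10.0.0.5', 6881), ('192.0.2.7', 51413)]), now=1000)
    flows = [
        ('10.1.1.20', 49152, '10.0.0.5', 6881),     # outbound to a learned peer
        ('192.0.2.7', 40001, '10.1.1.20', 6881),    # inbound from a learned peer IP
        ('10.1.1.20', 49153, '203.0.113.9', 443),   # ordinary HTTPS, never learned
        ('10.1.1.20', 49154, '10.0.0.5', 22),       # learned IP, wrong port
    ]
    return [table.classify(f, now=1000) for f in flows]


if __name__ == '__main__':
    for verdict in demo():
        print(verdict)
```

Because the verdict depends only on the peer table, the classifier is indifferent to whether the stream is encrypted or padded; what it does depend on is seeing the tracker exchange first, and on the time-to-live being short enough that a host reused for other traffic is not flagged forever.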


-----Original Message-----
From: Ravi Chunduru [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 19, 2007 8:55 AM
To: Srinivasa Addepalli
Cc: [email protected]
Subject: Re: bittorrent file transfer - rate limit

Can you please elaborate on the methodology you outlined for detection of
BitTorrent encrypted connections? Do you have plans to provide this
support in the free IntruPro IPS software?

Thanks
Ravi

On 10/9/07, Srinivasa Addepalli <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Older versions of Bit Torrent clients use TCP based transfer for downloading
> and uploading pieces. Later versions of clients support multiple methods for
> data transfer. Web seeding is one method which we see commonly. We also see
> Azureus client using UDP based data transfer. In addition, if peers support
> cryptography, then the connections (TCP or UDP) are encrypted.
>
> It is difficult to detect encrypted connections using typical pattern
> matching. The first two packets of the connection exchange DH pairs to get a
> symmetric key. This symmetric key is used to encrypt the rest of the stream.
> The first two packets are even padded with random data of random length to
> avoid detection by any traffic enforcers. This is done very cleverly and it
> has been very successful. We believe that traffic heuristics combined with
> some intelligence of tracker connections is one way to detect these
> encrypted connections.
>
> By the way, IntruPro-IPS has signatures for detecting 'web seeding' and
> 'UDP' based data transfer connections in addition to TCP based connections.
> These signatures were added recently and you may like to get the latest
> version of the signature set.
>
> Srini
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Ravi Chunduru
> Sent: Sunday, October 07, 2007 9:27 AM
> To: [email protected]
> Subject: bittorrent file transfer - rate limit
>
> I am trying to use IntruPro-IPS to limit bittorrent traffic to 20% of
> my bandwidth.
>
> It is able to detect file transfer traffic in many cases using the rules
> given as part of the product distribution. If I use bittorrent (downloaded
> from www.bittorrent.com) I can see that this p2p traffic is not
> exceeding the 20% limit (100kbps). But if I use another client application
> such as azureus or uTorrent, I find that bittorrent data traffic is
> not recognized for some torrents.
>
> This product has a facility to add new rules to detect application
> traffic. I tried to add new rules with patterns from bleedingthreats
> and l7 filters and the results are the same. Does anybody have the right
> patterns to detect all kinds of bittorrent file transfer connections?
>
> Thanks
> Ravi
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
>
>
>
> ****************************************************************************
> This email message (including any attachments) is for the sole use of the
> intended recipient(s) and may contain confidential, proprietary and
> privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> immediately notify the sender by reply email and destroy all copies of the
> original message. Thank you.
>
> Intoto Inc.
>
>



