topic Re: Matching p2p packets with NBAR? in Network Security

Matching p2p packets with NBAR?

lukaszwisniowski — Fri, 21 Feb 2020 06:31:37 GMT

I wonder whether there is any possibility for NBAR to match more than 16 ports for each type of protocol (for example fasttrack)? The problem is that for example imesh is using ports between 1024 and 7000 !!! I successfully managed to block p2p applications using string matching in iptables (linux), the thing is that I have no idea how to create access-list or class-map basing on strings in packets?

Anyone managed to shape todays p2p traffic using cisco routers?

Thanks for reply

Re: Matching p2p packets with NBAR?

wdrootz — Mon, 03 Feb 2003 19:36:00 GMT

The only way out of the "max 16 port" predicament (?... 🙂 ) that I know of is to use access lists. There is no limit on the number of entries in an access list. If the desired action is same irrespective of the port (which seems to be the case here) then this is the way out. For examples on the same, see the following docs:

1) http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfnbar.htm#52645.

2) http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e2/nbar2e.htm

Re: Matching p2p packets with NBAR?

dldresser — Tue, 11 Feb 2003 03:08:25 GMT

Has anyone had success using the kazaa2.pdlm? Does it encounter the same 16 port issue? I have used it, created a class map and set a policy to drop all packets. However, it only stops the packets for about a minute and then they get through (packet counters increase as shown below)

test#sh ip nbar protocol-discovery protocol kazaa2

FastEthernet0/0

Input Output

Protocol Packet Count Packet Count

Byte Count Byte Count

5 minute bit rate (bps) 5 minute bit rate (bps)

------------------------ ------------------------ ------------------------

kazaa2 409 0

25050 0

0 0

unknown 294 0

22011 0

0 0

Total 7571 4352

947852 4143655

14000 53000

------------------------------------------

This is the class map

class-map match-any Kazaa

description Kazaa

match protocol kazaa2

match protocol fasttrack

match protocol http url "\.hash=*"

match protocol napster

match protocol gnutella

----------------

here is the policy to drop all packets

policy-map Test_Policy

class Kazaa

police cir 8000 bc 1000 be 1000

conform-action drop

exceed-action drop

violate-action drop

----------------------------------------------------

These are applied using service-policy command but no luck as of yet....Any suggestions? (have tried both 12.2(8)T5 and 12.2(13)T1 code on 3640 router.

Thanks!

Re: Matching p2p packets with NBAR?

lukaszwisniowski — Tue, 11 Feb 2003 08:46:29 GMT

You can't define ports for kazaa2 NBAR so it probably means that it is working on all ports. I don't know why, but I can't access pdlms on cisco site using standard login. Is it somehow restricted?

I've heard that kazaa2 NBAR wasn't accurate to limit traffic but it is blocking transmitions without any problems . What I propose is to block kazaa2 on all ports except 1214 and put this port into proper class-map. Port 1214 is used only by kazaa and other p2p. Of course kazaa will be working much slower but finally you managed to controll it and didn't blocked it if you are not allowed.

Re: Matching p2p packets with NBAR?

dboyko — Wed, 06 Aug 2003 20:41:39 GMT

I had the same problem using the "...action drop", but when I changed it to a true rate-limiting action (basically throttling the traffic to get ZERO bandwidth), it did the trick to Stop KaZaa.

Re: Matching p2p packets with NBAR?

sergej.gurenko — Thu, 08 Apr 2004 16:40:33 GMT

" ...action drop" do not work well. There is a workaround: use traffic marking and after dropp it with route map