topic Block P2P traffic in Network Security

Block P2P traffic

Yadhu Tony — Tue, 12 Mar 2019 00:18:02 GMT

Hello,

I have tried the below configuration to block the P2P traffic.But still the users can download using utorrent client. How do I effectively block all the P2P traffic. Please help.

Class Map

class-map type inspect match-any ALL-P2P-PROTOCOLS
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature

class-map type inspect match-all P2P-PROTOCOL
match class-map ALL-P2P-PROTOCOLS
match access-group name INTERNET-ACL

class-map type inspect http match-any HTTP-PORT-MISUSE
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling

Policy Map

policy-map type inspect http HTTP-PORT-MISUSE-POLICY
class type inspect http HTTP-PORT-MISUSE
reset
log

policy-map type inspect IN-TO-OUT-POLICY
class type inspect P2P-PROTOCOL
drop log
class class-default
drop log
class type inspect HTTP-ACCESS
inspect

service-policy http HTTP-PORT-MISUSE-POLICY

Also I am attaching the logs and 'show policy-map type inspect zone-pair IN-TO-OUT' output.

Please help me out.

Regards,

Tony

Block P2P traffic

Julio Carvajal — Fri, 02 Nov 2012 17:25:43 GMT

Hello,

Can you share the ACL INTERNET-ACL

Regards,

Julio

Block P2P traffic

Yadhu Tony — Sat, 03 Nov 2012 03:27:16 GMT

Hello Julio,

Please see the ACL INTERNET-ACL

ip access-list extended INTERNET-ACL

permit ip host 172.17.0.81 any

permit ip host 172.17.0.82 any

permit ip host 172.17.0.83 any

permit ip host 172.17.0.84 any

permit ip host 172.17.0.111 any

permit ip host 172.17.1.53 216.239.32.0 0.0.31.255

permit ip host 172.17.1.53 64.233.160.0 0.0.31.255

permit ip host 172.17.1.53 66.249.64.0 0.0.31.255

permit ip host 172.17.1.53 72.14.192.0 0.0.63.255

permit ip host 172.17.1.53 209.85.128.0 0.0.127.255

permit ip host 172.17.1.53 66.102.0.0 0.0.15.255

permit ip host 172.17.1.53 74.125.0.0 0.0.255.255

permit ip host 172.17.1.53 64.18.0.0 0.0.15.255

permit ip host 172.17.1.53 207.126.144.0 0.0.15.255

permit ip host 172.17.1.53 173.194.0.0 0.0.255.255

permit ip host 172.17.1.103 216.239.32.0 0.0.31.255

permit ip host 172.17.1.103 64.233.160.0 0.0.31.255

permit ip host 172.17.1.103 66.249.64.0 0.0.31.255

permit ip host 172.17.1.103 72.14.192.0 0.0.63.255

permit ip host 172.17.1.103 209.85.128.0 0.0.127.255

permit ip host 172.17.1.103 66.102.0.0 0.0.15.255

permit ip host 172.17.1.103 74.125.0.0 0.0.255.255

permit ip host 172.17.1.103 64.18.0.0 0.0.15.255

permit ip host 172.17.1.103 207.126.144.0 0.0.15.255

Regards,

Tony

Block P2P traffic

Julio Carvajal — Sat, 03 Nov 2012 04:25:01 GMT

Hello Tony,

Hope you are doing great

What happens if you take out the ACL from the class-map, Does it make a difference?

Regards,

Julio

Block P2P traffic

Yadhu Tony — Sat, 03 Nov 2012 05:19:52 GMT

Hello Julio,

I removed 'INTERNET-ACL' from 'class-map type inspect match-all P2P-PROTOCOL' but still P2P traffic is allowed. Could you please tell me what I am doing wrong?

Regards,

Tony

Block P2P traffic

Julio Carvajal — Sat, 03 Nov 2012 05:39:17 GMT

Hello Yadhu,

Actually the configuration looks good but block bittorrent traffic and P2P connections now days is not as simple.

There are several ways this connections can try to bypass our security policies but I think we can add more stuff to our configuration.

Please read the following document and add follow the configuration they have applied,

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html

Let me know if there is something you do not understand on that config,

Regards

Block P2P traffic

Yadhu Tony — Sat, 03 Nov 2012 06:04:51 GMT

Hello Julio,

Thank you for your reply and link. The configuration seems to be very refined. Let me try it out and inform you of the outcome.

Regards,

Yadhu

Block P2P traffic

Yadhu Tony — Mon, 05 Nov 2012 10:51:43 GMT

Hello Julio,

There is an update from my side. I followed the link and modified the configuration. Unfortunately the result is negative. But I found that more packets are being dropped because of the tight policies. Anyway thank you so much for your help and support. Please let me know if there is any better method available so that we can block the entire traffic that kills our bandwidth.

Regards,

Tony

Block P2P traffic

Julio Carvajal — Mon, 05 Nov 2012 17:42:16 GMT

Hello Tony,

Okay. I have seen on the last couple of days that because of how this protocols are being tunneled or jumping from one port to another, etc. Its pretty difficult to blok it with ZBFW.

So instead of doing that I would like to check if we can block it with NBAR, can we give it a try ??? If yes, here is how

class-map match-any p2p
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
match protocol cuseeme
match protocol novadigm
match protocol ssh
match protocol irc

policy-map P2P-DROP
class p2p
drop

Apply the policy to the user-facing (incoming) interface.

int xxxxx

You can verify the status by doing:

sh policy-map int xxx

sh ip nbar protocol-discovery

Let me know the result,

Remembe to rate all of the helpful posts

service-policy input P2P-DROP

Block P2P traffic

Yadhu Tony — Tue, 06 Nov 2012 11:23:19 GMT

Hello Julio,

Thanks for your reply. Yeah, NBAR feature is more stronger than ZBFW ! More packets are being dropped after I configure NBAR on my router. But still it is not completely blocked. Please see the 'sh policy-map interface gi0/0 input' output :

ISR#sh policy-map interface gi0/0 input
GigabitEthernet0/0

Service-policy input: P2P-DROP

    Class-map: P2P (match-any)
      108893 packets, 11349383 bytes
      5 minute offered rate 5000 bps, drop rate 5000 bps
      Match: protocol edonkey
        328 packets, 250522 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        98 packets, 6066 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol cuseeme
        2 packets, 290 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol irc
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        108298 packets, 11050790 bytes
        5 minute rate 5000 bps
      drop

    Class-map: class-default (match-any)
      3329777 packets, 1295326162 bytes
      5 minute offered rate 209000 bps, drop rate 0 bps
      Match: any

Regards,

Tony

Block P2P traffic

Julio Carvajal — Tue, 06 Nov 2012 19:11:52 GMT

Hello Yadhu,

Then I will suggest you to use an aplication to block this as the ZBFW or NBAR had been able to block this,

At least the ZBFW let you know how is using P2P application so you can go and talk to them but based on the last cases I have seen p2p applications have not been succesfully block ( 100 % talking)

Regards

Block P2P traffic

Yadhu Tony — Thu, 08 Nov 2012 09:29:52 GMT

Hello Julio,

Anyway that was a nice experiment with P2P traffic Feel it is better to use an application like Symantec Endpoint Protection.

Regards,

Yadhu

Block P2P traffic

Julio Carvajal — Thu, 08 Nov 2012 21:36:31 GMT

Hello Yadhu,

Exactly,

We definetly tried it

Remember to rate all of the helpful posts

Regards

Re: Block P2P traffic

Yadhu Tony — Sat, 15 Dec 2012 12:18:30 GMT

I just summarized the discussion and published it on http://yadhutony.blogspot.in/2012/11/how-to-block-p2p-traffic-on-cisco-router.html

It gives me the best result !

Thanks Julio for your support.

Regards,
Tony

http://yadhutony.blogspot.com

Re: Block P2P traffic

Julio Carvajal — Sat, 15 Dec 2012 17:52:55 GMT

Hello Yadhu,

Good job with the document, really clear

Yes, I would say an external dedicated server or device will be need it to block this traffic ( maybe with a deeper application inspection)

Regards,

Julio