cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2369
Views
0
Helpful
11
Replies

NBAR and P2P

tgregorics
Level 1
Level 1

Hi,

I'd like to know if NBAR can detect the bittorent trafic if a client like uTorrent enables protocol encryption. (http://www.utorrent.com/faq.php#Does_.C2B5Torrent_support_Protocol_Encryption.3F)

If it can't, is there any way to still be able to shape this p2p taffic to a limitted rate?

11 Replies 11

Edison Ortiz
Hall of Fame
Hall of Fame

If you know the source/destination port that is using, sure. You can either create an ACL matching those values or a custom NBAR.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_i1h.htm#wp1168104

HTH,

__

Edison.

If i knew the port numbers i would use ACLs and wouldn't need NBAR in the first place.

Unfortunately now days trackers use random port numbers, obviously to make filtering harder. I can't track down every tracker my local users use, and even if i do, they just search for an other one.

So, basically you saying that NBAR only classifies p2p traffic based on "known" port numbers? if so, then it's useless.

NBARs deployed by Cisco checks for application behavior, custom NBARs only check for src/dst ports.

__

Edison.

Well, good to know, but with this we are back to square one.

I still don't know if the bittorrent NBAR can match encrypted torrent packets (like the ones uTorrent, the MOST POPULAR client, generates) or not?

HI, [PLS RATE if HELPS]

Cisco IOS version 12.4(4)T introduced the much awaited Skype classification in NBAR. Now, with simple policy you can block Skype in much the same way as you used to block kazza, limewire, and other p2p applications.

Example:

NBAR configuration to drop Skype packets

class "map match" any p2p

match protocol skype

policy "map block" p2p

class p2p

drop

int FastEthernet0

description PIX "facing interface service"

policy "input block" p2p

If you are unsure about the bandwidth-eating applications being used in your organization, you can access the interface connected to the Internet and configure using the following command:

"ip nbar protocol-discovery"

This will enable nbar discovery on your router.

If you use the following command:

"show ip nbar protocol-discovery stats bit-rate top-n 10"

It will show you the top 10 bandwidth-eating applications being used by the users. Now, you will be able to block/restrict traffic with appropriate QoS policy.

You can also use "ip nbar port-map" command to look for the protocol or protocol name using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.

Usage as per Cisco:

"ip nbar port-map protocol-name [tcp | udp] port-number"

Up to 16 ports can be specified with the above command. Port number values can range from 0 to 65535.

Here is the another way to go:

================================

Download the PDLM from Cisco to your flash then configure.

ip nbar pdlm flash:bittorrent.pdlm

ip nbar pdlm flash:eDonkey.pdlm

ip nbar pdlm flash:gnutella.pdlm

ip nbar pdlm flash:kazaa2.pdlm

ip nbar pdlm flash:WinMX.pdlm

ip nbar pdlm flashrinter.pdlm

!

class-map match-any nbar-discovery

match protocol gnutella

match protocol kazaa2

match protocol napster

match protocol printer

match protocol http url "*cmd.exe*"

match protocol fasttrack

match protocol novadigm

match protocol edonkey

match protocol bittorrent

!

!

policy-map ip-prec-marked

class nbar-discovery

drop

!

Interface Serial0/1

ip nbar protocol-discovery

service-policy input ip-prec-marked

HOPE I am Informative.

PLS RATE if HELPS !!!!

Best Regards,

Guru Prasad R

Hi,

I have the same problem, however although I have every other command to block protocols I have no skype.

Using the latest IOS on advanced security on a 2851, can you offer any thoughts ?

Cheers

Chris

fyi:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_trfc_nbar_map.html

notes 12.4(4)T "supports only Skype version 1. Version 2 is not yet supported. "

Hiya,

Yes I`m aware of that one.

Answered my own question incidently, in that the NBAR Skype blocking is only in very specific versions of the IOS.

Feature Navigator seems to list these so going to try one of those next week

Cheers

Chris

Joseph W. Doherty
Hall of Fame
Hall of Fame

The latest NBAR PDLM for BitTorrent is version 3.0, datestamped 8/22/2007. The release notes don't mention encryption, so that might be a problem, but they do note (for non-encypted?) "The BitTorrent PDL module identifies and classifies most BitTorrent traffic regardless of port." Try it and see if it helps.

PS:

Some NBAR protocol matching is just a pretty face on port matching, other NBAR protocol matching does deeper and/or stateful analysis. See http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6558/ps6612/ps6653/prod_qas09186a00800a3ded.html for more information.

slaptijack
Level 1
Level 1

I'm sure this is a case of too little too late, but I can tell you from personal experience that NBAR does not detect encrypted Bittorrent trafic.

Sorry.

Yes I can confirm that it does not detect encrypted traffic. With encryption off my policy works and the client gets no download. As soon as the client turns on encryption the download will start.

I have heard people have had some success blocking access to the info_hash file from the tracker using http url filtering with a regex. This effectively starves the client of peers.

Review Cisco Networking for a $25 gift card