Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1388
Views
0
Helpful
10
Replies

Unabel to block Gnutella

slerbeton79
Level 1
Level 1

‎12-04-2010 10:33 PM - edited ‎03-04-2019 10:41 AM

Hello all I am unable to block gnutella p2p.  Attached it my current config, all others work (bittorent fasttrack etc) but programs that use gnutella network (limewire/frostwire etc) are not blocked.  I also tried the match protocol gnutella file-transfer "*" without luck.

any ideas?

Labels:
76437-vger-confg.zip
0 Helpful
10 Replies 10

Talha Ansari
Level 1
Level 1

‎12-05-2010 04:19 AM

May be the p2p software is using some sort of encryption. You may try one method. On the users pc when you start gnutella check 'netstat -an' from command prompt and find out the destination ip address and the port number that the p2p program uses to communicate. Once you got hold of this you may create an extended access-list to drop all traffic by mentioning the destination ip address and the port number.

You can also take a sniffer trace and find out the destination ip address and the port number.

Hope that helps...

0 Helpful

slerbeton79
Level 1
Level 1
In response to andrew.prince

‎12-05-2010 09:06 AM

The issue with gnutella is that each time the application opens it creates new connections to random ip's and ports.

Anybody?

0 Helpful

Talha Ansari
Level 1
Level 1
In response to slerbeton79

‎12-05-2010 11:01 PM

Atleast take sniffer capture on your end user desktop and observe if there is some common port number(s) or common destination ip(s) which could be blocked.

0 Helpful

slerbeton79
Level 1
Level 1
In response to Talha Ansari

‎12-06-2010 02:00 PM

Instead of keep going to user's pc, I installed frostwire on my test machine and the program defaulted to TCP port 22486, and since that is not usual port gnutella pdlm montors, I added that port to the gnutella pdlm as well as created a custom one with that port. The next time the gnutella client loads it detects it cannot connect on 22486 tcp port so it connects on another random port in my case is port 54387.   Any other ideas?

0 Helpful

andrew.prince
Level 10
Level 10
In response to slerbeton79

‎12-07-2010 01:55 AM

1) Install a proxy server and force all internet traffic thru it.

or

2) Block all TCP/UDP ports higher than 1024, then deal with the applications on a per time basis.

or

3) Install a security client on the user machines to stop unauthorised applications from running.

or

4) Amend you AD policy to not allow users to install software on the machines

Plenty of servers.

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to slerbeton79

‎12-07-2010 02:12 AM

Hi sheldon,

The other p2p programs you are blocking but they have the same dynamic behaviour of changing ports so why gnutella is not blocked?

Furthermore NBAR is doing L7 inspection so the port can be anything it will recognize specific datapayload for gnutella.

Can't these protocols use normal apps ports not blocked like www? so blocking ports > 1024 will be useless.

Maybe you can mark good traffic and then based on that marking drop bad traffic?

Regards.

Don't forget to rate helpful posts.
0 Helpful

Shelley Bhalla
Level 3
Level 3

‎12-07-2010 06:38 AM

Gnutella applications are smart. When they cannot connect they morph  their signatures to see which one can. And everytime this happens

it is on a random port.

Not being intrusive to  other good traffic, it is always recommended to not block but severely  throttle the P2P traffic. This way the connection is made hence the  signature morph does not happen but the connection speed is so less that  users are discouraged to use the application completly.

If the user database is large and this is a huge annoyance that you want to control at any cost... Try Cisco SCE1010 as a product. This is a DPI device which has a lot of features that help ISP, Universities and schools amongst other.

Regards

Shelley.

0 Helpful

slerbeton79
Level 1
Level 1
In response to Shelley Bhalla

‎12-07-2010 07:08 AM

Thank you everyone for all your help.  I will end up having to throttle it instead of blocking.  The only thing I find strange is all other peer to peer traffic is completely blocked. Even trying to circumvent myself the router identifies it all and blocked, but for gnutella which is the worst for pirate software the cisco pdlm can't stop it.

0 Helpful

Shelley Bhalla
Level 3
Level 3
In response to slerbeton79

‎12-07-2010 08:02 AM

Gnutella is nasty for morphing signatures and trying to get out to the internet ins one way or the other. Seriously you are not alone in this battle. A lot of Gnutella was/is due to limewire/frostwire. Good news is that Limewire is closing shop in 2011 so soon this will be a thing of the past.

Ofcourse there are other Gnutella apps out there but majot chunk was limewire. There is rumors that even though limewire was shut down there are still some backdoors open. They all will close by 2011.

Please rate any posts that helped you.

Regards,

Shelley

Cisco TAC

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card