17

I support a small business's tech issues, including setting up a guest WiFi network. The WiFi is important since they want people sitting around and consuming their product. Over the past months they've received numerous DMCA notices from their ISP regarding someone who insists on downloading porn via P2P. We're currently using a consumer-grade Netgear access point. We're looking for ideas on how to stop the bad actors without sacrificing the service to our customers.

uSlackr
    I'm almost certain you'll discover that the perp is a member of staff, not a customer. – Lightness Races in Orbit Oct 09 '15 at 09:44
  • 5
    This seems more of a [superuser.se] question; it's not really about "security". – Lightness Races in Orbit Oct 09 '15 at 09:45
  • Is not stopping the "bad actors" but still eliminating the legal problems still a solution? See my answer. You can't solve people problems with technology, but you can solve tech problems with tech (you are the node between the bad guys and the internet, but you don't have to be). – Freedo Oct 09 '15 at 14:06
  • @LightnessRacesinOrbit I've thought of that. My first goal is to stop this on the guest wifi. If they get another notice then mgmt can deal with that. – uSlackr Oct 09 '15 at 15:43
  • What's the problem with porn? I wouldn't care too much about internet connection if it was banned. – Vorac Jun 29 '20 at 17:19

7 Answers

17

It does not take much effort to block P2P etc with current routers and restrict access as this detailed article from 2011 (Lifehacker) shows.

But unless you restrict access a lot and thus make users unhappy they will still be able to upload copyrighted content to youtube, make bomb threats etc. If you don't want to deal with these liability issues (which also differ between countries) you better let a commercial hotspot provider deal with it. These providers usually create a separated network for the guests and route the traffic over their own infrastructure. This way they appear as the source of the traffic and not you and thus they also handle all the liability problems. Of course this shift of responsibility has a price which either you or your customers must pay.

Steffen Ullrich
  • You'll never deal with the text postings ("bomb threats") by technical means. Even if you block email and all known social networking sites someone will think of another way of posting, but you've lost all your legitimate clients. Getting a provider to do it for you might or might not help. After all, you're still at the end of the line. (but +1) – Chris H Oct 09 '15 at 08:30
  • 3
    @ChrisH: if the source of the connection is the hotspot provider and not your company then this hotspot provider deals with the police etc and only when this is not sufficient your company might get involved as a potential witness. Thus this risk is greatly reduced for the company. – Steffen Ullrich Oct 09 '15 at 08:57
  • The router we use has access restrictions but only controls p2p over VPN tunnels and not "regular" ports. – uSlackr Oct 09 '15 at 15:39
4

You know what is really the cheapest and simplest solution? Buy a VPN plan, and route all the company traffic (or the guest WiFi traffic) to the VPN. Never again care whether your users are watching porn, downloading torrents, buying drugs or whatever; you won't be responsible for it. Let the VPN company take care of that.

I think this solution is really good because it's cheap and it's one less problem to spend time on, and any VPN will do it.

Freedo
3

Per this superuser answer, you can try to block access to web sites that index the torrents. This isn't quite what you asked for but may help. That answer explains: One way to do this in an indirect way is by using OpenDNS.

  1. Set the DNS server in your router settings to the OpenDNS servers (208.67.222.222 and 208.67.220.220).
  2. Create an account on the OpenDNS web site (that's free), and follow the instructions on their web site on how to configure it.
  3. Then in your account settings choose a custom filtering level and select to block "P2P/File sharing". If you want you can block other categories, I'd definitely block "Phishing", and depending on your needs you can add specific sites as exceptions or to be blocked.

As this is only blocking access to the sites that index torrents, it won't stop a torrent that has already been downloaded to the users computer from continuing. Also, users can configure their own DNS. But this might discourage some unwanted activity.

There are also some routers that won't break the bank (a $216 example) that have fairly sophisticated firewalls in them that I think can be configured to block P2P protocols. You should check with the vendors before purchasing.

Neil Smithline
  • This only works if clients use the router itself as a DNS, no? – Lightness Races in Orbit Oct 09 '15 at 09:45
  • 6
    It's so trivial to override DNS settings that this is worthless. OpenDNS is only useful if you are the systems administrator and can prevent users from changing their DNS settings. Additionally, this will have no effect on torrents that users have already started, since domain name resolution is only required to reach torrent search websites. – MJeffryes Oct 09 '15 at 10:23
  • Updated answer to reflect limitations @MJeffryes. Thanks for the feedback. – Neil Smithline Oct 09 '15 at 15:45
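The limitation raised in the comments above (clients can simply point themselves at another resolver) is something you can at least see from the router or gateway side. The following is an added example, not code from the answer or from OpenDNS: it reads constructed flow records (source, destination, protocol, destination port, bytes) and lists guest clients that send DNS traffic anywhere other than the router or the two OpenDNS addresses from the answer. The gateway address `192.168.1.1`, the client addresses and the public resolvers appearing in the sample data are all constructed for the example; port 853 is included because DNS over TLS also bypasses a filtering resolver.

```python
"""Flag guest-WiFi clients that bypass the router's DNS (e.g. OpenDNS).

Added example, not from the original answer. Input is a constructed flow
log in the form 'src_ip dst_ip proto dst_port bytes', one flow per line.
"""
from collections import defaultdict

# Resolvers the router is expected to hand out (OpenDNS, from the answer).
ALLOWED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
ROUTER_IP = "192.168.1.1"  # assumed gateway address (constructed)

# Constructed sample flow log: src dst proto dport bytes
SAMPLE_FLOWS = """\
192.168.1.23 208.67.222.222 udp 53 120
192.168.1.23 93.184.216.34 tcp 443 54000
192.168.1.42 8.8.8.8 udp 53 96
192.168.1.42 8.8.8.8 udp 53 110
192.168.1.57 192.168.1.1 udp 53 88
192.168.1.57 1.1.1.1 tcp 853 2200
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split()
        records.append({"src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def dns_bypass_clients(records, allowed=ALLOWED_RESOLVERS, router=ROUTER_IP):
    """Return {client_ip: sorted list of resolvers that are not the router
    or an allowed filtering resolver}.

    Plain DNS (udp/tcp 53) and DNS over TLS (tcp 853) both count as DNS;
    any other traffic is ignored.
    """
    findings = defaultdict(set)
    for r in records:
        is_dns = r["dport"] == 53 or (r["proto"] == "tcp" and r["dport"] == 853)
        if not is_dns:
            continue
        if r["dst"] == router or r["dst"] in allowed:
            continue
        findings[r["src"]].add(r["dst"])
    return {client: sorted(dsts) for client, dsts in findings.items()}


if __name__ == "__main__":
    for client, resolvers in dns_bypass_clients(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{client} bypasses the router DNS via {', '.join(resolvers)}")
```

Seeing a client in this list is the signal that the OpenDNS category filter is not being applied to it; the usual router-side fix is to redirect or drop outbound port 53/853 traffic that is not addressed to the router, which is outside what this check does.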
1

If you block p2p downloads they'll probably download over http instead. But blocking p2p ports is probably a good idea as other answers have said. I suspect that you've got someone with a home connection that either blocks or monitors these downloads and you're the easiest place for them to get their videos.

You don't say how much bandwidth you've got (or monthly data allowances), but per-client throttling could well make it much less worth their while over any protocol while freeing up bandwidth for your other users. You could probably set it at a level that allows casual youtube watching -- or maybe stopping that too would be nice to your other customers (depending on manners and headphones). A good enough router could easily implement progressive throttling, where the connection slows with quantity downloaded, but I don't know if there's anything cheaply commercially available.

Failing that, try to figure out who it is and point them to some advice about TOR or privacy-protecting VPNs (do some homework first, I haven't kept up with the details on this). That would have two effects -- conceal your involvement and probably let them download elsewhere. A third might be that you wouldn't see them again.

Chris H
  • So your advice is to locate the customer (actually I suspect staff member) who's using your company wifi to download porn, and _tell them how to do so secretly_? wtf – Lightness Races in Orbit Oct 09 '15 at 09:46
  • 1
    @LightnessRacesinOrbit, my *plan C* (after blocking, throttling) is point them to advice on how they can do it elsewhere (my assumption in the first para). If they did that properly you wouldn't even know what they were doing on your network. From the OP's Q I take it that the issue is p2p/DMCA, rather than the nature of the content. You assume it's staff, which makes things harder. I didn't. – Chris H Oct 09 '15 at 10:04
  • No, I don't assume it's staff. I said, clearly, I _suspect_ it's staff. And either way makes no difference. – Lightness Races in Orbit Oct 09 '15 at 10:09
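The "progressive throttling" idea in the answer above, where a client's allowed rate drops as its daily download volume grows, is easy to state as a policy even if the router in question cannot enforce it. The following is an added example, not code from the answer or from any router firmware: it keeps a per-client byte counter that resets each day and maps the running total onto rate tiers. The tier thresholds and rates (4000 kbit/s until 500 MB, 1000 kbit/s until 2 GB, 256 kbit/s after that) are assumptions chosen to illustrate the shape of the policy, not recommendations from the answer.

```python
"""Progressive per-client throttling policy (added example, not from the
answer). The more a client has downloaded in the current day, the lower the
rate tier it is placed in. Tier values below are assumptions.
"""
import bisect

# (cumulative bytes at which the tier starts, allowed rate in kbit/s)
TIERS = [
    (0, 4000),              # casual browsing / video speed
    (500 * 10**6, 1000),    # after 500 MB: noticeably slower
    (2 * 10**9, 256),       # after 2 GB: bulk downloads no longer worth it
]


class ProgressiveThrottle:
    def __init__(self, tiers=TIERS, day_seconds=86400):
        self.tiers = sorted(tiers)
        self.thresholds = [t for t, _ in self.tiers]
        self.day_seconds = day_seconds
        self.usage = {}  # client id -> [day_index, bytes_so_far]

    def _day(self, now):
        return int(now // self.day_seconds)

    def record(self, client, nbytes, now):
        """Add nbytes to the client's counter for the day containing 'now'.
        A new day starts the counter from zero. Returns the running total."""
        day = self._day(now)
        entry = self.usage.get(client)
        if entry is None or entry[0] != day:
            entry = [day, 0]
            self.usage[client] = entry
        entry[1] += nbytes
        return entry[1]

    def rate_for(self, client, now):
        """Rate tier (kbit/s) the client is currently entitled to."""
        day = self._day(now)
        entry = self.usage.get(client)
        used = entry[1] if entry is not None and entry[0] == day else 0
        # Highest tier whose threshold the client's usage has reached.
        idx = bisect.bisect_right(self.thresholds, used) - 1
        return self.tiers[idx][1]


def simulate(transfers, day_seconds=86400):
    """Replay (client, bytes, timestamp) tuples and return the rate each
    client would get after each transfer, in order."""
    policy = ProgressiveThrottle(day_seconds=day_seconds)
    out = []
    for client, nbytes, ts in transfers:
        policy.record(client, nbytes, ts)
        out.append((client, policy.rate_for(client, ts)))
    return out


if __name__ == "__main__":
    # Constructed sequence: one client pulls 600 MB, then 2 GB more, then
    # shows up the next day.
    demo = [("laptop-1", 600 * 10**6, 100),
            ("laptop-1", 2 * 10**9, 200),
            ("laptop-1", 10 * 10**6, 86400 + 60)]
    for client, rate in simulate(demo):
        print(client, rate, "kbit/s")
```

The policy only decides the tier; applying it still needs a device that can shape per client (per-MAC or per-IP queues), and, as the comments on the question point out, a client that reconnects with a fresh MAC address would start a new counter.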
-1

As far as I know, BitTorrent clients require UPnP to accept incoming connections behind NAT. If you disable UPnP in the router, users will no longer be able to seed files through BitTorrent.

This may affect some other applications as well.

(Note: most IPv6 networks don't support NAT. This may not work if your ISP supports IPv6.)

user2428118
-1

This type of traffic can be stopped with the use of either an IPS or a proxy. Using just a firewall will allow circumvention by using a different port. The below solutions are port independent and rely on monitoring of traffic to identify P2P traffic that may be sent over port 80.

A proxy is commonly used to prevent HTTP and/or HTTPS traffic, but they can also be used to filter on specific protocols being used. This is done by SPANing traffic to a system that identifies and detects protocol usage. When it is detected, it sends a reset signal.

An IPS works in a similar fashion to the above described solution. The difference is that the IPS is directly in-line and all traffic goes directly through the IPS. IPSes have many rules built-in out of the box to prevent malicious or illegal activity. Snort, for example, has the ability to observe P2P & TOR traffic. You can then have the IPS deny any traffic that matches the rules.

pr-
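The port-independent detection the answer above describes works by looking at payload rather than port numbers. The following is an added example, not code from the answer or from Snort: it classifies TCP payloads by two BitTorrent fingerprints, the peer-wire handshake (a length byte of 19 followed by the string `BitTorrent protocol`, 8 reserved bytes, a 20-byte info hash and a 20-byte peer id) and an HTTP tracker announce (a GET whose path contains `announce` and an `info_hash=` parameter). The sample payloads, including the one placed on port 80, are constructed for the example; acting on a match (resetting or dropping the flow) is left to the IPS or proxy, as in the answer.

```python
"""Port-independent detection of BitTorrent traffic in TCP payloads.

Added example, not from the answer or from Snort. Looks for two well-known
fingerprints regardless of the destination port: the peer-wire handshake
and an HTTP tracker announce. Sample payloads are constructed.
"""
import re

HANDSHAKE_PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(HANDSHAKE_PSTR) + 8 + 20 + 20  # 68 bytes

# HTTP tracker announce: GET /announce?info_hash=...&peer_id=... HTTP/1.1
ANNOUNCE_RE = re.compile(rb"^GET /[^ ]*announce[^ ]*info_hash=", re.IGNORECASE)


def is_bt_handshake(payload):
    """<pstrlen=19><'BitTorrent protocol'><8 reserved><20 info_hash><20 peer_id>"""
    if len(payload) < HANDSHAKE_LEN:
        return False
    return payload[0] == len(HANDSHAKE_PSTR) and payload[1:20] == HANDSHAKE_PSTR


def is_tracker_announce(payload):
    """HTTP GET to a tracker carrying an info_hash parameter."""
    return ANNOUNCE_RE.match(payload) is not None


def classify(payload):
    if is_bt_handshake(payload):
        return "bittorrent-handshake"
    if is_tracker_announce(payload):
        return "bittorrent-tracker-announce"
    return "other"


# Constructed samples: (destination port, first payload bytes of the stream)
SAMPLE_PAYLOADS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # A peer-wire handshake sent to port 80 to slip past a port-based filter.
    (80, bytes([19]) + HANDSHAKE_PSTR + b"\x00" * 8
         + b"\x11" * 20 + b"-XX0001-" + b"\x22" * 12),
    (443, b"GET /announce?info_hash=%11%11%11&peer_id=abc HTTP/1.1\r\n"
          b"Host: tracker.example\r\n\r\n"),
    # Too short to be a handshake even though it starts like one.
    (6881, bytes([19]) + HANDSHAKE_PSTR),
]


def scan(samples=SAMPLE_PAYLOADS):
    """Return (port, verdict) for each sample; the port plays no part in
    the verdict, which is the point of payload-based detection."""
    return [(port, classify(payload)) for port, payload in samples]


if __name__ == "__main__":
    for port, verdict in scan():
        print(f"dport={port:<5} {verdict}")
```

A Snort or Suricata rule expressing the same handshake check would anchor on the same bytes (`|13|BitTorrent protocol` at offset 0), which is why such rules match on any port; encrypted peer connections (message stream encryption) do not carry this plaintext and need other indicators, which the answer does not cover.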
-3

Unless there's a technical battle of wits, you can probably get by with just setting a different WPA2 password every day and handing it out to customers.

Jeff Ferland
  • 3
    What about a regular customer who happens to run a torrent client on his laptop? Every day, the customer makes a purchase, gets the wifi password, then logs in to do legitimate browsing while the P2P client happily runs in the background. – schroeder Oct 09 '15 at 02:37
  • technical battle of wits aside, it might be possible to raise the bar a little to prevent unintended or opportunistic "ill-mannerisms" - like blocking the common P2P ports, etc. – schroeder Oct 09 '15 at 02:39
  • This was the first idea we discussed. We felt like it punishes the wrong people. The bad guy will have no issue coming in. And there are a lot of regulars here. – uSlackr Oct 09 '15 at 15:35