7

As per the network policy, we have to block all torrent traffic from the network. To do this, I used to block all ports above 1024 on my firewall/proxy devices. But due to this, many other applications that use non-standard ports are not able to function, especially mobile applications, and users are complaining because of this.

Is there an effective way of blocking torrents on my network?
A minimum number of ports, or few specific ports, or application-level filtering?

We have Cisco Iron Port Security and Cisco ASA 5500 Firewall devices.

schroeder
Adi

7 Answers

17

You have a number of ways to restrict torrents:

  • Blocking ports: this doesn't work, because p2p traffic can use pretty much any port (even ones below 1024)
  • Deep inspection: looking at traffic and blocking based on type can help you a lot, however encrypted traffic all looks alike
  • Destination filtering: this may also help a bit, but you'd have to maintain a large blacklist
  • Volume: if a user is downloading/uploading large amounts of traffic then investigate
  • Controlling the applications installed on the computers on your network through Group Policy or a real world policy. Disallow all p2p applications, and if anyone breaches the policy don't let them use the network/fire them/fine them/whatever

Rory Alsop

  • Tracking volume by user + a baseball bat is usually your best bet ... I have also seen destination filtering with a whitelist with exceptions for specific users be quite effective. Controlling applications can be difficult to enforce (users can just boot from USB Linux and either give themselves root or run the torrent from bootable Linux) – CaffeineAddiction Aug 13 '16 at 23:31
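One way to act on the "Volume" item above, as an added example that is not part of this answer: rank users by daily transfer volume against their peers with a median/MAD outlier score, which a single heavy hitter cannot skew the way a mean-based threshold can. The per-user usage records are constructed, and the export format is assumed.

```python
"""Flag users whose daily transfer volume is an outlier versus their peers.
Added example (not from the original answer); the usage records below are
constructed, standing in for what a NetFlow collector or proxy accounting
export would provide."""
from statistics import median

# Constructed sample: (user, bytes_down, bytes_up) for one day.
DAILY_USAGE = [
    ("alice", 1_800_000_000,   120_000_000),
    ("bob",   2_100_000_000,   150_000_000),
    ("carol", 1_500_000_000,    90_000_000),
    ("dave",  2_400_000_000,   200_000_000),
    ("erin",  1_900_000_000,   110_000_000),
    ("frank", 38_000_000_000, 41_000_000_000),   # constructed heavy hitter
    ("grace", 1_700_000_000,   100_000_000),
]

def robust_outliers(usage, threshold=3.5):
    """Return users whose total volume is an outlier by the modified
    z-score (0.6745 * deviation from median / MAD; 3.5 is the usual cut).
    Each hit carries the up/down ratio as context: web browsing is
    download-heavy, while a peer that is seeding uploads roughly as much
    as it pulls, so a ratio near or above 1 is worth the investigation."""
    totals = {u: d + up for u, d, up in usage}
    med = median(totals.values())
    mad = median(abs(t - med) for t in totals.values())
    if mad == 0:           # all users identical; nothing stands out
        return []
    hits = []
    for user, down, up in usage:
        score = 0.6745 * (totals[user] - med) / mad
        if score > threshold:
            hits.append({
                "user": user,
                "total_bytes": totals[user],
                "z": round(score, 1),
                "up_down_ratio": round(up / down, 2) if down else None,
            })
    return hits
```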
7

BitTorrent can run on any port, and can be wrapped inside SSL, so blocking by ports or traffic data isn't going to get you anywhere.

My suggestion would be to block HTTP traffic on any port which matches the tracker announce protocol, as per the specification. This won't work if the tracker is running on HTTPS, but most don't. It also won't prevent DHT from working, but that's unlikely to matter too much.

Additionally, you can monitor traffic to see if large amounts of data are being transferred to a single user, and take action based upon that.

My opinion is that this isn't a technical issue - it's a policy issue. Make all your users sign a usage policy that explicitly bans the use of file-sharing networks and systems, including BitTorrent, and ensure that appropriate punishments can be enforced should people violate that policy.

Polynomial

  • Torrenting with DHT only is easily possible, and trackers aren't limited to a specific port. – CodesInChaos Sep 10 '13 at 12:16
  • I agree that torrent can run on any port, but I suppose that only applies to outgoing ports, not incoming ports. So can we do something considering that? – Adi Sep 10 '13 at 12:19
  • Nope - any port @Adi – Rory Alsop Sep 10 '13 at 12:31
  • Also bear in mind that some people use BitTorrent for *legitimate business purposes* like downloading Linux distros and other large bricks of software. – Sammitch Sep 10 '13 at 22:42
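To make the "matches the tracker announce protocol" check from this answer concrete, here is an added example (not the answer's own code) that scans proxy log lines for HTTP requests carrying the announce query signature from the BitTorrent tracker protocol (BEP 3), whatever port the tracker listens on. The log format and the sample lines are constructed; as the answer notes, HTTPS trackers are invisible to this.

```python
"""Spot BitTorrent tracker announce requests in an HTTP proxy log (added
example, not from the original answer; the log format and sample lines
are constructed, the query signature is from BEP 3)."""
from urllib.parse import urlsplit, unquote_to_bytes

# Every announce request carries these query parameters (BEP 3).
REQUIRED = {"info_hash", "peer_id", "port", "uploaded", "downloaded", "left"}

def _raw_query(query):
    """Split the query without percent-decoding, so the binary info_hash
    and peer_id values can be decoded byte-exactly afterwards."""
    pairs = (p.split("=", 1) for p in query.split("&") if "=" in p)
    return dict(pairs)

def is_tracker_announce(url):
    """True if url carries a well-formed announce query, on any port (HTTP only)."""
    parts = urlsplit(url)
    if parts.scheme != "http":     # HTTPS trackers are opaque to the proxy
        return False
    params = _raw_query(parts.query)
    if not REQUIRED.issubset(params):
        return False
    try:
        port_ok = 0 < int(params["port"]) < 65536
    except ValueError:
        return False
    # info_hash and peer_id are exactly 20 raw bytes, percent-encoded.
    return (port_ok
            and len(unquote_to_bytes(params["info_hash"])) == 20
            and len(unquote_to_bytes(params["peer_id"])) == 20)

def scan_proxy_log(lines):
    """Return (client_ip, url) for each announce in lines of the assumed
    form '<timestamp> <client_ip> <method> <url>'."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) >= 4 and f[2] == "GET" and is_tracker_announce(f[3]):
            hits.append((f[1], f[3]))
    return hits

# Constructed sample log: one announce on a non-standard port, plus noise.
SAMPLE_LOG = [
    "2013-09-10T12:16:00 10.0.0.5 GET http://tracker.example:6969/announce"
    "?info_hash=%12%34%56%78%90%AB%CD%EF%12%34%56%78%90%AB%CD%EF%12%34%56%78"
    "&peer_id=-UT3300-abc123def456&port=51413&uploaded=0&downloaded=0&left=1234",
    "2013-09-10T12:16:01 10.0.0.6 GET http://www.example.com/index.html",
    "2013-09-10T12:16:02 10.0.0.7 GET http://example.net/announce?foo=bar",
]
```

Matching hits can feed a proxy deny rule or simply an alert; the path is deliberately not checked, since the parameter set is the part of the protocol a client cannot leave out.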
1

This is mainly a policy issue. A higher being has decreed “Thou shall not have torrents on this network”. Seeing no way to effectively block only torrents, you block all ports.

Now, certain applications no longer work. They should request that to be changed and you should relay that request to that higher being: "Application X, which is needed by jdoe for his work, requires access to port Y, which was blocked (as with thousands of others) in order to ensure it could not be used for torrents. Shall we allow it, even if that means that it would be possible to torrent using that port?"

If the higher being allows the change, you implement it. If he doesn't, you refer jdoe to the higher being rejecting that request.

Rinse and repeat for every user and application.

I think that a more lax policy, based more on users agreeing to your rules, would probably work better for everyone. In fact, I suspect the higher being's inner wishes are actually not to "block torrents" but to "block illegal torrents", which is quite different. But who am I to question His Will?

Ángel
0

From my perspective, only deep packet inspection including SSL/TLS traffic will work.

Common practice is to have a proxy server in the internal network (with SSL inspection) to allow users to access the internet (and block all unwanted sites / services), then block all traffic going from such users directly to the internet. If you need to allow users to access specific servers on non-standard ports, you have to allow them explicitly (IP, protocol, port / service).

What kind of non-standard services are users accessing from your network?

Fis
-1

I would recommend you block all UDP ports 1-65535, and also all TCP ports except the one which takes you to your Squid proxy, running with filters and ACLs to provide more filtering options. uTorrent won't have a chance to connect!

-2

The most effective way is to install a Unified Threat Management box or a Next-Generation Firewall. These boxes are capable of doing layer 7 inspection and can identify the applications and users.

schroeder
AdnanG
-3

As mentioned in other answers to this post, torrent is almost impossible to block effectively. Effective policies on its usage can help. Also, you may not need to block it - just allocate a very, very minuscule bandwidth to torrents so that a download that would normally take an hour would be downloaded in a year to ∞.

n00b

  • Torrent can use any ports, how can you define a filter rule which data packet is a torrent and which is not? – peterh Aug 19 '18 at 04:08
  • @peterh what about protocol inspection? You don't need ports for that. – schroeder Aug 19 '18 at 08:34
  • @schroeder I am not sure in the details but as far as I know, torrent is also encrypted, which typically hardens protocol inspection. – peterh Aug 19 '18 at 08:40
  • @peterh agreed, but I seem to remember perimeter filters being able to use inspection to determine torrent traffic. – schroeder Aug 19 '18 at 08:43