
I manage the network in a small office (SW dev is my "real job"), and there are a couple of users who beat the hell out of our internet connection by running bittorrent. Between the almost crippling effect on the upload side (20Mbps) and the potential liability, I want to shut this down as much as possible.

Some quick details in anticipation of questions or suggestions:

  • we have 2 routers (1 Linksys, 1 Buffalo) running the latest DD-WRT, and one D-Link DIR-655 running whatever the latest factory software is

  • internet is FiOS 20/20 plan

  • users connect via WiFi & wired, everyone uses DHCP

  • acquiring new hardware (let's say < $1000) that really does the trick reliably is an option

  • we have an internet usage policy in place, yes, but I want to enforce it as much as possible via IT because we all know that some people just can't follow the rules. Yes I know that dealing with this is a social issue, but this part is out of my authority/control.

  • the common strategies (completely block access by MAC / IP, block ports, etc.) won't work. At least 2 of the people routinely re-program the MAC addresses on their Ethernet interfaces.

I understand that BT clients can be configured to use other ports, so just blocking the standard BT port range is weaksauce.

I can't believe I'm the first person to skin this cat. Or maybe only IT depts. with large equipment budgets can skin this cat?

Thanks for your help!

Dan

11 Answers


Enable QoS on your DD-WRT stuff as described here. Make all non-port-80/22/25/IMAP/POP traffic limited to some very small amount of bandwidth, and make even those ports limited to something reasonable like 2Mb/s or so.

Then go read BOFH for ideas about what to do to the offending users.

pjz

You're right, it really is a social problem that needs to be addressed by management. If certain people are impacting the network to the point that it's causing problems for others, then they need to be dealt with and told what the consequences will be if they keep it up. Reprogramming the MAC addresses on their NICs? If they have no legitimate need to be doing that then you might consider locking down your wifi router and network switches to only accept connections from certain MAC addresses. If they change it, they can't get on the network, and suddenly MAC address filtering/limiting becomes a possibility at the border router.

Traffic shaping for non-standard ports can also be employed to reduce the amount of available bandwidth for all ports except the standard http, ftp, smtp, etc. Turning down the amount of bandwidth available for non-standard applications makes them a lot less desirable.

Another option at your border router/firewall is to only allow certain ports for outbound traffic, limited to standard ports. This may or may not be practical given your environment.

Justin Scott

If it's a small office, tell the employees to stop using BitTorrent or face disciplinary action; spending money/time on traffic shaping for a small office seems ridiculous... unless there are some extraordinary circumstances you haven't mentioned.

I am sure the manager of your office would want to know why their employees have time to set up BitTorrent, change their MAC address, etc. on company time...

Element

If you go for technical tricks and ignore the social aspect, the bad guys will try misc tricks to avoid the restrictions. If you implement something that marks and shapes bittorrent traffic, they'll start using encryption etc.

If you go only social and start yelling at the bad guys, you will become their enemy. Especially if this is not your main job there. They might think you're restricting them to please the boss for example. And working on a daily basis with people who hate you is sad.

A very effective approach that involves almost no violence is to monitor network usage. Set up something like mrtg and make the network usage graphs publicly available for anybody in the office. So as soon as somebody complains about slow internet, send him there to see who's wasting the bandwidth.

This way you won't have to fight alone against bandwidth hogs. You won't even need to fight at all, the good users will eat the bad ones.

Anonymous
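
The two ideas above (shape everything that isn't a standard business port, and publish per-host usage so the office can see who the hog is) both need per-host accounting first. The following is an added example, not code from any of the answers: it reads constructed connection records of the form "src dst dst_port bytes" (the kind of thing you could export from conntrack or netflow on a DD-WRT box), totals bytes per host, and flags hosts that push most of their traffic to non-standard ports across many distinct peers. The port list, thresholds and sample data are all assumptions.

```python
from collections import defaultdict

# Ports the answers treat as legitimate business traffic (web, ssh, smtp, imap, pop).
STANDARD_PORTS = {22, 25, 80, 110, 143, 443, 465, 587, 993, 995}

# Constructed sample connection records (not real logs), one per line:
# "src_ip dst_ip dst_port bytes", as you might export from conntrack or netflow.
SAMPLE_LOG = """\
192.168.1.10 203.0.113.5 443 120000
192.168.1.10 203.0.113.9 80 54000
192.168.1.11 198.51.100.1 6881 900000
192.168.1.11 198.51.100.2 51413 850000
192.168.1.11 198.51.100.3 6889 700000
192.168.1.11 198.51.100.4 40123 650000
192.168.1.11 198.51.100.5 22 3000
192.168.1.12 203.0.113.7 993 20000
"""

def parse_records(text):
    """Yield (src, dst, port, nbytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        try:
            yield src, dst, int(port), int(nbytes)
        except ValueError:
            continue

def summarize(records):
    """Per source host: total bytes, bytes to non-standard ports, distinct peers there."""
    stats = defaultdict(lambda: {"total": 0, "nonstd": 0, "peers": set()})
    for src, dst, port, nbytes in records:
        s = stats[src]
        s["total"] += nbytes
        if port not in STANDARD_PORTS:
            s["nonstd"] += nbytes
            s["peers"].add(dst)
    return stats

def flag_hogs(stats, share=0.5, min_peers=3):
    """Hosts sending >= `share` of their bytes to non-standard ports, spread over
    at least `min_peers` distinct peers: the many-peer, odd-port P2P pattern."""
    return sorted(h for h, s in stats.items()
                  if s["total"] and s["nonstd"] / s["total"] >= share
                  and len(s["peers"]) >= min_peers)

def report(text=SAMPLE_LOG):
    """Return (bytes per host, flagged hosts) for a usage page like the mrtg graphs suggested."""
    stats = summarize(parse_records(text))
    return {h: s["total"] for h, s in stats.items()}, flag_hogs(stats)
```

A host that tunnels everything over port 443 will not be flagged by this, which is exactly the evasion the answers warn about; the per-host byte totals still make it visible on the usage page.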

Lock down those machines - remove admin rights. They're acting like spoiled children, and the only thing you can really do is treat them that way.

Kara Marfia
  • I don't see how that would stop somebody from running a bittorrent client. – Anonymous Jul 16 '09 at 05:59
  • If you REALLY have the time to blow, you can just restrict them to only run approved executables. At that point, tho, I'm thinking - why do these people still collect paychecks? – Kara Marfia Jul 16 '09 at 13:37

If you don't have the authority to smack them on the wrist for it and the people that do aren't willing to, then you are pretty much out of luck. Yes, there are technological ways to address this. It appears that at least some of your problem users are probably savvy enough to avoid pretty much any tech solution that you try, though. Worse, for that sort of person you have now implicitly validated that it is ok for them to do (since there was no management response) as long as they do it in a way that avoids the roadblocks that you put up.

EBGreen

You should take a look at M0n0wall and pfSense.

I believe the traffic shaping features of pfSense are better and that's the one I'd suggest.

The documentation is unfortunately very scarce but if you experiment with it a little bit it's not hard to figure things out.
Just run the wizard and learn from the rules it will create. Also, check this Traffic Shaping Guide.

While this won't solve your social issues nor will it be a final solution in enforcing the rules, I believe it's a good middle ground.
You can allow them to use the bandwidth while making sure everything else that is more important doesn't get affected.

Carlos Lima

Have you considered a web proxy like Squid? That may be one option. I know the big boys can filter at the packet level.

Another way of combating this is to run periodic scans of each workstation/laptop as far as what's installed. You see a BitTorrent client, you flag the user. You can script for the easy stuff by querying the registry at:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

K. Brian Kelley

A SOHO Router like a Cisco 871w has the ability to do deep packet inspection. You would be able to deny P2P on all ports without affecting other traffic.

The same goes for Instant Messaging, RDP, etc... Some instant messaging clients can be configured to go out through Port 80 (HTTP), which you would be unlikely to block. But a router like the Cisco 871w actually operates at a higher level of the OSI model and can detect whether or not the traffic going across port 80 is HTTP or some other protocol.

Jim March

The reason for the technical solution is that it's usually the management types that are doing it.
It's the same problem with security, those with the most sensitive data are the ones that don't bother with a password, send confidential email from Yahoo while logged onto unencrypted airport wifi and lose laptops.
Since you can't enforce the rules with them - they make the rules - the only solution is one they don't know about.

Martin Beckett

It won't work for sophisticated users, but I once blocked certain users from a site by putting a dummy entry in c:\Windows\system32\etc\hosts

cagcowboy
  • That won't work for bittorrent, since all transfers are peer-to-peer. You could possibly block the trackers, but there are far too many for that to work (and most clients support DHT, so don't even need a tracker). That said, it would make the torrent file harder to get initially. – dbr Apr 30 '09 at 19:47
  • Yeah, I was thinking of blocking the pirate bay for example, not the downloads. – cagcowboy Apr 30 '09 at 20:17