
Due to DMCA takedown notices, I am trying to block BitTorrent traffic for clients on a Cisco ASA 5520.

ASA Software: 7.2, ASDM: 5.2

The device is really just used for NAT and VPNs currently. Is there a simple way to block the BitTorrent TCP ports 6881-6999 on this device?

Will
CaseyIT

2 Answers


I have attempted to do this and ran into a few issues. The biggest was that most BitTorrent clients these days will choose a random port outside of that range. Blocking just 6881-6999 is a start, but will be easily defeated. Even if you block all UDP and high ports, clients will eventually switch to ports 80 and 443 (HTTP and HTTPS), which presumably you don't want to block.

I have not found a good way to entirely block BitTorrent. BitTorrent has evolved and adapted around all kinds of blocks, and will continue to evade attempts to block it. I'm sure there is a way to use Deep Packet Inspection to identify and shut it down, but I haven't had a chance to look at that. And I'm not sure how successful that would be, due to BitTorrent clients using encryption by default now.

I have been using this code on my ASA to at least marginally help the situation. I'm sure this blocks other useful things, but I haven't had any complaints from users.

! UDP ports to deny. 1194 and 10000 are deliberately skipped so VPN
! encapsulation keeps working; everything below 1024 is also left alone.
object-group service Blocked-UDP-Ports udp
 description All ports blocked for Bit Torrent UDP DHT (all ephemeral ports except VPN encapsulation)
 port-object range 10001 65535
 port-object range 1024 1193
 port-object range 1195 9999
! TCP ports used for tracker communication (2710 plus the classic 6881-6999 range).
object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object range 6881 6999
!
! Deny entries, logged at severity 4 (warnings). The trailing "inactive" keyword
! leaves both entries defined but disabled; remove it to enforce them. The ACL
! also has to be bound to the interface (access-group inside_access_in in interface inside,
! assuming the inside interface is named "inside") and needs a permit entry after
! these denies, because an applied ACL ends with an implicit deny.
access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive
access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive
minamhere
  • Good answer, beat me to it. The only "good" way is by using some kind of layer 7 device, though even that is not foolproof. There are companies that specialize in products that block P2P. – Scott Pack Mar 29 '11 at 13:19
  • Thanks - Is it possible to do this in the ASDM GUI? – CaseyIT Mar 29 '11 at 13:27
  • Or a layer 8 device, perhaps a big stick? – Tom O'Connor Mar 29 '11 at 13:28
  • Scott, do you have any suggestions or experience with any of those? While endlessly chasing down P2P users isn't something I actually want to waste my time with, this is on my list of future projects. – minamhere Mar 29 '11 at 13:28
  • Casey, you can do this in ASDM. Here are 2 screenshots that show what I'm doing. The first shot creates the object-groups for the port ranges. The second (rules 3 and 4) applies those groups to specific areas of the network, and denies said traffic: http://imgur.com/a/JEzTI – minamhere Mar 29 '11 at 13:38

The only easy way to stop this is to default deny all egress traffic and allow specific ports for services. It's a PITA, but BitTorrent clients won't listen on 1024 ports, so 443 and 80 are safe to let out. So are DNS, SSH, FTP, POP3, IMAP, SIP, whois, telnet.

noone