14

Here is an interesting problem/scenario that some sysadmins out there might enjoy:

An apartment building owner is giving away free internet access to his tenants. Basically he has a T1 coming to the building and every apartment has a CAT5 plug in the wall. The internet access is "free" (included in the rent or whatever) to the tenants.

The problem is, several of the tenants are downloading illegal movies/music via bittorrent. As a result, the MPAA and RIAA are sending "nastygrams" to the owner of the internet connection (i.e. the apartment owner) concerning the illegal downloads.

The apartment owner has blocked lists of torrent sites as well as several file extensions at the router level but the problem persists.

What I'd like to know is if anyone out there has a clever/inexpensive solution for this problem? QoS apparently only works up to a point because bittorrent can use pretty much any port it wants. Packet inspection doesn't work on encrypted connections, etc.

The apartment owner did say he would be happy if he could simply see the upload/download traffic (ie. potential abusers) of the individual apartment units.

Any ideas?

UPDATE: Not interested in discussing the legal/lawyer/social issues as much as the actual technical solutions (whatever they may be). I would kindly request you vote up the TECHNICAL discussions over the legal/social ones. Thanks!

ANSWER: Selected Justin Scott's answer as the correct answer because of his suggestion to use managed switches and MRTG. While it would have been nicer to block bittorrent or at least make it EXTREMELY difficult, MRTG and a managed switch will allow us to easily identify the offender(s).

KPWINC
  • Isn't a T1 technically around 1MBps? – niXar Jun 26 '09 at 16:39
  • A T1 is actually 1.54Mbps. The building actually has a bigger pipe than that... DSL at 3-4Mbps but for the sake of simplicity I said T1 in the question... not that it mattered much. :-) – KPWINC Jun 26 '09 at 17:28

10 Answers

13

Is he authorized by his ISP to sublet the T1 to others? If so, then he is in effect a common carrier (like a phone company) and not responsible for the use of the service. As soon as he starts taking measures to prevent certain traffic he is assuming responsibility. I'd contact a lawyer before doing anything at all.

If he isn't authorized by his ISP to sublet their T1 then I wouldn't even get involved. "You're on your own pal."

Daniel Lucas
  • Thank you for your insight on this but legal matters aside, I'm more interested in a technical solution and "What is technically possible to do". Once we know what ALL of the options are, he can decide which way he wants to go. – KPWINC Jun 15 '09 at 19:43
  • 2
    Understood KPWINC. I guess I just wouldn't want to have any part in limiting users' traffic. Keep the internet free as in freedom. Free as in beer would be nice too. ;) – Daniel Lucas Jun 15 '09 at 19:48
  • My understanding is that nobody is limiting them. They are free to purchase their own broadband connection. If that were the case, the MPAA/RIAA notices would go to them instead of the building owner. It's kinda like, if you come to swim in my pool please don't pee in it... if it's YOUR pool... do what you like. ;-) – KPWINC Jun 16 '09 at 04:53
10

If each apartment has its own port on a managed switch somewhere in the building, seeing their traffic levels should be pretty simple with something like MRTG.

However, this seems like more of a legal issue than a technical issue. IANAL, but by trying to police the connection the owner is essentially giving up any sort of "common carrier" status he might have had (if any at all). If I were in this position, each apartment would get a static IP to get out to the Internet. If the MPAA/RIAA came knocking, I would politely direct them to the tenant who "owns" the IP address in question.

Justin Scott
  • I don't believe it's a managed switch. So let's assume a regular dumb switch for now. I only say this because he has several buildings and I'm pretty sure not all of them have a managed switch. – KPWINC Jun 15 '09 at 19:45
  • Agree with you Justin. It wouldn't have to be static though, just public. That IP would be on the letter I'm sure. – Daniel Lucas Jun 15 '09 at 19:52
  • If you can't trace port usage on the individual switches, then you may be able to use statistics from the border router depending on its type and configuration. That's not an ideal solution as you would need to correlate the tracked IP addresses with the apartments somehow. If they use NAT with a DHCP server and short lease times, then your options become really limited. – Justin Scott Jun 15 '09 at 19:59
  • @flashkube Yes, but then you have to keep logs of which apartment had what IP address at specific times. If they're assigned on a static basis, tracking them down becomes a lot easier. – Justin Scott Jun 15 '09 at 20:00
  • 1
    Also, if the switches aren't managed, I'd recommend replacing them as soon as funds can be budgeted for it. You can pick up older 10/100 managed switches on eBay pretty cheap. We just bought a nice managed 24-port HP ProCurve 1U rack mount switch that supports SNMP for about $70. It's really nice to be able to see port utilization in real-time through its web interface. – Justin Scott Jun 15 '09 at 20:05
  • 1
    Have to agree with Justin here. The tools to do the traffic monitoring are free and proven, so long as you can read counters per-port. The cheapest solution is going to be to get some cheap managed switches. – James F Jun 15 '09 at 22:55
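
Added example (not part of the original thread): the answer above relies on reading per-port SNMP counters, which is what MRTG graphs. This Python sketch shows the underlying arithmetic on constructed poll data, including the 32-bit counter wrap that makes naive subtraction go negative; the port-to-unit mapping and all sample values are assumptions.

```python
from collections import defaultdict

COUNTER32_MAX = 2**32  # ifInOctets / ifOutOctets are 32-bit and wrap to zero

# Hypothetical mapping of switch port (ifIndex) to apartment unit.
PORT_TO_UNIT = {1: "Apt 101", 2: "Apt 102", 3: "Apt 103"}

# Constructed polls, 5 minutes apart: (unix_time, ifIndex, ifInOctets, ifOutOctets)
SAMPLES = [
    (0, 1, 1_000_000, 5_000_000),
    (300, 1, 1_600_000, 35_000_000),
    (0, 2, 4_294_000_000, 10_000_000),
    (300, 2, 32_704, 40_000_000),  # ifInOctets wrapped between polls
    (0, 3, 500_000, 2_000_000),
    (300, 3, 650_000, 3_500_000),
]

def delta(prev, cur):
    """Counter difference, allowing for one 32-bit wrap between polls."""
    return cur - prev if cur >= prev else cur + COUNTER32_MAX - prev

def usage_by_unit(samples):
    """Return {unit: {"up_bytes", "down_bytes", "up_bps"}} over the sampled window."""
    by_port = defaultdict(list)
    for t, port, in_oct, out_oct in samples:
        by_port[port].append((t, in_oct, out_oct))
    report = {}
    for port, polls in by_port.items():
        polls.sort()
        up = down = 0
        for (_, in0, out0), (_, in1, out1) in zip(polls, polls[1:]):
            # Seen from the switch, "in" on an access port is the tenant's upload.
            up += delta(in0, in1)
            down += delta(out0, out1)
        secs = polls[-1][0] - polls[0][0]
        report[PORT_TO_UNIT[port]] = {
            "up_bytes": up,
            "down_bytes": down,
            "up_bps": up * 8 // secs if secs else 0,
        }
    return report

def top_uploaders(report, n=2):
    """Units ranked by bytes uploaded, heaviest first."""
    return sorted(report, key=lambda u: report[u]["up_bytes"], reverse=True)[:n]

if __name__ == "__main__":
    print(top_uploaders(usage_by_unit(SAMPLES)))
```
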
6

The best social solution I've seen is to give the letter to the tenants and after 3 notices terminate their internet service. Most complexes I've worked in have that policy and it works well. After the first or second letter you see their bandwidth usage drop significantly.

Otherwise I wouldn't worry about it. He won't have the connection shut off for receiving mass "we saw you download this" emails or letters. The chances of it going to court are very slim. Personally if I had a T1 (or something faster..) I'd ask for an IP address block and give each apartment its own public IP, then it's trivial to trace who did what and to shift blame.

reconbot
  • That's assuming he has legal standing to share his T1 in the first place. But I do agree on your technical/social answers. You need to have both sides covered for this to work. – Joseph Kern Jun 15 '09 at 19:22
  • Joseph Kern suggests peerguardian as a gateway service, I like that idea - I'd also cap their upload speed after the first offence like a regular ISP would. Discourages the behavior. – reconbot Jun 15 '09 at 19:23
  • I'm fairly certain he has permission to share the T1 as he has been communicating with the ISP about the issue. This is a business connection and his ISP seems to have no problem with the way he is using the line. The main issue seems to be determining who (behind his NAT) is using the bandwidth. – KPWINC Jun 15 '09 at 19:48
6

Everyone here has already talked about the legality issues with this kind of setup, so I won't beat that dead horse more.

If you'd like a good free tool for monitoring internet traffic, you might want to try IPAUDIT as it will give you pretty good information about your host's traffic use. I have a post in the following question (IPAUDIT is a Linux-based solution for traffic monitoring): https://serverfault.com/questions/8267/monitor-internet-bandwidth

You could also find some good answers in this question: Network Traffic Monitoring

l0c0b0x
4

I'm going to have to be really negative about this... Trying to fight Bit Torrent the technical way is going to lead to a lot of headaches for near zero efficiency. Bit Torrent can be encapsulated in SSL on port 443 making it no different than browsing an HTTPS website.

The only solution is to talk to the people and get them to slow down or just stop...

Antoine Benkemoun
2

I'd look at graphing bandwidth-usage statistics. Since he's using wired distribution, using SNMP counters (provided the distribution switches are capable) is one great way to get statistics (assuming that the tenants aren't sending traffic anywhere but the Internet, i.e. not peer-to-peer on the LAN) about bandwidth usage. MRTG, Cacti, etc. are your friend for this.

If the tenants are doing peer-to-peer networking he'll need to do some traffic profiling at the egress onto the Internet. You could do that on the cheap with a Linux iptables installation and some logging rules.

The owner is probably best served speaking to an attorney about this (though that's going to cost money). It would be a good idea if he made sure he wasn't going to end up being the target of litigation.

Evan Anderson
1

He needs to be very careful of his legal standing, as mentioned in the other posts. Talk to a lawyer.

There are a few technical means to deal with this. But I am afraid that trying anything will just get him in deeper. A lawyer could spin his attempt at technical control in several directions.

No good deed goes unpunished.

(Or he could just install peerguardian as a gateway service)

Joseph Kern
0

The only reasonable way to ensure integrity of your network is to, by default, restrict all access except the ones you allow. All other methods, if you still insist on having full network control, are just playing catch-up with the newest greatest (and oldest well known) protocols used for sending data from a to b and vice versa.

But if you are interested in job security and a lot of administrative work, go for it.

BTW you didn't say which country you are from; jurisdiction is quite different on this topic across the world, but I assume US since you are talking about a T1 pipe.

Something which apparently works quite well in the States is writing back with some legal jargon stating that they may choose between either explanation:

  • The copyright owner gave implicit right for making use of the availability of that work
  • The received work is not the same as the work referred to in your allegations

Always end your letter with a friendly greeting and the option to further discuss the matter, stating your consultancy tariff.

  • Interesting tactic with the reply letter, Martin. Where did you hear this was effective? Only curious. – Daniel Lucas Jun 19 '09 at 21:52
  • A couple of legal students at Harvard wrote to the RIAA when they were charged, subsequently all charges were dropped, was on a slashdot like site a year or two ago. A note about the argumentation, if I remember correctly the argument was that because they can only see who downloads what with bit torrent if they also self peer to the download, so that means they either make the copyright material available and since they are the holder of the material or act of the interest of the copyright holder they give subsequent allowance to download it or it is fake which means it is not copyrighted. – Martin P. Hellwig Jun 22 '09 at 21:37
0

I'll improve on the best answer.

You should buy a Smoothwall Firewall appliance (or IPCop, MonoWall, LEAF, or pfSense) because Smoothwall uses MRTG. Smoothwall will give you all kinds of additional features.

You can buy a cheap dual-NIC firewall appliance for only a few hundred dollars.

Or make one yourself using a dual-NIC mini-ITX motherboard like an EPIA-M700 ($257), an EPIA LT or an EPIA PE.

djangofan
0

I'd say to institute connection/disconnection/UDP packet address and DHCP logging on the router, and include the router port # in the logs. The idea here being that the RIAA letter should include date/time/IP of the infringement. From that, you can look up which router port (and thus which apartment) was committing the infringement, and forward the letter. These logs will be big, but since they don't include packet contents, they shouldn't be TOO big. And if the landlord is NATting, the inbound UDP traffic should be very small.

This lets the landlord prove (as far as he can) which party is responsible and pass the hassle down to them appropriately. In any lawsuit the landlord should be able to successfully get out of anything except answering some subpoenas for logs.

Michael Kohne
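
Added example (not part of the original thread): a sketch of the log correlation described in the answer above, for a NATed building. It assumes the notice gives a UTC time and the public source port, and that the router keeps a NAT connection log and a DHCP lease log; the log layouts, addresses and times are constructed.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse a UTC timestamp as it would appear in the (constructed) logs."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed DHCP lease log: (internal_ip, unit, lease_start, lease_end)
LEASES = [
    ("192.168.1.20", "Apt 101", ts("2009-06-10 08:00:00"), ts("2009-06-10 20:00:00")),
    ("192.168.1.20", "Apt 204", ts("2009-06-10 20:05:00"), ts("2009-06-11 08:05:00")),
    ("192.168.1.31", "Apt 102", ts("2009-06-10 09:00:00"), ts("2009-06-11 09:00:00")),
]

# Constructed NAT connection log: (public_port, internal_ip, opened, closed)
NAT_LOG = [
    (51413, "192.168.1.20", ts("2009-06-10 18:30:00"), ts("2009-06-10 19:45:00")),
    (51413, "192.168.1.20", ts("2009-06-10 21:00:00"), ts("2009-06-10 23:10:00")),
    (40022, "192.168.1.31", ts("2009-06-10 21:30:00"), ts("2009-06-10 22:00:00")),
]

def covering(rows, key, when, skew):
    """Rows keyed by `key` whose [start, end] window, widened by skew, contains `when`."""
    return [r for r in rows if r[0] == key and r[2] - skew <= when <= r[3] + skew]

def attribute(public_port, when, skew=timedelta(0)):
    """Map a notice's (public port, UTC time) to a unit.

    Returns the unit name, None when no log entry matches, or "AMBIGUOUS"
    when clock skew makes more than one unit a candidate.
    """
    units = set()
    for _, internal_ip, _, _ in covering(NAT_LOG, public_port, when, skew):
        for _, unit, _, _ in covering(LEASES, internal_ip, when, skew):
            units.add(unit)
    if not units:
        return None
    return units.pop() if len(units) == 1 else "AMBIGUOUS"

if __name__ == "__main__":
    # Same internal IP and public port, different tenant after the lease changed.
    print(attribute(51413, ts("2009-06-10 19:00:00")))
    print(attribute(51413, ts("2009-06-10 22:00:00")))
```

The ambiguous result is the case to watch for: short lease times plus unsynchronised clocks can leave two units as candidates, which is why static assignments and NTP-synced logging make attribution defensible.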