Thread: bittorrent file transfer - rate limit

bittorrent file transfer - rate limit
user name
2007-10-07 11:27:29
i am trying to use IntroPro-IPS to limit bittorrent traffic to 20% of
my bandwidth.

it is able to detect file transfer traffic in many cases using rules
given as part of product distribution. if i use bittorrent (downloaded
from www.bittorrent.com) i could see that this p2p traffic is not
exceeding 20% limit (100kbps). but if i use other client application
such as azureus or uTorrent, i find that bittorrent data traffic is
not recognized for some torrents.

this product has facility to add new rules to detect application
traffic. i tried to add new rules with patterns from bleedingthreats
and l7 filters and results are same. does anybody have right patterns
to detect all kinds of bittorrent file transfer connections?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


RE: bittorrent file transfer - rate limit
user name
2007-10-09 15:34:49
Hi,

Older versions of Bit Torrent clients use TCP based transfer for
downloading and uploading pieces. Later versions of clients support
multiple methods for data transfer. Web seeding is one method which we
see commonly. We also see Azureus client using UDP based data transfer.
In addition, if peers support cryptography, then the connections (TCP
or UDP) are encrypted.

It is difficult to detect encrypted connections using typical pattern
matching. First two packets of the connection exchange DH pairs to get
symmetric key. This symmetric key is used to encrypt rest of stream.
First two packets are even padded with random data of random length to
avoid detection by any traffic enforcers. This is done very cleverly
and it had been very successful. We believe that Traffic Heuristics
combined with some intelligence of tracker connections is one way to
detect these encrypted connections.

By the way, IntruPro-IPS has signatures for detecting 'web seeding' and
'UDP' based data transfer connections in addition to TCP based
connections. These signatures were added recently and you may like to
get latest version of signature set.

Srini

********************************************************************************
This email message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential, proprietary and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient,
please immediately notify the sender by reply email and destroy all
copies of the original message.
Thank you.

Intoto Inc.



Re: bittorrent file transfer - rate limit
user name
2007-10-10 01:30:19
okay.

Thank you for detailed explanation.

Ravi


Re: bittorrent file transfer - rate limit
user name
2007-10-19 10:54:49
can you please elaborate methodology you outlined on detection of
Bittorrent encrypted connections? do you have plans to provide this
support in free IntroPro IPS software?

Thanks
Ravi


RE: bittorrent file transfer - rate limit
user name
2007-10-19 15:19:53
Hi,

It requires Bittorrent protocol intelligence in the software. It finds
out BitTorrent peers (IP address and Port on which peer is listening
on) for torrent files and keeps it in its storage. Any new connections
going to these peers or coming from these peers are considered as
BitTorrent file transfer connections. With this mechanism, it is
possible to detect encrypted file transfer connections. Note that it is
only high level description of the approach, but there are lots of
bells and whistles in the implementation. Yes, we will have this
feature in free IntruPro IPS software.

Srini
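
The tracker-intelligence approach described in the message above (and mentioned in the earlier reply on encrypted connections), sketched as an added example; it is not IntruPro code or the poster's. It parses a plain-HTTP tracker announce reply, stores the listed peers with an expiry, and classifies a new flow by its endpoints. All function and class names, the TTL, and the IP-only match for inbound flows are assumptions of this sketch.

```python
import socket
import struct

def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, index after value)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list l...e / dict d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        return (items if c == b"l" else dict(zip(items[0::2], items[1::2]))), i + 1
    colon = data.index(b":", i)                    # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def peers_from_announce(body):
    """Return the set of (ip, port) peers in a tracker announce response body."""
    try:
        reply, _ = bdecode(body)
        peers = reply[b"peers"]
    except (ValueError, KeyError, TypeError):
        return set()                               # not a tracker reply: learn nothing
    if isinstance(peers, bytes):                   # compact form: 4-byte IPv4 + 2-byte port
        return {(socket.inet_ntoa(peers[o:o + 4]), struct.unpack("!H", peers[o + 4:o + 6])[0])
                for o in range(0, len(peers) - 5, 6)}
    if not isinstance(peers, list):
        return set()
    return {(p[b"ip"].decode(), p[b"port"]) for p in peers
            if isinstance(p, dict) and b"ip" in p and b"port" in p}

class PeerTable:
    """Peer endpoints learned from tracker replies, expiring after ttl seconds."""
    def __init__(self, ttl=1800):
        self.ttl, self.expiry = ttl, {}

    def learn(self, body, now):
        for peer in peers_from_announce(body):
            self.expiry[peer] = now + self.ttl

    def is_bittorrent(self, src, dst, now):
        live = {ep for ep, t in self.expiry.items() if t > now}
        # Outbound: dst is a peer's listening endpoint, so match (ip, port) exactly.
        # Inbound (assumption): peers dial from ephemeral ports, so match IP only.
        return dst in live or src[0] in {ip for ip, _ in live}

# Constructed sample: compact announce reply listing two peers (documentation IPs).
SAMPLE = (b"d8:intervali1800e5:peers12:"
          + socket.inet_aton("192.0.2.10") + struct.pack("!H", 6881)
          + socket.inet_aton("198.51.100.7") + struct.pack("!H", 51413) + b"e")
```

Because the match is on endpoints rather than payload, it still classifies flows whose handshake is encrypted and padded, but it learns nothing from announces it cannot read and the IP-only inbound match is coarse for peers behind shared addresses.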


