Detecting BitTorrent with NetFlow

Posted in NetFlow, NetFlow Analyzer on November 26th, 2010 by mike@plixer.com

Is P2P or BitTorrent traffic a concern on your network? More specifically, how can you detect BitTorrent with NetFlow? Well, you have to perform traffic behavior analysis.

Developers of tools like BitTorrent and Skype don’t want to see their application blocked by network admins. To avoid this, they employ traffic behavior techniques that make their application difficult to detect. How do they do this? They make the application behave like ‘ordinary’ applications. They can use ports like 80 and 443, which usually can’t be blocked. They engineer throttling techniques to ensure that no one connection out of hundreds absorbs excessive bandwidth (more on this in a minute). They also design the application to be flexible so that its behavior on the network can change.

In order to demonstrate the above, I decided to ask a couple of people I work with to initiate torrent downloads so that we could study the behavior with our NetFlow Analyzer.  The NetFlow is coming from our 48 port Enterasys N series switch.

P2P BitTorrent Detection with NetFlow

Above we see the top incoming internet hosts on the uplink interface during the time of the download. The BitTorrent download is in the traffic outside the top 10 (i.e. shown in gray). BitTorrent doesn’t want to grab the file from any one single host, so it grabs pieces of it from different hosts. This keeps the internet hosts sending the file out of the top 10. It’s clever.

At the very top of the report, I toggled Source to Destination.  I’m still looking at inbound traffic, I just want to look at the top hosts it is heading to:

P2P BitTorrent Detection with NetFlow 2

Notice above that 10.1.37.10 shows up as #1. In just 5 minutes it has downloaded 1.53 Gb (> 187MB) of the file. It is downloading the file from hundreds of different hosts.  How do I know this?  Look at the Flows column (2.48K)!

You can confirm your suspicions by filtering on 10.1.37.10 and changing the NetFlow report type:

P2P BitTorrent Detection with NetFlow 3

Notice above that the application uses different well known ports to over 800 different hosts to download the file. Savvy users of BitTorrent know to throttle the bandwidth consumed by any one connection to a few k/minute.
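The behavior described above (one internal host pulling pieces from hundreds of peers on mixed ports, with no single peer ever large enough to reach the top 10) can be turned into a simple scoring rule over NetFlow records. The following is an added example, not code from the post or from Scrutinizer; the flow records, the 198.18.x.x peer addresses and the thresholds are constructed assumptions.

```python
# Added example, not from the original post: a heuristic that flags internal hosts
# whose inbound NetFlow looks like a BitTorrent download, i.e. many distinct remote
# peers on mixed ports, with no single peer carrying a large share of the bytes.
from collections import defaultdict

def torrent_suspects(flows, min_peers=100, max_peer_share=0.05):
    """flows: iterable of (remote_ip, internal_ip, remote_port, bytes), inbound.

    Returns {internal_ip: stats} for hosts with >= min_peers distinct remote
    hosts where the busiest peer sends <= max_peer_share of the host's bytes.
    Thresholds are assumed values to tune per network.
    """
    hosts = defaultdict(lambda: {"bytes": 0, "flows": 0,
                                 "peers": defaultdict(int), "ports": set()})
    for remote_ip, internal_ip, remote_port, nbytes in flows:
        h = hosts[internal_ip]
        h["bytes"] += nbytes
        h["flows"] += 1
        h["peers"][remote_ip] += nbytes   # bytes received per remote peer
        h["ports"].add(remote_port)
    suspects = {}
    for ip, h in hosts.items():
        if h["bytes"] == 0:
            continue
        top_share = max(h["peers"].values()) / h["bytes"]
        if len(h["peers"]) >= min_peers and top_share <= max_peer_share:
            suspects[ip] = {"peers": len(h["peers"]), "flows": h["flows"],
                            "ports": len(h["ports"]), "bytes": h["bytes"],
                            "top_peer_share": round(top_share, 4)}
    return suspects

def sample_flows():
    """Constructed flow records for illustration (not captured data)."""
    flows = []
    # Mimics the post's 10.1.37.10: 800 peers, four ports, small pieces each.
    for i in range(800):
        peer = f"198.18.{i // 256}.{i % 256}"          # RFC 2544 benchmark range
        port = (80, 443, 6881, 51413)[i % 4]
        flows.append((peer, "10.1.37.10", port, 16384 + (i % 7) * 1024))
    # Ordinary large download from a single server: one dominant source.
    flows.append(("192.0.2.10", "10.1.37.20", 443, 200_000_000))
    for i in range(20):
        flows.append((f"203.0.113.{i}", "10.1.37.20", 443, 50_000))
    # Normal browsing: a few dozen sites, well under the peer threshold.
    for i in range(40):
        flows.append((f"203.0.113.{100 + i}", "10.1.37.30", 443, 300_000))
    return flows
```

Calling torrent_suspects(sample_flows()) flags only 10.1.37.10; the single-server download and the browsing host stay below the peer threshold, which is the same distinction the Destination report above makes visible.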

Luckily, Flow Analytics also knows what behavior to look for when it comes to BitTorrent and can monitor and alarm for this type of P2P traffic.

P2P BitTorrent Detection with NetFlow 4

P2P BitTorrent Detection with NetFlow 5

The above can be performed across hundreds of routers simultaneously and deduplication ensures that you don’t receive multiple alarms for the same torrent.

I hope the above helps you become more aware of BitTorrent. I don’t think it is a horrible application; however, it can be abused, and network admins need to be aware if it is causing problems.

Michael Patterson
Founder and CEO


2 Responses to “Detecting BitTorrent with NetFlow”

  1. Pinoy Says:

    Well, do you know how I can block torrents on my network? Can you please give any working applications that can block torrents? Thank you

  2. Jon Mills Says:

    It can seem a bit complicated, but using Cisco’s Network-Based Application Recognition (NBAR) and an Access Control List (ACL) it’s really not that bad.

    Since you can’t use NBAR protocols in ACLs, you have to set a Differentiated Services Code Point (DSCP), then use an ACL to drop that traffic.

    Here’s an example of how you would do that:

    1. Create a traffic class for BitTorrent named “bittorrent-class”. This can be used to identify BitTorrent traffic in a service policy.

    class-map match-any bittorrent-class
    match protocol bittorrent

    2. Create a service policy that marks the traffic with a DSCP value you don’t use anywhere. A service-policy will do things like change DSCP values on packets. It will not drop things (That is what an ACL is for).

    policy-map mark-bad-traffic
    class bittorrent-class
    set ip dscp 1

    3. Apply the service policy inbound on an interface. Now all BitTorrent inbound on Serial 0/0 is marked as DSCP 1.

    interface serial 0/0
    service-policy input mark-bad-traffic

    4. Create an ACL for all the stuff marked DSCP 1. I deny DSCP 1 then allow all other IP traffic. You really have to be sure you don’t have anything else marked like this!

    access-list 155 deny ip any any dscp 1
    access-list 155 permit ip any any

    5. Apply this ACL to outbound traffic on interface(s). The ACL will drop any outbound traffic marked with DSCP 1.

    interface FastEthernet 0/0
    ip access-group 155 out

    Here’s a great blog if you are interested in learning more about configuring NBAR.
