Is P2P or BitTorrent traffic a concern on your network? More specifically, how can you detect BitTorrent with NetFlow? Well, you have to perform traffic behavior analysis.
Developers of tools like BitTorrent and Skype don’t want to see their application blocked by network admins. To avoid this, they employ traffic behavior techniques that make their application difficult to detect. How do they do this? They make the application behave like ‘ordinary’ applications. They can use ports like 80 and 443, which usually can’t be blocked. They engineer throttling techniques to ensure that any one connection out of hundreds doesn’t absorb excessive bandwidth (more on this in a minute). They also design the application to be flexible so that its behavior on the network can change.
In order to demonstrate the above, I asked a couple of people I work with to initiate torrent downloads so that we could study the behavior with our NetFlow Analyzer. The NetFlow is coming from our 48-port Enterasys N series switch.
Above we see the top incoming internet hosts on the uplink interface during the time of the download. The BitTorrent download is in the non-top-10 traffic (i.e. shown in gray). BitTorrent doesn’t want to grab the file from any one single host, so it grabs pieces of it from different hosts. This keeps the internet hosts sending the file out of the top 10. It’s clever.
At the very top of the report, I toggled Source to Destination. I’m still looking at inbound traffic; I just want to look at the top hosts it is heading to:
Notice above that 10.1.37.10 shows up as #1. In just 5 minutes it has downloaded 1.53 Gb (> 187MB) of the file. It is downloading the file from hundreds of different hosts. How do I know this? Look at the Flows column (2.48K)!
You can confirm your suspicions by filtering on 10.1.37.10 and changing the NetFlow report type:
Notice above that the application uses different well known ports to over 800 different hosts to download the file. Savvy users of BitTorrent know to throttle the bandwidth consumed by any one connection to a few k/minute.
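The behavior described in the last few paragraphs (one internal host pulling a file from hundreds of distinct peers, on well known ports, with each connection throttled to a small size) can be scored directly from flow records rather than from ports alone. The script below is an added example, not code from the post or from the NetFlow Analyzer product; it builds a constructed inbound flow export with one host shaped like the 10.1.37.10 case and one normal client, aggregates per internal host, and applies the three traits as a heuristic. The thresholds, the `Flow`/`HostStats` types and the sample addresses are all assumptions for illustration.

```python
"""Behavior-based P2P heuristic over NetFlow-style records (added example).

Instead of matching a port or a payload signature, score each internal
host on the traits a throttled BitTorrent client shows in flow data:
many distinct remote peers, many flows, and a small average size per flow.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import random

# Assumed thresholds for illustration; tune them against your own baseline.
MIN_DISTINCT_PEERS = 100               # hosts a normal client rarely reaches in 5 min
MIN_FLOWS = 200
MAX_MEAN_BYTES_PER_FLOW = 256 * 1024   # small, throttled transfers

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    bytes: int


@dataclass
class HostStats:
    flows: int = 0
    total_bytes: int = 0
    peers: set = field(default_factory=set)         # distinct remote IPs
    remote_ports: set = field(default_factory=set)  # distinct remote ports

    @property
    def mean_bytes_per_flow(self) -> float:
        return self.total_bytes / self.flows if self.flows else 0.0


def build_sample_flows(seed: int = 1) -> list[Flow]:
    """Constructed inbound flow export (remote src -> internal dst).

    10.1.37.10 mimics the torrent client in the post: 800 distinct peers,
    well known remote ports, every flow kept small by throttling.
    10.1.37.20 is a normal client pulling a few large files from two servers.
    Addresses are made up for the example.
    """
    rng = random.Random(seed)
    flows = []
    well_known = [80, 443, 6881]
    for i in range(800):
        peer = f"198.51.{i // 254 + 1}.{i % 254 + 1}"   # 800 distinct peers
        flows.append(Flow(peer, "10.1.37.10", 6, rng.choice(well_known),
                          rng.randrange(49152, 65535), rng.randrange(20_000, 120_000)))
    for server in ("192.0.2.10", "192.0.2.11"):
        for _ in range(3):
            flows.append(Flow(server, "10.1.37.20", 6, 443,
                              rng.randrange(49152, 65535), rng.randrange(50, 200) * 1_000_000))
    # One flow whose destination is not ours; the aggregator must skip it.
    flows.append(Flow("192.0.2.10", "203.0.113.7", 6, 443, 50000, 5_000))
    return flows


def aggregate(flows: list[Flow]) -> dict[str, HostStats]:
    """Group inbound flows by internal destination host."""
    stats: dict[str, HostStats] = defaultdict(HostStats)
    for f in flows:
        if ip_address(f.dst_ip) not in INTERNAL_NET:
            continue  # only score hosts we are responsible for
        s = stats[f.dst_ip]
        s.flows += 1
        s.total_bytes += f.bytes
        s.peers.add(f.src_ip)
        s.remote_ports.add(f.src_port)
    return dict(stats)


def looks_like_p2p(s: HostStats) -> bool:
    """All three traits together: many peers, many flows, small per-flow size."""
    return (len(s.peers) >= MIN_DISTINCT_PEERS
            and s.flows >= MIN_FLOWS
            and s.mean_bytes_per_flow <= MAX_MEAN_BYTES_PER_FLOW)


def flag_hosts(flows: list[Flow]) -> dict[str, HostStats]:
    """Return only the internal hosts whose flow profile matches the heuristic."""
    return {host: s for host, s in aggregate(flows).items() if looks_like_p2p(s)}


if __name__ == "__main__":
    for host, s in aggregate(build_sample_flows()).items():
        verdict = "P2P-like" if looks_like_p2p(s) else "normal"
        print(f"{host}: peers={len(s.peers)} flows={s.flows} "
              f"mean_bytes={s.mean_bytes_per_flow:,.0f} -> {verdict}")
```

The normal client moves far more bytes in total but touches only two peers with a large mean per flow, so it is not flagged; the torrent-shaped host is flagged on peer count and flow count even though no single flow of its stands out, which is exactly why a top-talkers view misses it. In practice you would feed the same aggregation from a real collector export and alarm when a host crosses all three thresholds inside the reporting window.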
Luckily, Flow Analytics also knows what behavior to look for when it comes to BitTorrent and can monitor and alarm for this type of P2P traffic.
The above can be performed across hundreds of routers simultaneously and deduplication ensures that you don’t receive multiple alarms for the same torrent.
I hope the above helps you become more aware of BitTorrent. I don’t think it is a horrible application; however, it can be abused, and network admins need to be aware if it is causing problems.