A common problem for network administrators is end users getting into the habit of blaming the network for slowness on their workstations. For this reason it’s important for network administrators not only to prove, but sometimes to disprove, issues with the network. Sometimes the issue is a combination of both.
I have to admit that I love it when I’ve finished configuring Flow Analytics and the Threats Overview dashboard lights up to let you know things may be going on that aren’t supposed to be.
Of all of the algorithms in Flow Analytics, my favorite is the P2P Monitor. The P2P algorithm watches for connection patterns (BitTorrent included) such as, amongst other things, a high number of hosts connecting to a single host on your network.
We found a case where the P2P monitor alerted on a certain internal IP. I thought it was amusing that the admins had a pretty good idea of who this was just by the IP. We investigated it further and this is what we found.
I expect to see a lot of traffic on TCP port 80, but UDP?… I decided to drill down into the conversations and saw traffic consistent with Torrent traffic.
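The fan-in check described above, run over flow records, as an added defender-side example that is not code from Flow Analytics or from the original post; the sample flows, the `10.` internal prefix and the peer threshold are constructed assumptions:

```python
from collections import defaultdict

# Constructed flow records for this example (not from the post):
# (src_ip, src_port, dst_ip, dst_port, proto). 10.1.2.3 serves UDP/80 to
# many distinct outside peers; 10.1.2.4 just browses from ephemeral ports.
SAMPLE_FLOWS = [
    ("203.0.113.10", 40001, "10.1.2.3", 80, "UDP"),
    ("203.0.113.11", 40002, "10.1.2.3", 80, "UDP"),
    ("10.1.2.3", 80, "198.51.100.7", 6881, "UDP"),
    ("198.51.100.8", 40003, "10.1.2.3", 80, "UDP"),
    ("192.0.2.20", 40004, "10.1.2.3", 80, "UDP"),
    ("10.1.2.3", 80, "192.0.2.21", 6881, "UDP"),
    ("10.1.2.4", 51000, "203.0.113.50", 80, "TCP"),
    ("10.1.2.4", 51001, "203.0.113.51", 443, "TCP"),
]

# Ports that normally carry only TCP; UDP on them is worth a second look.
TCP_ONLY_PORTS = {80, 443}


def peer_counts(flows, internal_prefix="10."):
    """Count distinct outside peers per (internal host, proto, local port).
    Flows count in either direction, since P2P peers connect both ways; the
    local-side port is the key so a fixed service port like UDP/80 stands out."""
    peers = defaultdict(set)
    for src, sport, dst, dport, proto in flows:
        src_in = src.startswith(internal_prefix)
        dst_in = dst.startswith(internal_prefix)
        if src_in and not dst_in:      # outbound: local port is sport
            peers[(src, proto, sport)].add(dst)
        elif dst_in and not src_in:    # inbound: local port is dport
            peers[(dst, proto, dport)].add(src)
    return {key: len(s) for key, s in peers.items()}


def p2p_suspects(flows, internal_prefix="10.", min_peers=5):
    """Return hosts whose distinct peer count on one proto/port reaches
    min_peers, flagging UDP seen on a port that should only carry TCP."""
    findings = []
    for (host, proto, port), n in sorted(peer_counts(flows, internal_prefix).items()):
        if n >= min_peers:
            findings.append({"host": host, "proto": proto, "port": port, "peers": n,
                             "udp_on_tcp_port": proto == "UDP" and port in TCP_ONLY_PORTS})
    return findings


if __name__ == "__main__":
    for finding in p2p_suspects(SAMPLE_FLOWS):
        print(finding)
```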
The network admins then used another application to see what was installed on this person’s workstation, and found an application called “sopcast”.
From SopCast’s website: “SopCast is a simple, free way to broadcast video and audio or watch the video and listen to radio on the Internet. Adopting P2P (Peer-to-Peer) technology, it is very efficient and easy to use. Let anyone become a broadcaster without the costs of a powerful server and vast bandwidth. You can build your own TV stations comparable with large commercial sites with minimal resources. Using SopCast, you can serve 10,000 online users with a personal computer and a home broadband connection.
SoP is the abbreviation for Streaming over P2P. Sopcast is a Streaming Direct Broadcasting System based on P2P. The core is the communication protocol produced by Sopcast Team, which is named sop://, or SoP technology.”
I also read on the site that the service port can be changed to any port of the user’s preference. The user knew that UDP port 80 was open and used it to watch TV, or listen to the radio, or whatever he was doing.
I don’t know what the story is with this guy, since the network admins seem to have him fresh in their minds, but in this economy, it’s not a good thing to get caught slacking off and abusing network resources at the same time. You just might have to eat a big steamy plate of humble pie…
Don’t be that guy…