Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Controlling bittorrent - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Controlling bittorrent

Bittorrent is a great tool to download large files. If the transfer is interrupted you haven't lost anything. The transfer will continue once you restart the download. There is however the other use of bit torrent and let's face it, probably one of the biggest uses of bit torrent, is to download copyrighted movies, music, books, etc.  Now regardless of where you stand on the issue of artist rights , music/movie distributors, etc, etc, as security professionals you are in the position of having to control traffic in and out of your organisation, including torrent traffic.
So what are your options? We will get the easy answer out of the way first, block all outbound traffic or proxy everything via a proxy server, but that doesn't solve all of our problems.  The first challenge is that many torrent applications proxy over http or https, how do we detect these? The second problem is that there will be people in your  organisation that will have a static IP and direct access to the Internet. Some applications just, don't play well with proxies and exemptions have to be made. How do you prevent these users from accessing torrents? How do you control torrent downloads that are legit and should be permitted and prevent the bad?

If you have a commercial content filter, then it may be able to detect torrent traffic in http or https. If you have an IDS or IPS it may be able to alert on p2p traffic in the environment. If you have application aware firewalls there may be a signature that can be applied to traffic to detect torrent traffic. If you have traffic shaping devices they may be able to distinguish torrent traffic on the network and take some action.  You can control user desktops and prevent them from installing applications, although many torrent apps will run with just the executable and don't need installation or can be run off a USB.
Distinguishing between a good torrent and a bad one? I haven't found anything that works well. URL filtering gives some measure of control, but isn't fool proof.

What measures do you take and are they working for you?  Let us know.

Mark H

Mark

391 Posts
ISC Handler
"having to control traffic in and out of your organisation" does not mean having to be the copyright police. Security professionals are not here to do HR's job. They're here to find things that can hurt the network, and I've never seen a pirated copy of a Britney Spears album take down a LAN (if it's got an embedded virus or something then that's a different problem, and one for which we do have solutions). If you want to block p2p traffic then do it for the right reason: because your bandwidth is too valuable to be shared with the rest of the world for free. Once you've got your reasons straight it's easy to find them. All you have to do it monitor overall bandwidth usage and take closer looks at the high consumers.
Anonymous
Proxy the Internet connection, and prevent the stupid app from getting on the workstation anyway. Application whitelisting, no administrator rights for users, and USB device monitoring.

The upside of the pain of something like AppLocker? They will also have a harder time getting viruses, malware, and toolbars
Anonymous
@bradc. I agree security is not the copyright police, however most security people do have an obligation to assist in protecting the company from liability. So from a pure networking perspective I agree with you. As a security person I do not. Your job is to manage risk. Your organisation being held liable for copyright infringements of staff is a risk.

M
Mark

391 Posts
ISC Handler
We are against any kind of P2P application running inside our environment, because of the door it opens for malware through pirated application downloads by ignorant users,

We have put the torrent and the variants of it in the application blacklist in our Endpoint security application, which blocks the exe from running and gives us an alert,

Apart from this we keep monitoring installations of any unwarranted applications through our desktop management system, remotely uninstall it and warn the users of the consequences.

And finally the user education, where we educate the users about various ways used by malware to infiltrate the systems and the possibility of it putting their personal and professional data in danger.
Mark
1 Posts
Unfortunately, I feel there's an obligation of security folks to report anomalies if they are observed, no matter if its a perceived HR issue. There's also the fact that pirated software usually contains malware. Even if there's a business need for using torrent software, the traffic should be watched. The last thing most companies need is to be liable for an attack compromise against another company's network.
Ron

29 Posts
@Ron
I agree that we have an obligation to report anomalies and that illegal software and corporations don't mix well, but saying Pirated software usually contains malware is a little too much.
Justin

2 Posts
@Justin
YMMV. It probably depends on how much malware you're used to seeing that uses torrents as vectors. You might not have seen much...I've seen enough to suspect most torrent traffic as untrustworthy. You don't know what you're gonna get until you have it. Sure, you can say that of any file transfer but there are a few mitigation steps that can be applied (gpg key authentication, for example)...but you don't normally see that on bittorrent. You're getting pieces of the software from random hosts that are sharing parts of the file. You actually don't know what you're getting and can't verify the integrity of file...you may be able to do this from torrents that are maintained by open-source projects, maybe (Slackware v12.2 torrent, for example), but can you say the same for a movie or music track? In my experience, no. There are probably safer (and better) ways to get the software you need than torrents, IMO. In my experience, being on-guard helps a ton...its when you're not on guard is when you get bit in the backside...especially with torrents.
Ron

29 Posts
Mark,
As long as OpenDNS keeps the Torrent sites tagged in the P2P/File Sharing category, I *think* I'm okay. If college son (studying professional game development) needs a torrent for school homework, I will white-list it for him (or for myself on the rare occasion) but then when the work is done, remove the white-listing. So far, since I control my SOHO net, and demand admin access to all boxes (e.g. college boyz machines and devices...) that are allowed to use MY bandwidth and be inside MY perimeter, we've been okay. Knock on wood.
The only thing that I can think of that might present a torrent problem would be a new one, OpenDNS wouldn't have tagged yet. I'm looking at rules on my new router or new firmware on it to block the typical P2P ports. But that is another story. Maybe for 10/2/2010....
BzS
BezantSoft

14 Posts

Sign Up for Free or Log In to start participating in the conversation!