How to effectively block torrents on my network?
As per the network policy, we have to block all torrent traffic from the network. To do this, I used to block all ports above 1024 on my firewall/proxy devices. But due to this, many other applications which use non-standard ports are not able to function, especially mobile applications, and users are complaining because of this.
Is there an effective way of blocking torrents on my network?
A minimum number of ports, a few specific ports, or application-level filtering?
We have Cisco IronPort security and Cisco ASA 5500 firewall devices.
You have a number of ways to restrict torrents:
- Blocking ports: this doesn't work, because p2p traffic can use pretty much any port (even ones below 1024)
- Deep inspection: looking at traffic and blocking based on type can help you a lot, however encrypted traffic all looks alike
- Destination filtering: this may also help a bit, but you'd have to maintain a large blacklist
- Volume: if a user is downloading/uploading large amounts of traffic, then investigate
- Controlling the applications installed on the computers on your network through Group Policy or a real-world policy. Disallow all p2p applications, and if anyone breaches the policy, don't let them use the network/fire them/fine them/whatever
Tracking volume by user + a baseball bat is usually your best bet ... I have also seen destination filtering with a whitelist with exceptions for specific users be quite effective. Controlling applications can be difficult to enforce (users can just boot from USB Linux and either give themselves root or run the torrent from bootable Linux)
BitTorrent can run on any port, and can be wrapped inside SSL, so blocking by ports or traffic data isn't going to get you anywhere.
My suggestion would be to block HTTP traffic on any port which matches the tracker announce protocol, as per the specification. This won't work if the tracker is running on HTTPS, but most don't. It also won't prevent DHT from working, but that's unlikely to matter too much.
Additionally, you can monitor traffic to see if large amounts of data are being transferred to a single user, and take action based upon that.
My opinion is that this isn't a technical issue - it's a policy issue. Make all your users sign a usage policy that explicitly bans the use of file-sharing networks and systems, including BitTorrent, and ensure that appropriate punishments can be enforced should people violate that policy.
Torrenting with DHT only is easily possible, and trackers aren't limited to a specific port.
I agree that torrent can run on any port, but I suppose that only applies to outgoing ports, not incoming ports. So can we do something considering that?
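The tracker-announce approach from the answer above, as an added example that is not from any poster here: a Python detector that recognises HTTP tracker announce requests by their mandatory query parameters (info_hash, peer_id, port, uploaded, downloaded, left) rather than by host, path or port, run over constructed proxy log lines in an assumed `client_ip method url` format. As the answer notes, this sees nothing inside HTTPS and nothing of DHT.

```python
from urllib.parse import urlsplit, unquote_to_bytes

# Query parameters every tracker announce carries (BitTorrent spec, BEP 3).
ANNOUNCE_KEYS = {"info_hash", "peer_id", "port", "uploaded", "downloaded", "left"}

def split_query(query):
    """Split a raw query string without decoding, so binary values survive."""
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    return params

def is_tracker_announce(url):
    """True if the URL carries a well-formed announce; host, path and port are ignored."""
    params = split_query(urlsplit(url).query)
    if not ANNOUNCE_KEYS.issubset(params):
        return False
    # info_hash and peer_id are 20 raw bytes, percent-encoded by the client.
    if any(len(unquote_to_bytes(params[k])) != 20 for k in ("info_hash", "peer_id")):
        return False
    try:
        port = int(params["port"])
        counters = [int(params[k]) for k in ("uploaded", "downloaded", "left")]
    except ValueError:
        return False
    return 0 < port < 65536 and all(c >= 0 for c in counters)

def flag_announces(log_lines):
    """Return (client, url) for every proxy log line that is a tracker announce.
    Each line is assumed to be 'client_ip method url' (constructed format)."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "GET" and is_tracker_announce(fields[2]):
            hits.append((fields[0], fields[2]))
    return hits

# Constructed sample log lines: one real-looking announce, one ordinary API
# call, and one announce with a truncated info_hash that must not match.
SAMPLE_LOG = [
    "192.0.2.10 GET http://tracker.example.test:6969/announce?info_hash=%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14&peer_id=-qB4500-abcdefghijkl&port=51413&uploaded=0&downloaded=0&left=734003200&compact=1",
    "192.0.2.11 GET http://api.example.test/v1/items?id=42&left=3",
    "192.0.2.12 GET http://example.test/announce?info_hash=abc&peer_id=x&port=1&uploaded=0&downloaded=0&left=0",
]

if __name__ == "__main__":
    for client, url in flag_announces(SAMPLE_LOG):
        print(f"tracker announce from {client}: {url[:60]}...")
```

On a real proxy, the same check can drive a deny rule; a flagged client is also a natural candidate for the per-user volume monitoring the answers suggest.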
From my perspective, only deep packet inspection including SSL/TLS traffic will work.
Common practice is to have a proxy server in internal network (with the SSL inspection) to allow users to access the internet (and block all unwanted sites / services) then block all traffic outgoing from such users directly to the internet. If you need to allow users to access specific servers on non-standard ports you have to allow them explicitly (IP, protocol, port / service).
What kind of non-standard services are users accessing from your network?
The most effective way is to install a unified threat management (UTM) box or a next-generation firewall. These boxes are capable of doing layer 7 inspection and can identify the applications and users. To get a taste of what it is, try playing with the free Sophos UTM available here.
I would recommend you block all UDP ports 1-65535, and also all TCP ports except one which brings you to your Squid proxy running with filters and ACLs to undertake more filtering options. uTorrent won't have a chance to connect!
As mentioned in other answers to this post, torrent is almost impossible to block effectively. Effective policies on its usage can help. Also, you may not need to block it - just allocate a very, very minuscule bandwidth to torrents so that a download that would normally take an hour would be downloaded in a year to ∞
Torrent can use any ports; how can you define a filter rule for which data packet is a torrent and which is not?
@schroeder I am not sure of the details, but as far as I know, torrent is also encrypted, which typically hardens it against protocol inspection.