Detect limewire P2P traffic.

Question

Hi All,&nbsp;
&nbsp;Wondering anyone know using irules how can we detect limewire P2P traffic? I have a solution for eDonkey and bittorrent, but not sure how limewire traffic look like. &nbsp;
&nbsp;thanks in advance.&nbsp;

hoolio · Answer

How are you blocking eDonkey and BitTorrent traffic?  Are you blocking the default ports or actually inspecting the packets?&nbsp;
&nbsp;It would be relatively simple to block specific ports using packet filters (without a rule), but clients could still change the default port(s) the programs use.&nbsp;
&nbsp;Also, how is the traffic currently passing through the BIG-IP: a wildcard VIP, standard VIP or SNAT?&nbsp;
&nbsp;Aaron

kykong_107132 · Answer

Hi Aaron, 
&nbsp;for bittorrent and edonkey traffic, i detect it by analyzing the TCP payload. &nbsp;
&nbsp;Current the traffic are goin thru wildcard virtual server.&nbsp;
&nbsp;regards,&nbsp;

kykong_107132 · Answer

this are the irule that i used it to drop edonkey traffic.&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;        TCP::collect 0 0
&nbsp;}&nbsp;
&nbsp;when CLIENT_DATA {
&nbsp;    append payload [TCP::payload]
&nbsp;        if {[string length $payload] &lt; 6} {
&nbsp;            TCP::release
&nbsp;            TCP::collect
&nbsp;            return
&nbsp;        }&nbsp;
&nbsp;   TCP::release
&nbsp;   binary scan $payload cic ed_cli_protocol ed_cli_size ed_cli_type
&nbsp;   set ed_cli_protocol [expr { $ed_cli_protocol &amp; 0xff }]
&nbsp;   if {($ed_cli_protocol == 0xE3) } { edonkey protocol in hexa is 0xE3
&nbsp;       log "eMule signature $ed_cli_protocol , Emule traffic from [IP::remote_addr]"
&nbsp;       discard
&nbsp;  }
&nbsp; }&nbsp;

kykong_107132 · Answer

this is the irule to detect bittorrent traffic. actually i get this from  F5 solution center.&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;TCP::collect 0 0 
&nbsp;}&nbsp;
&nbsp;when CLIENT_DATA {
&nbsp;append payload [TCP::payload] 
&nbsp;if {[string length $payload] &lt; 6} { 
&nbsp;TCP::release
&nbsp;return 
&nbsp;}&nbsp;
&nbsp;TCP::release 
&nbsp;   binary scan $payload cc5 bt_size bt_protocol
&nbsp;if {($bt_protocol == "66 105 116 84 111") &amp;&amp; ($bt_size == 19)} { from the TCP payload, Bittor(66 105 116 84 111 is the binary format for “bittorrent) content a protocol name “bitorrent” and the protocol name length is 19
&nbsp;log "Torrent traffic from [IP::remote_addr]" 
&nbsp;discard
&nbsp;}
&nbsp;}&nbsp;

hoolio · Answer

I think this is the solution referenced for eMule and BitTorrent:&nbsp;
&nbsp;P2P rateshaping: Click here&nbsp;
&nbsp;And here is the AT&amp;T white paper referenced in the solution:&nbsp;Click here&nbsp;
&nbsp;Aaron

Forum Discussion

Detect limewire P2P traffic.

Recent Discussions

ppp TunnelStats: LCP_UNKNOWN_OPTIONS 1,LCP_PROTO_REJ 1,FSM_UNEXPECTED_DOWN 1,

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

F5 looses the token for the first call

feature request: container egress service

Related Content

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet

Operationlizing Online Fraud Detection, Prevention, and Response

End-to-End Fraud and Risk Detection with F5 Distributed Cloud

Detect and stop exfiltration attempts with F5 Distributed Cloud App Infrastructure Protection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS