F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

kykong_107132's avatar
kykong_107132
Icon for Nimbostratus rankNimbostratus
Aug 03, 2006

Detect limewire P2P traffic.

Hi All,

 

 

Wondering anyone know using irules how can we detect limewire P2P traffic? I have a solution for eDonkey and bittorrent, but not sure how limewire traffic look like.

 

 

thanks in advance.

 

application delivery
dev
devops
iRules

5 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 03, 2006
    How are you blocking eDonkey and BitTorrent traffic? Are you blocking the default ports or actually inspecting the packets?

     

     

    It would be relatively simple to block specific ports using packet filters (without a rule), but clients could still change the default port(s) the programs use.

     

     

    Also, how is the traffic currently passing through the BIG-IP: a wildcard VIP, standard VIP or SNAT?

     

     

    Aaron
  • kykong_107132's avatar
    kykong_107132
    Icon for Nimbostratus rankNimbostratus
    Aug 03, 2006
    Hi Aaron,

     

    for bittorrent and edonkey traffic, i detect it by analyzing the TCP payload.

     

     

    Current the traffic are goin thru wildcard virtual server.

     

     

    regards,

     

  • kykong_107132's avatar
    kykong_107132
    Icon for Nimbostratus rankNimbostratus
    Aug 03, 2006
    this are the irule that i used it to drop edonkey traffic.

     

     

    when CLIENT_ACCEPTED {

     

    TCP::collect 0 0

     

    }

     

     

    when CLIENT_DATA {

     

    append payload [TCP::payload]

     

    if {[string length $payload] < 6} {

     

    TCP::release

     

    TCP::collect

     

    return

     

    }

     

     

    TCP::release

     

    binary scan $payload cic ed_cli_protocol ed_cli_size ed_cli_type

     

    set ed_cli_protocol [expr { $ed_cli_protocol & 0xff }]

     

    if {($ed_cli_protocol == 0xE3) } { edonkey protocol in hexa is 0xE3

     

    log "eMule signature $ed_cli_protocol , Emule traffic from [IP::remote_addr]"

     

    discard

     

    }

     

    }

     

  • kykong_107132's avatar
    kykong_107132
    Icon for Nimbostratus rankNimbostratus
    Aug 03, 2006
    this is the irule to detect bittorrent traffic. actually i get this from F5 solution center.

     

     

    when CLIENT_ACCEPTED {

     

    TCP::collect 0 0

     

    }

     

     

    when CLIENT_DATA {

     

    append payload [TCP::payload]

     

    if {[string length $payload] < 6} {

     

    TCP::release

     

    return

     

    }

     

     

    TCP::release

     

    binary scan $payload cc5 bt_size bt_protocol

     

    if {($bt_protocol == "66 105 116 84 111") && ($bt_size == 19)} { from the TCP payload, Bittor(66 105 116 84 111 is the binary format for “bittorrent) content a protocol name “bitorrent” and the protocol name length is 19

     

    log "Torrent traffic from [IP::remote_addr]"

     

    discard

     

    }

     

    }

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 04, 2006
    I think this is the solution referenced for eMule and BitTorrent:

     

     

    P2P rateshaping: Click here

     

     

    And here is the AT&T white paper referenced in the solution:

     

    Click here

     

     

    Aaron