How do you block bit torrent traffic with a Cisco ASA?

  • I have referenced an old external Cisco article on how to block BitTorrent traffic, referenced on-line Here

    This procedure I have found only works 50% of the time.

    I find that blocking BitTorrent-specific ports and doing the regex do work; it just does not catch all the traffic.

    object-group service bit-torrent-services tcp-udp
    port-object eq 6969
    port-object range 6881 6999
    

    and

    regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"
    

    Does anyone have a more up to date regex for finding BitTorrent traffic? Or is this the limit of the ASA at this time?

    I believe this would be the limit of the ASA at this time. Other UTM appliances use "an application module (based on IPS)" and can successfully block it. Nevertheless, I am sure you can do it too, but using an IPS module attached to the ASA.

  • Ricky (correct answer, 8 years ago)

    <joke>Unplug it</joke>

    Bittorrent clients can (and do) use random ports. Blocking the common ports will only encourage users to move to different ports. Also, the inter-client traffic has supported encryption for some years now -- originally as a means to limit ISP interference -- making the actual p-t-p traffic unrecognizable.

    Looking for "info_hash" in the client-tracker communication, while somewhat effective, is also easily defeated. (tor, ssl, vpn, etc.) It also does nothing to stop tracker-less swarms (DHT), peer-exchange (PEX), UDP tracker protocol...

    If you've managed to kill 50%, count yourself lucky. This is a game of whack-a-mole you cannot win.
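    The coverage gap the answer describes can be checked directly. The following is an added example in Python, not code from the question, the answer, or Cisco: it models the two controls the question posted (the 6969 / 6881-6999 port object-group and the info_hash regex) and runs them over a handful of constructed sample flows, showing that an HTTP tracker announce is caught by the regex regardless of case, a peer connection on a listed port is caught by the port rule, while a UDP tracker connect request (BEP 15 layout) and an opaque peer payload on a random high port pass both checks. All ports and payloads below are constructed; `would_block` is a hypothetical helper, not an ASA feature.

    ```python
    """Added example: model the question's two ASA controls (port object-group and
    info_hash regex) and apply them to constructed sample flows.  None of the
    payloads below is captured traffic."""
    import re

    # Port object-group from the question: eq 6969 and range 6881-6999 (tcp-udp).
    BLOCKED_PORTS = {6969} | set(range(6881, 7000))

    # The question's regex, translated to Python's re module.  The ASA pattern spells
    # out [Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh] for case-insensitivity; IGNORECASE is the
    # equivalent here.  The surrounding .* are redundant with re.search but kept to
    # mirror the ASA string.
    INFO_HASH_RE = re.compile(r".*info_hash=.*", re.IGNORECASE)


    def port_blocked(port: int) -> bool:
        """True if the destination port falls inside the question's object-group."""
        return port in BLOCKED_PORTS


    def regex_matches(payload) -> bool:
        """Apply the info_hash regex to a payload given as str or raw bytes."""
        if isinstance(payload, bytes):
            # latin-1 maps every byte to one character, so binary payloads can be
            # scanned without decode errors.
            payload = payload.decode("latin-1")
        return INFO_HASH_RE.search(payload) is not None


    def would_block(dst_port: int, payload) -> bool:
        """Hypothetical combined decision: block if either control fires."""
        return port_blocked(dst_port) or regex_matches(payload)


    # Constructed sample flows as (dst_port, payload).
    SAMPLES = {
        # HTTP tracker announce on port 80: outside the port range, caught by the regex.
        "http_announce": (80, b"GET /announce?info_hash=%12%34%56&peer_id=-AB1234-&port=51413 HTTP/1.1\r\n"
                              b"Host: tracker.example\r\n\r\n"),
        # Same request with the parameter name in upper case: still caught.
        "http_announce_upper": (8080, b"GET /announce?INFO_HASH=%12%34%56 HTTP/1.1\r\n\r\n"),
        # Peer connection on a listed port: caught by the port rule alone
        # (payload is the standard BitTorrent handshake prefix).
        "peer_on_6881": (6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
        # Peer connection on a random high port with an opaque (encrypted) payload: missed.
        "peer_random_port": (51413, b"\x8f\x1c\xa0\x44\x7e\x9b\x02\xd1"),
        # UDP tracker connect request (BEP 15: 64-bit protocol id, action=0,
        # transaction id) on an unlisted port: no "info_hash" text at all, so missed.
        "udp_tracker_connect": (1337, bytes.fromhex("0000041727101980" "00000000" "a1b2c3d4")),
        # Ordinary web request: passes, as it should.
        "plain_web": (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    }


    def evaluate(samples=SAMPLES) -> dict:
        """Return {sample name: blocked?} for each flow under the two modelled controls."""
        return {name: would_block(port, payload) for name, (port, payload) in samples.items()}


    if __name__ == "__main__":
        for name, blocked in evaluate().items():
            print(f"{name:22s} -> {'blocked' if blocked else 'passed'}")
    ```

    Running it shows three of the six flows blocked; the two that pass (`peer_random_port` and `udp_tracker_connect`) are exactly the random-port encrypted peer traffic and the UDP tracker protocol the answer names, which is why this approach tops out well short of full coverage without an IPS-style application module.
    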

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM