[LARTC] Detecting p2p traffic
Andrew Beverley
andy at andybev.com
Mon May 8 01:43:07 CEST 2006
After varying degrees of success with p2p detection modules, I would like to
write the following rules using iptables to reliably identify p2p traffic:
1. If a host on the network has 5 or more simultaneous tcp connections to ports
above 1024, mark all connections to ports 1024 and above as 60.
2. If a host has received (or sent) UDP packets from 5 different hosts' ports
above 1024 in a minute then classify all UDP traffic to and from that host
above port 1024 as 60.
Number 1 can almost be achieved using something similar to:
iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK --set-mark 60
Unfortunately though it still leaves 5 connections slurping up plenty of
bandwidth.
I have no ideas for number 2.
Anybody any ideas?
On my network all p2p traffic falls into these categories, and I don't mind
overmatching with other traffic.
Thanks,
Andy
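One way to build both heuristics with stock iptables extensions, as an added example that is not part of the original post and not code from the LARTC list. The idea that addresses the "still leaves 5 connections" problem is to stop marking per-connection: once connlimit trips, the host's address is put on a `recent` list, and a second rule then marks every high-port packet from that host (including the flows that were already open) for as long as it stays on the list. CONNMARK save/restore carries the mark onto the return traffic. Assumptions: iptables with the connlimit, recent, mark and connmark extensions, a connlimit that counts conntrack entries for UDP as well as TCP (modern xt_connlimit does; the old patch-o-matic module was TCP-only), and a constructed LAN range of 192.168.0.0/24.

```shell
#!/bin/sh
# Added example, not from the original post: mark a LAN host's high-port
# traffic once it holds more than LIMIT parallel flows to ports >= 1024,
# and keep marking ALL of that host's high-port traffic (including the
# flows that were open before the limit tripped) for HOLD_SECONDS.
# Assumptions: iptables with the connlimit, recent, mark and connmark
# extensions, and a connlimit that counts conntrack entries for UDP as
# well as TCP. LAN_NET is a constructed example range.
# Set IPTABLES=echo to preview the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
MARK=60            # fwmark that the tc classifier will look for
LIMIT=5            # connlimit trips when a host has MORE than this many flows
HOLD_SECONDS=60    # how long a flagged host keeps being marked

run() { "$IPTABLES" "$@"; }

# Delete-then-append so the script can be re-run without duplicating rules.
ensure() {
    run -t mangle -D "$@" 2>/dev/null || true
    run -t mangle -A "$@"
}

p2p_rules() {
    run -t mangle -N P2P 2>/dev/null || true
    run -t mangle -F P2P

    # Give every packet the mark stored on its connection, so return traffic
    # from the Internet side (which never matches -s LAN_NET) is marked too.
    ensure PREROUTING -j CONNMARK --restore-mark

    # Only LAN-originated traffic to ports 1024 and above is examined.
    ensure PREROUTING -s "$LAN_NET" -p tcp --dport 1024:65535 -j P2P
    ensure PREROUTING -s "$LAN_NET" -p udp --dport 1024:65535 -j P2P

    # Heuristic: more than LIMIT parallel high-port flows from one source
    # -> put the source address on the "p2p" recent list. No target: the
    # rule exists only for this side effect and always falls through.
    run -t mangle -A P2P -m connlimit --connlimit-above "$LIMIT" \
        -m recent --name p2p --set

    # Any host seen on the list within HOLD_SECONDS gets all of its
    # high-port packets marked, including the first LIMIT flows that a
    # bare connlimit rule would have left unmarked.
    run -t mangle -A P2P -m recent --name p2p --rcheck --seconds "$HOLD_SECONDS" \
        -j MARK --set-mark "$MARK"

    # Persist the mark on the conntrack entry for --restore-mark above.
    run -t mangle -A P2P -m mark --mark "$MARK" -j CONNMARK --save-mark
}

# Load the rules only when explicitly asked, e.g. `sh p2p-mark.sh apply`;
# `IPTABLES=echo sh p2p-mark.sh apply` prints them for review.
if [ "${1:-}" = apply ]; then
    p2p_rules
fi
```

For the UDP case this only approximates rule 2: connlimit counts concurrent conntrack entries from the host (which expire after the UDP conntrack timeouts, 30 s unreplied and 180 s for a stream by default), not distinct peer hosts within one minute, so a single chatty UDP peer can also trip it. Since the post says overmatching is acceptable, that is probably fine, but HOLD_SECONDS and LIMIT are the knobs to tune if legitimate clients with many parallel downloads get caught.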