[LARTC] Detecting p2p traffic

[Andrew Beverley]

Ryan Castellucci wrote:
> On 5/7/06, Andrew Beverley <andy at andybev.com> wrote:
>> After varying degrees of success with p2p detection modules, I
>> would like to write the following rules using iptables to reliably
>> identify p2p traffic:
>> 
>> 1. If a host on the network has 5 or more simutaneous tcp
>> connections to ports above 1024, mark all connections to ports 1024
>> and above as 60.
>> 
>> 2. If a host has received (or sent) UDP packets from 5 different 
>> hosts' ports above 1024 in a minute then classify all UDP traffic
>> to and from that host above port 1024 as 60.
>> 
>> Number 1 can almost be acheived using something similar to: 
>> iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK
>>  --set-mark 60
>> 
>> Unfortunately though it still leaves 5 connections slurping up
>> plenty of bandwidth.
>> 
>> I have no ideas for number 2.
>> 
>> Anybody any ideas?
> 
> Take a look at the 'recent' and 'set' stuff.  You can use it to
> create groups of 'naughty' users and match against those groups.
> Recent is probably better in this case.

I achieved most of this with 'set'. I create an iptree ipset list that 
times out after 60 seconds. If the above are detected then the user's IP 
address is added to the ipset, and any subsequent traffic from the user 
destined to or from ports above 1024 is marked at a lower priority.

The one thing I haven't managed yet is detecting many different UDP 
ports within a set time period. Instead I match on UDP traffic packets 
longer then 1000 bytes, which seems to work on the whole but I'd like to 
get it to detect on different port numbers as it is less likely to over 
match.

Andy