Loading...
Thursday, 21 November 2013

How to Block Torrent in Mikrotik


The bane of most ISPs is Peer to Peer traffic(p2p). If you run hotels or apartments, especially apartments full of students, p2p will be your main source of issues. In some cases, extreme measure must be taken. So how does one go about taking back their network? The first thing to do is to find the offending traffic.
Mikrotik has some built in matching functionality for p2p traffic. You can use this in mangle rules or firewall rules. In mangle, you can mark the packets and then lower their precedence, or stick them in a smaller queue. In the firewall, you can block them all together.
Notice the many matches
Notice the many matches
Here’s the rub, bit torrent traffic is almost universally encrypted, so these matching methods will generally not do you too much good. These matches must inspect the packets, and when encrypted they look like so much junk. So what do you do now?
You drop it like you are Fox and bit torrent is “Are you smarter than a fifth grader?”, “Do not disturb”, “Don’t forget the lyrics”, “Hole in the wall”, “MADtv”, “osborns reloaded”, “Prison Break”, “Secret millionaire”, “Sit down, shutup” or “Terminator”. So how do we drop it? I do it in the following ways.
First, we block people from finding torrents :) Using MTKs layer 7 inspection(L7), we match http get requests for bit torrent sites and related sites. Here’s my regex:
1
^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$
Here’s the CLI code you can simply paste:
1
2
/ip firewall layer7-protocol
add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$"
This regex matches most of the popular torrent sites. You will notice that the word torrent is also there. If you go to google and type torrent, it will match the get request…what! hehehe. This means that even if they try to google for a torrent it will get matched. So now we put in a firewall rule to block with this L7.
1
2
3
/ip firewall filter
add action=drop chain=forward comment="block torrent wwws" disabled=no layer7-protocol=\
    torrent-wwws
From the GUI, you set chain to forward and under the advanced you choose the L7:
As you can see, on the forward chain, I added the L7 torrent-wwws, which was defined earlier. This means anyone trying to browse to any of our specified bit torrent sites will get blocked. Also if their client tries to hit the tracker with a get request, it gets stopped too. Now, just to put a bow on top, lets be a little more devious! Lets block DNS queries based on the same regex.
Here’s the new regex:
1
^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$
Here’s the code to copy and paste in the CLI:
1
2
/ip firewall layer7-protocol
add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
Here’s the firewall rule to block:
1
2
3
/ip firewall filter
add action=drop chain=forward comment="block torrent dns" disabled=no dst-port=53 \
    layer7-protocol=torrent-dns protocol=udp
Notice that I’m blocking UDP to port 53, so this will drop all DNS queries to our torrent list above. :)This way, if they are using a web proxy, they will still get blocked! If their client tries to do any resolution matching this good stuff, it will get blocked too.
Using the above method to block along with the standard p2p matching, it looks like you can save around 25% – 50% utilization on traffic. Though, what will the kids do when they can’t download their pornography and movies…I think the internet has no other use?
*Edit* It appears as if Blizzard, makers of WoW, are now only allowing updates via BitTorrent. I’ve written a little exclusion for this that can be found here.

0 comments:

Post a Comment

Latest @ World's TOP 10

Contact

Total Pageviews

 
TOP