17.1  P2P Eliminator

Peer-to-Peer (P2P) networks are world-wide distributed systems in which each node can act as both a client and a server. These networks are used for sharing large volumes of data (this sharing is mostly illegal). DirectConnect and Kazaa are the most popular ones.

In addition to illegal data distribution, use of P2P networks overloads the lines through which users are connected to the Internet. Such users may limit the connections of other users in the same network and may increase the cost of the line (for example, when the volume of transmitted data is limited for the line).

WinRoute provides the P2P Eliminator module, which detects connections to P2P networks and applies specific restrictions. Since there is a large variety of P2P networks and parameters at individual nodes (servers, number of connections, etc.) can be changed, it is hardly possible to detect all P2P connections[6]. However, using various methods (such as known ports, established connections, etc.), the P2P Eliminator is able to detect whether a user connects to one or multiple P2P networks.

The following restrictions can be applied to users of P2P networks (i.e. to hosts on which clients of such networks are run):

P2P Eliminator Configuration

P2P networks are detected automatically (the P2P Eliminator module keeps running). To set the P2P Eliminator module's parameters, go to the P2P Eliminator tab in the Configuration → Advanced Options section.

Figure 17.1. Detection settings and P2P Eliminator


As implied by the previous description, it is not possible to block connections to particular P2P networks. P2P Eliminator allows complete blocking of all traffic (i.e. access to the Internet from the particular host), allowing only services that are certain not to be associated with P2P networks, or limiting the bandwidth (transfer speed) that can be used by clients of P2P networks. The settings are applied to all clients of P2P networks detected by P2P Eliminator.

Check the Inform user by email option if users on whose hosts P2P networks are detected should be warned and informed about the action taken (blocking of all traffic or allowance of only certain services, and the length of the period for which the restrictions apply). The email is sent only if a valid email address (see chapter 15.1  Viewing and definitions of user accounts) is specified in the particular user account. This option does not apply to unauthenticated users.

The Traffic will be blocked for value defines how long the restriction is applied to the particular host. The P2P Eliminator module enables traffic for this user automatically when the specified time expires. The time of disconnection should be long enough to make the user consider the consequences and stop trying to connect to P2P networks.

If traffic of P2P network clients is not blocked, a bandwidth limit for P2P networks can be set at the bottom of the P2P Eliminator tab. Internet lines are usually asymmetric (the speed differs between the incoming and outgoing directions); therefore, this limit is set separately for each direction. The bandwidth limit applies only to traffic of P2P networks (detected by P2P Eliminator); other services are not affected.

Figure 17.2. Bandwidth limits applied to P2P networks


Note:

  1. If a user who is allowed to use P2P networks (see chapter 15.1  Viewing and definitions of user accounts) is connected to the firewall from a certain host, no P2P restrictions are applied to this host. Settings in the P2P Eliminator tab are always applied to unauthorized users.

  2. Information about P2P detection and blocked traffic can be viewed in the Status → Hosts / users section (for details, refer to chapter 19.1  Active hosts and connected users).

  3. If you also wish to notify another person when a P2P network is detected (e.g. the WinRoute administrator), define the alert on the Alerts Settings tab of the Configuration → Accounting section. For details, see chapter 19.4  Alerts.

Parameters for detection of P2P networks

Click Advanced to set parameters for P2P detection.

Figure 17.3. Settings of P2P networks detection


Ports of P2P networks

List of ports which are exclusively used by P2P networks. These ports are usually ports for control connections — ports (port ranges) for data sharing can be set by users themselves.

Ports in the list can be defined by port numbers or by port ranges. Individual values are separated by commas, and a dash is used to define a range.

Number of suspicious connections

A large number of connections established from the client host is a typical feature of P2P networks (usually one connection for each file). The Number of connections value defines the number of the client's network connections that must be reached for the traffic to be considered suspicious.

The optimum value depends on circumstances (type of user's work, frequently used network applications, etc.) and must be tested. If the value is too low, the system can be unreliable (users who do not use P2P networks might be suspected). If the value is too high, reliability of the detection is decreased (fewer P2P networks are detected).

Safe services

Certain “legitimate” services may also show characteristics of traffic in P2P networks (e.g. a large number of concurrent connections). To ensure that traffic is not detected incorrectly and users of these services are not penalized by mistake, it is possible to define a list of so-called secure services. These services will be excluded from detection of P2P traffic.

The Define services... button opens a dialog where services that will not be treated as P2P network traffic can be defined. All services defined in Configuration → Definitions → Services are available (for details, refer to the chapter on services).
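
The following Python sketch models how the three parameters above (port list syntax, connection threshold, safe services) interact. It is an added illustration, not WinRoute code: the way the signals are combined, the `Conn` record, the function names and all port values and service names are assumptions or constructed samples.

```python
# Added illustration: simplified model of the detection parameters described
# above. Not WinRoute code; the rule combination below is an assumption.
from collections import namedtuple

# One outbound connection seen from a client host (hypothetical record type).
Conn = namedtuple("Conn", "dst_port service")


def parse_port_list(spec):
    """Parse 'a,b-c,...' (commas between values, dash for ranges) into a set."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if sep else lo
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"invalid port or range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def classify_host(conns, p2p_ports, max_connections, safe_services):
    """Return (suspected, reason) for one host's current connections."""
    # Safe services are excluded from detection entirely.
    counted = [c for c in conns if c.service not in safe_services]
    hits = sorted({c.dst_port for c in counted if c.dst_port in p2p_ports})
    if hits:
        return True, f"known P2P port(s): {hits}"
    if len(counted) >= max_connections:
        return True, f"{len(counted)} connections (threshold {max_connections})"
    return False, "no indicator"


# Constructed sample data: port values and service names are placeholders.
P2P_PORTS = parse_port_list("1214, 4661-4665")
SAFE = {"HTTP", "HTTPS"}
browser = [Conn(443, "HTTPS")] * 40 + [Conn(25, "SMTP")]
sharer = [Conn(4662, None)] + [Conn(50000 + i, None) for i in range(5)]
bulk = [Conn(50000 + i, None) for i in range(30)]

if __name__ == "__main__":
    for name, conns in (("browser", browser), ("sharer", sharer), ("bulk", bulk)):
        print(name, classify_host(conns, P2P_PORTS, 25, SAFE))
```

With an empty safe-services set, the `browser` host in the sample crosses the threshold and is flagged, which is the false positive the Safe services list exists to prevent.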

Warning

Default values of the P2P detection parameters were set on the basis of long-term testing. As already mentioned, it is not always possible to say whether a particular user really uses P2P networks; detection yields only a certain level of probability. Changing the detection parameters may affect the results crucially. Therefore, it is recommended to change the parameters of P2P network detection only in legitimate cases (e.g. if a new port number is detected which is used only by a P2P network and by no legitimate application, or if it is found that a legitimate service is repeatedly detected as a P2P network).



[6] According to thorough tests, the detection is highly reliable (probability of failure is very low).