Page 1 of 2
Results 1 to 15 of 19

Thread: Identifying P2P users using traffic analysis

  1. #1

    Past Zeropaid News Admin

    Join Date
    May 2003
    Posts
    544

    Identifying P2P users using traffic analysis

    Yiming Gong 2005-07-21
    With the emergence of Napster in the fall of 1999, peer to peer (P2P) applications and their user base have grown rapidly in the Internet community. With the popularity of P2P and the bandwidth it consumes, there is a growing need to identify P2P users within the network traffic.
    In this paper the author will propose a new method based on traffic behavior that helps identify P2P users, and even helps to distinguish what type of P2P applications are being used.

    Current Technology
    When it comes to identifying P2P users, currently there are only two choices: port based analysis and protocol analysis. Here is a brief review of both.

    Port based analysis
    Port based analysis is the most basic and straightforward method to detect P2P users in network traffic. It is based on the simple concept that many P2P applications have default ports on which they function. When these applications are run, they use these ports to communicate with the outside. The following is an example list:
    Limewire 6346/6347 TCP/UDP
    Morpheus 6346/6347 TCP/UDP
    BearShare default 6346 TCP/UDP
    Edonkey 4662/TCP
    EMule 4662/TCP 4672/UDP
    Bittorrent 6881-6889 TCP/UDP
    WinMx 6699/TCP 6257/UDP
    To perform port based analysis, administrators just need to observe the network traffic and check whether there are connection records using these ports. If a match is found, it may indicate P2P activity. Port based analysis is almost the only choice for network administrators who don't have special software or hardware (such as an IDS) to monitor traffic.
    Port matching is very simple in practice, but its limitations are obvious. Most P2P applications allow users to change the default port numbers by manually selecting whatever port(s) they like. Additionally, many newer P2P applications are more inclined to use random ports, thus making the ports unpredictable. Also, there is a trend for P2P applications to begin masquerading their function ports within well-known application ports such as port 80. All these issues make port based analysis less effective.

    Protocol analysis
    Despite the poor results found using simple port matching, an administrator has another choice: application layer protocol analysis. With this approach, an application or piece of equipment monitors traffic passing through the network and inspects the data payload of the packets according to some previously defined P2P application signatures. Many of today's commercial and open source P2P application identification solutions are based on this approach, and include the L7-filter, Cisco's PDML, Juniper's netscreen-IDP, Alteon Application Switches, Microsoft common application signatures, and NetScout. They each do their detection work by doing regular expression matches on the application layer data, in order to determine whether a specific P2P application is being used.
    Because protocol analysis focuses on the packet payload and raises alerts only on a definite match, any client-side tricks by P2P applications that use non-default or dynamic ports to avoid detection will fail. Using this approach, the result is normally more accurate and believable, but it still has some shortcomings. Here are some points to remember with protocol analysis of P2P networks:
    P2P applications are evolving continuously, and therefore signatures can change. Static signature based matching requires new signatures to be effective when these changes occur. With more and more P2P identification and control products on the market, P2P developers tend to tunnel around any controls placed in their way. They could easily achieve this by encrypting the traffic, such as by using SSL, making protocol analysis much more difficult.
    Signature-based identification means that the product should read and process all network traffic, which brings up the issue of how to maintain network stability in a large network. The product may burden network equipment heavily or even cause network failures. If it works inline, what will you do when the product fails?
    Signature-based identification at the application level (L7) is also highly resource-intensive. The higher the network bandwidth, the more cost and resources you need to inspect it. Suppose you inspect a 1Gbit or even 10Gbit network link; how much investment must you make to get an appropriate product?
    Most importantly, if your organization cannot afford the special appliances or applications that perform protocol analysis, is port matching your only alternative? Fortunately, the answer is no. An approach based on traffic behavior patterns proves to be both functional and cost-effective.

    Traffic behavior
    Network traffic information can usually be easily retrieved from various network devices without affecting network performance or service availability too much. For small or medium networks, administrators can rely on their gateway or perimeter equipment logs. For larger networks and ISPs, administrators can enable the Netflow function on their routers or switches to export network traffic records. TO SEE THE REST GO TO THE LINK!

    Read the complete article
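Added example, not code from the article or from anyone in this thread: the two detection approaches the article reviews (port matching against its default-port list, and L7-style regular-expression matching on the payload) run side by side over a handful of constructed flow records. The port table is built from the article's own example list; the two payload signatures are assumptions, minimal patterns on the well-known BitTorrent handshake prefix and the Gnutella handshake string (Limewire, Morpheus and BearShare are Gnutella clients). The constructed flows cover the cases the article raises: a default-port flow, a user-chosen port, a handshake on port 80, a TLS-wrapped connection that neither method can classify, and ordinary HTTP on a Gnutella port that port matching flags anyway.

```python
# Added example: port-based matching versus payload-signature matching over
# constructed flow records. Not code from the article or the thread.
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One connection record: transport protocol, destination port and the
    first bytes of client payload (a NetFlow export would carry no payload)."""
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes


# Default-port table built from the article's example list.
DEFAULT_PORTS = {
    "Limewire":   {(p, port) for p in ("tcp", "udp") for port in (6346, 6347)},
    "Morpheus":   {(p, port) for p in ("tcp", "udp") for port in (6346, 6347)},
    "BearShare":  {("tcp", 6346), ("udp", 6346)},
    "Edonkey":    {("tcp", 4662)},
    "EMule":      {("tcp", 4662), ("udp", 4672)},
    "Bittorrent": {(p, port) for p in ("tcp", "udp") for port in range(6881, 6890)},
    "WinMx":      {("tcp", 6699), ("udp", 6257)},
}

# Simplified payload signatures (assumption: minimal patterns in the spirit of
# L7-filter, anchored on each protocol's handshake prefix).
SIGNATURES = {
    "Bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "Gnutella":   re.compile(rb"^GNUTELLA CONNECT/"),
}


def port_match(flow):
    """Port-based analysis: every app whose default ports include this (proto, port)."""
    return sorted(app for app, ports in DEFAULT_PORTS.items()
                  if (flow.proto, flow.dst_port) in ports)


def signature_match(flow):
    """Protocol analysis: every signature that matches the payload prefix."""
    return sorted(app for app, pat in SIGNATURES.items() if pat.search(flow.payload))


def classify(flows):
    """Run both methods over each flow and keep the verdicts side by side."""
    return [{"flow": f, "port": port_match(f), "signature": signature_match(f)}
            for f in flows]


# Constructed sample flows, one per case discussed in the article.
SAMPLE_FLOWS = [
    Flow("tcp", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),       # default port, clear handshake
    Flow("tcp", 51413, b"\x13BitTorrent protocol" + b"\x00" * 8),      # user-chosen port
    Flow("tcp", 80, b"GNUTELLA CONNECT/0.6\r\n"),                       # handshake hidden on port 80
    Flow("tcp", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello: payload opaque
    Flow("tcp", 6346, b"GET / HTTP/1.1\r\nHost: example.org\r\n"),      # plain HTTP on a Gnutella port
]

if __name__ == "__main__":
    for r in classify(SAMPLE_FLOWS):
        f = r["flow"]
        print(f"{f.proto}/{f.dst_port:<5} port={r['port'] or '-'} signature={r['signature'] or '-'}")
```

Reading the output column by column is the whole point: port matching misses the second and third flows and fires on the fifth (three Gnutella clients share 6346, and the payload is ordinary HTTP), signature matching catches the first three regardless of port, and the TLS flow on 443 comes back empty for both, which is the encryption caveat the article raises before turning to traffic behavior.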

  2. #2
    Auggie2k's Avatar

    Back to business!

    Join Date
    Jan 2005
    Location
    Ireland
    Posts
    4,988
    Lol 2 threads. U must be really tryin to get your point across!

  3. #3
    Malakai1911's Avatar

    hates zeropaid

    Join Date
    Feb 2003
    Posts
    1,354
    3 threads, fucking stop.
    My security guide @ Zeropaid


    Unless you are the following people, I do not particularly wish to associate with you:
    Krell, HelenaP, mountain_rage, mfgbypooter, Mels_Smileys45, excrement_cranium.
    That's it for now. This list will be updated whenever I feel like it.

  4. #4
    The Hunter's Avatar

    Janitor

    Join Date
    Apr 2002
    Location
    Copperhead Road
    Posts
    11,611
    I closed the other 2, and will shortly delete them. Please no more of these.
    Grow old along with me, the best is yet to be.

  5. #5

    Past Zeropaid News Admin

    Join Date
    May 2003
    Posts
    544
    I can't believe you're getting mad. I'm news admin, I'm allowed to post news.
    mp3s rock

  6. #6
    The Hunter's Avatar

    Janitor

    Join Date
    Apr 2002
    Location
    Copperhead Road
    Posts
    11,611
    Not 3 Identical threads.
    Grow old along with me, the best is yet to be.

  7. #7

    Past Zeropaid News Admin

    Join Date
    May 2003
    Posts
    544
    Ah ok, I don't think they're identical, but if you say so.
    mp3s rock

  8. #8
    The Hunter's Avatar

    Janitor

    Join Date
    Apr 2002
    Location
    Copperhead Road
    Posts
    11,611
    They sure looked the same to us.
    Grow old along with me, the best is yet to be.

  9. #9

    ANts fan

    Join Date
    Jul 2005
    Posts
    34
    ANts uses port 443 and SSL over TCP, the same as https, so ISPs can't notice the difference and block it.

    Blocking users based on traffic analysis is not so simple: if you use your account for VoIP or videoconferencing, you are using a huge amount of bandwidth, but it is an admitted use of an xDSL connection. If not, what is an xDSL for?

  10. #10

    ZeroPaid Regular

    Join Date
    Aug 2002
    Posts
    38
    Hellooowwww!!!! ISPs, that only works if users are dumb enough to use the standard ports.

    Me, I am smart enough not to use the 6880 to 6900 range for BitTorrent, so you are going to have a hard time detecting me.

  11. #11
    gaining

    Guest
    This doesn't matter!!
    P2P is not illegal, so why waste any money trying to figure anything out. Unless you can make sense out of hash. But why bother. My isp works for me! Nobody needs 11mb to surf the web or to stream, so what is the speed for ;) my isp knows!

  12. #12
    black_magiic's Avatar

    Zeropaid Noob

    Join Date
    Aug 2003
    Location
    Coolsville
    Posts
    2,344
    Ya, I personally think even three similar posts on the same story is pretty redundant.

  13. #13
    vixenk's Avatar

    GrR!!!

    Join Date
    Jan 2005
    Location
    in a house
    Posts
    69
    My isp works for me! Nobody needs a 11mb to surf the web or to stream, so what is the speed for ;) my isp knows!
    Who's your isp? Hook me up! lol

  14. #14
    Excrement_Cranium's Avatar

    Just Sick

    Join Date
    Jan 2005
    Location
    Crackivegas, Washington
    Posts
    5,423
    That is pretty much it. The ISP knows that people use faster download speeds to... oh my lord... download! Since P2P at this point is a sue-by-user enforcement, the ISP could care less. Only when they are pressured do they send threats or notices.

  15. #15

    ZeroPaid Regular

    Join Date
    Dec 2005
    Posts
    38
    Huh? I don't really get this thread at all lol
