Tunnelling Bittorrent Over Port 80 – How to Detect Activity on Your Network
Bittorrent is a very popular file sharing protocol. As a way of distributing content from many hosts, it is second to none. It is very popular with movie/music pirates as it does not require a central server for the storage of data. A downloader (peer) contacts other peers and downloads pieces of the content, and that peer automatically shares any pieces it has already downloaded. It has many other uses, such as a platform for distributing software updates.
When it comes to network management, most administrators try to block Bittorrent use. The main reason is that it can consume massive amounts of network bandwidth and disk storage. Many high definition movies are now 6GB+ in size, so it only takes a few clients to clog up a network. Bittorrent clients also create thousands of network connections to other peers, which can overload some firewalls.
Blocking access to sites like ThePirateBay may work in the short term, but the introduction of magnet links makes site blocking more difficult. Even if you succeed in blocking the torrent sites, users can still access them at home and then use your network to download the content.
How to detect Bittorrent tunnelling activity on your network
Traditional firewalls which rely on port blocking are useless when it comes to Bittorrent. The protocol will seek out open TCP or UDP ports and use these to tunnel/transfer data. Even newer firewalls struggle with the Bittorrent protocol due to encryption and other recent changes.
In today’s world, the only way to accurately identify Bittorrent is to be application aware. What I mean by this is to forget about identifying applications based on the port numbers they use to communicate. Assume that TCP port 80 could be any application: HTTP, Skype, Bittorrent, etc. You need to look inside the network packets and work out which application it is based on the packet payload or content.
This all sounds very complicated, and it is if you have to sort through packets using something like Wireshark. It is not impossible, but you will find it very time consuming. The other issue is scale: Wireshark works fine for analyzing a single client, but it will get overloaded if you are monitoring hundreds of clients.
What you are looking to do is extract certain metadata from the network packets. There is no need to store the contents of every packet unless you plan to replay the traffic for further analysis. This approach is also referred to as deep packet inspection. Aim to capture these fields at a minimum:
- Source IP Address
- Source Port
- Destination IP Address
- Destination Port
- Info_hash: the URL-encoded 20-byte SHA1 hash that identifies the torrent
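The following is an added example, not code from this post or from LANGuardian. It shows the payload-based classification the post describes: each flow is labelled by what its first bytes contain rather than by its port number, and the minimum metadata listed above (addresses, ports, info_hash) is extracted. Two signatures are used, both taken from the public BitTorrent specification: the peer-wire handshake (a length byte of 19 followed by the string "BitTorrent protocol") and an HTTP tracker announce request carrying a URL-encoded info_hash. The sample flows, IP addresses and the 20-byte hash are constructed for the example and do not correspond to any real torrent.

```python
"""Classify port-80 flows by payload rather than by port number (added example)."""
import re
from urllib.parse import unquote_to_bytes, quote_from_bytes, urlsplit

# Peer-wire handshake: <pstrlen=19><pstr="BitTorrent protocol"><8 reserved><info_hash><peer_id>
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"

# HTTP request line, e.g. "GET /announce?info_hash=... HTTP/1.1"
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def extract_info_hash(request_target: bytes):
    """Return the info_hash from a tracker announce/scrape URL as hex, or None."""
    url = urlsplit(request_target.decode("latin-1"))
    if not url.path.endswith(("/announce", "/scrape")):
        return None
    # info_hash is raw binary that was URL-encoded; parse_qs would try to decode it
    # as UTF-8 text, so walk the query string ourselves and decode to bytes.
    for pair in url.query.split("&"):
        key, sep, value = pair.partition("=")
        if key == "info_hash" and sep:
            raw = unquote_to_bytes(value)
            if len(raw) == 20:  # SHA1 digest length; anything else is not a valid announce
                return raw.hex()
    return None


def classify(flow):
    """flow: dict with src_ip, src_port, dst_ip, dst_port and payload (start of the stream).
    Returns a metadata record with an 'app' label and, for Bittorrent, the info_hash."""
    payload = flow["payload"]
    record = {k: flow[k] for k in ("src_ip", "src_port", "dst_ip", "dst_port")}
    record["info_hash"] = None
    if payload.startswith(BT_HANDSHAKE_PREFIX):
        record["app"] = "bittorrent-peer"
        # info_hash sits after 1 + 19 + 8 reserved bytes, i.e. at offset 28..48
        if len(payload) >= 48:
            record["info_hash"] = payload[28:48].hex()
        return record
    m = HTTP_REQUEST_LINE.match(payload)
    if m:
        info_hash = extract_info_hash(m.group(2))
        if info_hash:
            record["app"] = "bittorrent-tracker"
            record["info_hash"] = info_hash
        else:
            record["app"] = "http"
        return record
    record["app"] = "unknown"
    return record


def find_bittorrent(flows):
    """Return only the records whose payload identifies Bittorrent, whatever the port."""
    return [r for r in map(classify, flows) if r["app"].startswith("bittorrent")]


# Constructed sample flows, all to destination port 80. FAKE_HASH is a made-up
# 20-byte value standing in for a torrent's SHA1 info_hash.
FAKE_HASH = bytes(range(0xA0, 0xB4))
ANNOUNCE = (b"GET /announce?info_hash=" + quote_from_bytes(FAKE_HASH, safe="").encode()
            + b"&peer_id=-XX0000-aaaaaaaaaaaa&port=6881&uploaded=0&downloaded=0&left=0&compact=1"
            + b" HTTP/1.1\r\nHost: tracker.example\r\n\r\n")
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "203.0.113.10", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src_ip": "10.0.0.7", "src_port": 49321, "dst_ip": "203.0.113.20", "dst_port": 80,
     "payload": ANNOUNCE},
    {"src_ip": "10.0.0.7", "src_port": 49322, "dst_ip": "198.51.100.9", "dst_port": 80,
     "payload": BT_HANDSHAKE_PREFIX + b"\x00" * 8 + FAKE_HASH + b"-XX0000-aaaaaaaaaaaa"},
]

if __name__ == "__main__":
    for rec in find_bittorrent(SAMPLE_FLOWS):
        print(rec)
```

The first flow is ordinary HTTP on port 80 and is labelled as such; the other two are Bittorrent on the same port and both yield the same info_hash, which is what lets you tie a tracker announce and the later peer connections back to one torrent when drilling down.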
A simple way to get visibility of Bittorrent on your network is via a SPAN or mirror port. Find where your Internet connection meets your network switch infrastructure, then configure the switch to send a copy of all traffic going to and from the Internet to a switch port of your choice; this switch port is known as a SPAN or mirror port. It’s just a regular port, but you configure it to be the destination for the SPAN traffic. The video below covers this in more detail.
Tracking down Bittorrent activity with deep packet inspection
Once you have your SPAN port set up, you need to plug in a network analyzer which can process network packets. We develop one called LANGuardian, but there are other options out there. For this example I will use a LANGuardian installed on my own network to track down Bittorrent tunnelling. LANGuardian has the advantage of being able to report on both real-time and historical activity.
Step 1 – Run a Top Applications Report
In my case I am going to look at activity over the past 4 hours, and I also want to focus on applications using port 80.
Step 2 – Drill Down on the Bittorrent Traffic
Most traffic on my network using port 80 is HTTP, but I have a small amount of Bittorrent traffic using this port. To drill down, I click on the traffic volumes.
Here I can clearly see the client IP address, hostname and info_hash values associated with this Bittorrent activity. Further details, such as other associated port numbers and external IP addresses, can be obtained by drilling down further.